CyberSecurity at Risk Part 2: Changing the Rules Again
This is the second in a two-part series on growing threats and strategies in the Internet age. CyberSecurity at Risk Part 1: Growing Threats demonstrates the rising impact of CyberCrime on business and that CyberWarfare is a key military strategy our enemies are quickly grasping. CyberSecurity at Risk Part 2: Changing the Rules Again shows the national security strategies needed to protect our vital interests.
In the fast-changing CyberSecurity world, staying one step ahead of attackers has never been more challenging.
Recently, a virus that infected 30,000 computer workstations attacked the Saudi Arabian oil company Aramco. Aramco took their main website off the Internet for several days. Credit for the attack came from a group called the Cutting Sword of Justice.
During 2009 and 2010, U.S. and Israel released the Stuxnet virus to secretly disrupt Iran’s uranium enrichment progress. Because Stuxnet is old CyberSecurity news – and as attackers catch up – we must change the rules of the game again.
Maintaining security in the Cyber world starts with the basics. However, stealing secrets is always easier if the front door is unlocked with nobody watching.
In February 2012, the hacker group Anonymous published 78 email addresses and passwords from the Syrian government: 33 of the 78 passwords were either “12345” or “123456.” On the same day, Anonymous leaked a series of emails from inside the Syrian government.
Are we doing any better than Syria securing our vital national secrets? In 2011, Gmail experienced a phishing attack from China that targeted personal email accounts of White House staff. A phishing scam seeks to get people to reveal IDs, passwords, and account numbers. The attackers’ aim was likely to uncover official White House business or national security secrets being discussed in private email or on home computers. Due to the common practice of using the same passwords at home and work, did the Chinese actually find much more?
Failed CyberSecurity Strategies
How well has the Obama administration done defending our cyber borders and protecting business and trade?
In the last legislative year, the House and Senate voted on differing national CyberSecurity bills. The Cyber Intelligence Sharing and Protection Act, passed in the House, was co-sponsored by the Democrat and Republican senior representatives on the Intelligence Committee. Obama, however, threatened to veto this measure that encourages companies to share cybersecurity information. The CyberSecurity Act of 2012, openly supported by the Obama White House, was defeated in the Senate when the Senate split over mandating cybersecurity standards for private businesses.
Despite this loss in the Senate, the Obama administration is pushing a Presidential executive order with key provisions from the failed Senate bill. Why would the White House deliberately go around the legislative process?
Rather than strengthening our defenses, the failed CyberSecurity Act of 2012 and likely Presidential executive order impose government oversight and interference, and add the following risks to businesses:
No protection from lawsuits – Information sharing is key to handling a Cyber attack. Leaked drafts of the proposed executive order do not include limits on companies being sued for sharing information about a cyber attack with the government. If companies need to frequently check with their lawyers on potential exposure to lawsuits, the timely flow of information will stop.
Even by adding protection against lawsuits in the CyberSecurity legislation, businesses may still hesitate to share vital information with government and each other. Food safety may be one of the few examples where the government and business have established the practices to quickly share information.
Government mandated standards – The Administration’s executive order seeks to impose “voluntary” CyberSecurity standards on critical industries. Would businesses be slapped with lawsuits from customers or shareholders for failing to meet “voluntary” security standards?
CyberSecurity Leadership Agenda
So challenging is the Cyber threat that at the recent DefCon hacker conference, National Security Agency General Keith Alexander asked hackers to help make the Internet secure and defend privacy. While this might lead to interesting relationships with the hacker community, a strong CyberSecurity leadership agenda must instead be created.
We can no longer be satisfied being one step ahead of the other side as we were with Stuxnet. All it takes is one talented and motivated individual to penetrate our cyber defenses that cost billions of dollars to build and maintain.
Here are a few key issues we must address in a rapidly changing technical world:
Create a partnership between government and business –The need to build readiness extends to businesses such as banks, power companies, communications, and other utilities in partnership with government. We cannot wait until an attack to ensure communication lines are in place between business, government and military.
Cut through or eliminate the layers of bureaucracy – Due to privacy concerns, many government agencies can’t share information with each other. Sharing Cyber intelligence between agencies is critical to ensuring our nuclear program, military forces, and intelligence agencies can meet an attack with proper force. Furthermore, eliminating needless CyberSecurity mandates and regulations minimizes government overreach.
Continue investing in CyberWarfare capabilities – General Keith Alexander recently said the Department of Defense will reach full CyberWarfare readiness by 2014. With the public sector in competition for prized talent in the private sector, adding the talent and systems to build readiness requires long-term funding, leadership, and discipline.
Define the rules of engagement – Our forces will only be successful in the case of a Cyber attack if the following questions are understood.
- Who is the attacker?
- What is the immediate response?
- What command structure is in place to make the decision for a greater response?
In the Cyber world, the identity of attackers is easily covered up. Suppose the U.S. retaliated against an attack only to discover the real attacker cleverly pointed the evidence elsewhere?
Cyber attacks have not yet crossed over to the horror and cost of real-life warfare. However, our ability to defend our borders and protect trade is being challenged every day. It takes only one technically savvy attacker to cause serious damage. With our enemies now including rogue states, drug lords and Cyber criminals, we cannot be protected by Cold War strategies of the past.
With new CyberSecurity threats, we must demand that our government act with urgency to protect our vital infrastructure. Maintaining our competitive advantage and national security in a post 9-11 world depends on it.
For more solutions to the problems facing America in a post 9-11 world, go to truecapitalism.org
 Wall Street Journal – http://online.wsj.com/article/SB10001424052702304563104576361863723857124.html
 Federal Computer Week - http://fcw.com/Articles/2012/07/15/FEAT-Inside-DOD-cyber-warfare-rules-of-engagement.aspx?Page=3