People all over the country are writing about 2009 – a good many will write about the events that affected cyber issues. I will not try to do a complete tour de force but will list some of the issues I felt were either very interesting or particularly important. I will likely miss some issues readers may feel I should have included. I ask your indulgence ahead of time.
The year began with a new President and a new Administration. President Obama vowed to make Cyber a major priority. He hired Melissa Hathaway to lead a fast but comprehensive review. Although its release was delayed, on May 29, 2009, the resulting report was given a Presidential launch and a huge amount of attention.
The report was a good one. It had in it an excellent “skeleton” of the plan they wanted to follow. It was a bit light on the “how to” but was seen as a great start. The news media focused largely on the call for a Cyber Coordinator on the National Security Staff who would report to the National Security Advisor, Jim Jones, and the Director of the White House National Economic Council, Larry Summers, and have direct access to the President.
The press mistakenly took to calling the position a Cyber Czar. Overall, things seemed to have promise. Unfortunately, it took until December 22 for the President to name Henry Schmidt to the job. The choice is a good one; industry and the rest of the government are looking forward to beginning to move positively in the area of cyber activities.
The year was marked by a huge number of events, attacks and intrusions that made the news (by the way, these are not all of equal detriment – that is a post for another day).
- Conficker continued to bedevil the cyber world. It is still out there proliferating, and we still don’t know what the darned thing is really designed to do. Massive efforts go on to stop it and discover its real purpose.
- On July 4, we experienced the so-called Korean Virus attacks. The consensus was that we weathered them pretty well. True, the spontaneous botnet attack against South Korean and U.S. targets was essentially a distributed denial-of-service (DDoS) that collapsed after a few days. Unfortunately, those who dismissed it as nothing more than a “spam” attack were too optimistic. The event showed the uneven levels of protection and security that mark the U.S. cyber security response. While this particular event may not have been that big a danger, it did reveal to anyone watching that we have vulnerabilities that can be exploited by a relatively unsophisticated attack. This was not the good news that some claimed.
- Considering that I have written and spoken about the confluence of Cyber Crime and Terror (Proceedings, Heritage Foundation, the French Journal de Defense National), I found something interesting in the Palestinian cyber response to the Israeli incursion into Gaza. Just as the Israelis launched their attack, they experienced a huge cyber assault against their civil defense system networks. The attacks ultimately had little effect, besides giving the Israelis a bit of a scare (they depend on those systems to keep their citizens informed and their responders moving). The interesting thing was that the DDoS attack was eerily similar to the techniques used in the 2007 attacks against Estonia. Could it be that terrorists renting criminal botnets might already be in place? Did Hamas or even Hezbollah hire the same Russian criminal organizations that participated in Estonia to go after the Israelis?
- The FBI announced an investigation into the hack of Citibank on December 22. This was interesting for two reasons. The first was timing, occurring on the same day as the announcement of Howard Schmidt as the Coordinator. It was a wonderful reminder that we still badly need better cyber defenses. The second was that it is emblematic of the kinds of problems we face every day in the private sector that go unreported (or at least underreported) all the time. Until we can develop a system that incentivizes businesses to share intrusion information in a timely way, the bad guys will continue to have the upper hand.
On a positive note, Cloud Computing continues to gain interest and momentum. It is the way we will be going (and should be), and we had better be good at it. Security concerns remain, as do many legal and policy questions. We have an opportunity to do this phase of cyber development well, and we should not miss it. We need quality providers, and good but flexible industry standards. The tech industry needs to get this right.
Lastly, we saw a proliferation of Industry Business Units, centers of excellence, and think tank-like organizations all trying to get on the cyber bandwagon. One hopes this is a good thing. It will be if companies get beyond a marquee name and a secretary in their cyber business units, or just renaming an older organization and calling it a cyber center of excellence. This is still a huge area of concern, and the private sector must get beyond looking at the potential for profit and try to help fix the problems that exist today and will develop in the future. The bad guys still move faster than we do. Everyone agrees the government needs the help of the private sector to do this well. There must be more to it than profit motive. A team must be forged to win this fight.
The New Year holds great promise. Let us all look to 2010 as the year we make real progress in Cyber Security.