Well, the week of 15 – 19 Feb 2010 was a fascinating one if you follow cybersecurity events. The bellwether stories are numerous, and reaction to them has been varied. Even if you don’t join in the debates of the blogosphere, it sure is fun to “watch.” On the serious side, these issues are all critical ones, and the number of experts (real ones, not the self-proclaimed variety) who hold widely varying positions shows the challenge of this field.
The biggest headlines probably went to the 16 Feb exercise held by the Bipartisan Policy Center. This exercise used former high level administration players (from the Clinton and G.W. Bush teams) to play the key roles. These included:
- Ambassador John Negroponte, as the exercise Secretary of State
- Secretary Michael Chertoff, as the National Security Adviser
- Fran Townsend, as the Secretary of DHS
- John McLaughlin, as the Director of National Intelligence
- Stewart Baker, as the Cyber Coordinator
- Joe Lockhart, as the counselor to the President
The scenario started with a widely downloaded and infected smart phone app, and quickly cascaded to a major Internet malware infestation. Add a terrorist attack on some physical infrastructure and a few natural disasters, and pretty soon you have a huge national security challenge. The whole thing was filmed by CNN for broadcast later.
The reviews were mixed. Some decried the scenario, noting that technologically, it was a little over the top. Those unfamiliar with the normal exercise methodology where you almost always have apocalyptic situations wondered why they tried to stress the system that much. A good number of observers applauded the highlighting of a number of issues with which our system is not yet ready to deal. Lack of authority to act heavy handedly domestically, even in a crisis, was one key finding (take over the telecoms?), difficulty of attribution for the malware intrusion was another, and defining an act of war in cyber was a third. Policy wise, the lessons learned are similar to those noted in past exercises, but this one was totally public.
Bottom line? To paraphrase Chertoff, we are still at a September 10 level of readiness in the cyber realm.
Next was the public outing of the Kneber Bot. It was publicized that a Botnet, with over 74,000 “members” (zombie computers), has penetrated more than 2400 organizations in a wide variety of sectors using ZeuS malware. Some said, “Yes, this is old news, this bot has been around for a while.” Others said that this is a newer variety of ZeuS, one that is much harder to detect and stop. It engendered a lively debate as to the responsiveness of protective software companies to existing known threats. Still others were shocked at the extent of the problem.
Bottom line? The American people are still woefully unaware of the level of threat they face everyday. This includes lots of corporate leaders who should not be so uninformed.
Two major information technology schools in China were identified as a possible source of the now well-known attacks on Google that precipitated that company’s decision to pull out of the lucrative Chinese market. The schools deny it, as does the Chinese government. Many experts point to the fact that China is the most hacked country (in numbers) in the world, and the schools could have been set up to look like the culprits. These two institutions produce a great many outstanding computer practitioners. Some end up working in the private sector, some for the Chinese government.
Bottom line? Clear attribution is still tough to achieve; without it, it is impossible to take truly legitimate retaliatory action.
Privacy issues are at the center of the last two big stories. Google’s roll out of their new Buzz social networking tool got everybody steamed. Google preselected match up for all their Gmail customers to jump start the new network. Suddenly you were linked/following people Google chose for you. Google is working it out, and it may end up as a tempest in a teapot, but clearly privacy is still a valued commodity.
Similarly, a school in Pennsylvania issued laptops to all its students so they could use the schools electronic resources. Unfortunately the package (tracking software, Web cams) allowed the teachers to “know” what the students were doing at home, even in their rooms. One student was reprimanded for inappropriate behavior based on what the teacher “saw.” Huge privacy flags went up! Law suits started, computers recalled and lots of explaining began.
Bottom Line? Privacy remains a third rail, and cyber capabilities can run all over it if not thought out completely.
So, pick your issue: national readiness, ongoing vulnerabilities, international norms and personal privacy. Cyber continues to be a key and critical issue. It will not go away or lessen in importance. I know the Administration is working hard on any number of issues in this area, but we NEVER see it.
Mr. President, please tell your folks to lets us know how you are addressing these (and other) cyber challenges. Better yet, ask us in the private sector to help. We need the confidence that can only come with knowledge, and you need the expertise that is resident on the other side of the public/private equation.