Well, there is a headline NO ONE ever expected to see…yeah, right.
At the Homeland Security & Defense Business Council’s Cyber Security Awareness Month Conference, it actually happened – really. The afternoon event, held on Wednesday, Oct. 13 at the Phoenix Park Hotel, was actually quite good.
Roger Cressey of Good Harbor Consulting was the lead keynote speaker. After a good introduction by Marc Pearl, the head of the council, Cressey gave a super address that covered the waterfront of the key issues facing our nation in cyber. He did it in a way that was at once entertaining (Roger is a great speaker) but also very sobering. He did not cover already plowed ground but was able to touch on all the major dilemmas we are now trying to resolve. He spared no one, chastising industry for trying to hold back any and all regulation; the government for not moving fast and decisively enough to address this key area of vulnerability; and the public for creating a false dichotomy between security and privacy (“We need to have a license to drive on the digital highway”).
He hit issues such as supply chain vulnerabilities (“Do we need a true trusted foundry for components of certain networks?”), the criticality of software today (“This is really the key vulnerability today.”), and the fact that we should be preparing for a “digital Katrina,” not a “digital Pearl Harbor” – resilience is the key, and we should be effect- and recovery-focused, not attack-focused. He did expound on a few other issues with which I took exception. I will get to these in a moment.
Cressey was followed by a fine panel that included representatives of the Executive Branch (Bruce McConnell of DHS), the Legislature (Brandon Milhorn of the Senate HLS Committee staff), Law Enforcement (Mike Merritt of the USSS), an Industry CIO (Bob Fecteau of BAE), and the Cyber insurance business (Ty Sagalow, the CIO of Zurich North America, Zurich Financial Services).
The first of the main points of the panel discussion was that cyber is no longer a “backroom” tech issue. On the private side, it is a money issue, and on the government side, it is about mission assurance. Both of these points of view make it a major issue for the Boss/Commander. Everyone was in agreement on this. A spirited discussion followed, mostly around what needed to be done next.
To almost every issue, Brandon Milhorn, who along with his fellow staffers has led an enormously bi-partisan effort to build a good cyber bill, answered, “We have that in the bill!” Despite the great outreach made by the Senate staff, there is still some ground to be covered to get all of industry on board or to adjust the bill to address their concerns.
Yours truly had the honor of being the closing keynote/wrap-up speaker. I took exception with my friend Roger on a couple of areas. Unfortunately, he was forced by his schedule to depart early, so we could not discuss these face to face, but I said them anyway. One, he draws far too strong a line between cyber crime and cyber espionage, and does not consider cyber crime a national security issue but a law enforcement one. I could not disagree more.
Cyber crime is such a big issue now; it has become a national security threat. The monetary value, the unholy alliance of criminals, terrorists, and intelligence agencies, and criminals’ efforts to “arm” as many cyber operators as possible (granted, for profit) make cyber crime one of our biggest cyber threats, and we must deploy every means to counter it. The line between espionage and crime is at best blurry, and we really cannot make much of a distinction.
Cressey also categorically stated that cyber terrorism does not exist. I assume he would acknowledge that there is a growing terrorist use of the Internet, but he feels that cyber terrorist attack is not credible. In this, he aligns with his old mentor and Good Harbor colleague, Dick Clarke. I think they are both wrong.
They have spent a lifetime trying to counter terrorists, but frankly, they do not think like terrorists. I guess my 28 years in U.S. Army Special Forces has caused me to have that mindset. I agree that we have scant proof of any cyber terrorist attacks so far (except perhaps for Hamas’ unsuccessful use of a DDoS attack against Israel during the 2009 incursion into Gaza). However, to write them off completely is foolish. The bad guys are smart, adaptable, and are studying our vulnerabilities; do we really think they will not try to develop a cyber capability?!
I will spare the reader my full sermon on cyber terrorism, but it is a worry to many in authority. Remember, a terrorist group will not have the same goals as a nation state. They don’t need to collapse the entire U.S. electrical grid, only a part of it. A terrorist does not need to destroy the entire U.S. Financial Sector, only corrupt the data in one or two banks. They don’t need to invade the entire U.S. simultaneously, only use cyber means to “blind” our security efforts in the right area at the right time to infiltrate a team. You get the idea.
I ended the meeting with a four-part call to action, mostly on the human elements of cyber security.
1. We need to get the American people involved with this effort, through education and awareness. Outside the Beltway, they want it and are ready to be informed.
2. We need to exhibit real leadership, both in business and government, by coming to agreement on the issues that still divide us.
3. We need to develop good policy (I am including law, policies and regulations here), which will be possible if we educate people enough to have the needed national dialogue and lead effectively!
4. Lastly, we have to take true corporate responsibility for cyber. I do not mean corporate as in business, but corporate as in “We are ALL in this together.”
I used the example of the 300 Spartans at Thermopylae holding off the gigantic Persian Army, and compared them to our present cyber warriors. The Spartans all died, but they bought the feuding Greek city-states time to unite and develop a plan to defeat the invaders. We should not squander the time our present defenders are buying us, but we should marshal our considerable technical expertise and national resolve to address the challenge of real cybersecurity.