The end of the year is approaching, and it is time to look back and see what the major cyber events/issues have been in 2010. I tried to keep it manageable, but it was a busy year. So, here are my nominations for the most significant cyber issues.
Google Attacked by a Nation State – Major international businesses are targets – competitors and countries want their crown jewels, their intellectual property. Google weathered the storm and made the hard decision to withdraw from the biggest market in the world. Make no mistake – this will happen again, particularly to tech companies. Our openness is based on Western democratic principles. Others don’t always agree with them and are more than willing to try to exploit them.
Stuxnet – This was and is a major issue. We have our first real cyber weapon, and as some predicted with cyber weapons, they tend to be a little imprecise, affecting others besides the target. Actually, we are still not sure of Stuxnet’s intended target. Iran is the most likely, but it could have been Siemens. We are also still not sure who originated it.
Just this week, I have seen articles claiming it was China and others saying it was Russia. Both the United States and Israel have also been pointed to. What we do know is that they used insider vulnerabilities (flash drives were the transmission vector), they brought industrial control systems to the fore (many “experts” said these control systems, SCADA and others, were not a target), and that plenty of analysis has taken place. What we do not have is enough conclusive findings. We can say that Stuxnet proves that people are trying to develop means of attacking one of our most important infrastructure areas – control systems.
WikiLeaks – This is not a specific cyber issue; it was actually an example of old-school insider espionage. It could have been mitigated by tech means and more leadership. If there had been an effective anomaly monitoring system in use, the copying of huge amounts of data would have been seen and reacted to. Additionally, better segregation of data would have helped. Manning had the clearance but no legitimate “Need to Know” for much of what he is alleged to have stolen. His attitude and opinions should also have tipped his chain of command to watch him a bit closer. Regardless, this event will have an effect on how we do business in cyber.
Cyber Laws – We still have no comprehensive cyber legislation. I realize that there is a lot on Congress’s and POTUS’s plates, but we need to get this fixed. No one wants Congress to rush; this has to be done well and “right,” but we need it SOON. The lack of effective legislation affects several other issues below.
U.S. Cyber Command Stand up – While still controversial, this has been too long in coming. The newest major command (a sub-unified command of U.S. STRATCOM) has made great strides with a very tough mission. The Military Services are now catching up and are busily putting together their headquarters and force contributions to CyberCom. The big question is defining their exact mission and authorities. Gen. Keith Alexander can really say: “we’ve caught the bus, now what do we do?” How aggressive should they be in defending our networks? What is the full scope of their responsibility? How do they stay separate from NSA, and how do they integrate with geographic CoComs? What about services and installations in non-operational situations? Basically, there may actually be more questions now than there were before. Creating US CyberCom was absolutely the right thing to do, but we need to quickly answer these key questions.
DoD / DHS Cyber Cooperation Agreement – Frankly, this scares many people, who would prefer a wide separation between DoD and any domestic mission. I understand their concerns, but it is unrealistic to think we can afford to build another capability like the one that resides at Ft Meade, MD. This cooperation gets cheers from others, because it makes great practical sense: “use the experts we have to address a problem that exists and is threatening us today.” Regardless of where you sit on this one, everyone must admit that there are many real legal ramifications, and we need to sort out legal authorities NOW.
The Rise of the Cyber Vigilantes – “Citizens” taking action using cyber means have been out there in the past, but now they are becoming more widely known, more public and more prevalent. Essentially, we now have a new environment where everyone, individually or in groups, feels perfectly free to use cyber means (even cyber attacks) to make a point or get their way. Presently, we have no “good” legal basis to address this phenomenon. We must develop a legal foundation quickly, or we will continue to be at a loss when the vigilantes strike.
The bottom line of all this is simple: cyber not only continues to be a key issue but has probably grown in criticality. If you are in leadership and have not begun your personal cyber education, it is clearly time to start.
Happy New Year!