As new cyber security legislation makes its way through Congress, the Wall Street Journal reported a warning from National Security Agency Director General Keith Alexander that a hacker group like Anonymous could soon develop the capacity to cause limited power outages in the United States. While Anonymous predictably rejected the warning as “fear mongering,” it comes amid reports of daily successful attacks against American networks and sites in both the public and private sectors, and in the distant wake of an experiment conducted by the Departments of Homeland Security and Energy, dubbed “Aurora.” As CNN reported, Aurora’s March 2007 “experimental cyber attack caused a generator to self-destruct.” The speculation reported by CNN at the time was that “bigger, coordinated attacks could cause widespread damage to electric infrastructure that could take months to fix.”
Today’s reality is that the Internet is the repository of a huge and growing body of code (including malware) whose origin and ultimate purpose are unknown. Well-intentioned, repeated government calls for action have not fixed, and will not fix, a problem enabled by globally deployed technologies. Increasingly sophisticated malware creation and its speed-of-light delivery demand the implementation of real-time global cyber surveillance, anomalous-behavior (not just signature) detection, and neutralization technologies on virtually every port of a Windows operating system.
Beginning in April 2010, such technologies were repeatedly demonstrated to DHS Network Security and United States Computer Emergency Readiness Team (US-CERT) officials, and reports from the same technologies were provided to DHS officials on a daily basis. The reports gave early warning and an accurate accounting of anomalous Internet activity (including activity directed at U.S. energy providers), and demonstrated the ability to detect, record, report, share, and neutralize global cyber scans, probes, and attacks while simultaneously updating existing signature-based defense systems at any entity’s Internet point of presence. As part of a cyber defense-in-depth strategy, and consistent with the intent of portions of the proposed congressional legislation, these technologies also provide the capacity to instantly share this information with other public and private domains and third-party cyber security systems for further analysis.
Framing all of the above: at a resilience event sponsored by the Conference Board of Canada in Montreal earlier this month, Robert Bach, a professor at the Center for Homeland Defense and Security at the Naval Postgraduate School, noted that “the proof of lessons-learned is changed behavior.”
If so, the current approach to ensuring the operation of America’s critical infrastructures can only be characterized as lessons-observed. Because we have failed to change our behavior, it appears that there have been no critical infrastructure lessons-learned since the 1998 dawn of the Defense-Wide Information Assurance Program (DIAP). At that time the Department of Defense (DoD), recognizing an increasingly threat-filled cyberspace environment, and knowing that the absence of any operational multiplier (for example, information) is an operational divider, developed the DIAP. Its Information Assurance (IA) measures moved DoD beyond traditional information protection programs to “defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation.” In today’s lexicon, that is cyber resilience.
The success of IA, the lessons-learned from the Year 2000 (Y2K) transition, and the failure of a “protected” critical infrastructure that brought devastation to New Orleans in 2005 together made plain the imperative to ensure not only the protection but also the assured provision of essential cyber and physical infrastructure products and services. That imperative led to the Homeland Security Advisory Council’s (HSAC’s) January 2006 principal recommendation to Secretary Chertoff: not only to leverage but to raise the bar above traditional Critical Infrastructure Protection (CIP) program goals and “promulgate Critical Infrastructure Resilience (CIR) as the top level strategic objective – the desired outcome – to drive national policy and planning.”
There has been, and continues to be, a great deal of rhetoric and staff activity on the subject, but rhetoric is not results and activity is not accomplishment. Six years later, despite congressional efforts and repeated calls for resilience by the President, the Homeland Security Secretary, and the HSAC, and despite continuing CIP failures and the guarantee that their consequences will be repeated, nothing has been done either to implement the HSAC’s recommendation or to explain the continuing failure to do so.
The operationally proven mindsets, methodologies, metrics, and technologies needed to achieve, continuously improve, and sustain acceptable levels of cyber and physical infrastructure resilience have been repeatedly presented to offices within DHS headquarters. Those presentations were met with agreement on the growing infrastructure challenges before the nation, yet the response to them, and to resilience efforts in general, from the very DHS organization charged with infrastructure protection has been:
- Dismissive, irresponsible, Land of Oz-like statements, including one voiced by a DHS official at an October resilience conference in McLean, VA: “We included the term resilience 44 times in the National Infrastructure Protection Plan — for those of you who are keeping track;” and
- An obtuse definition, in the National Infrastructure Advisory Council charter, that subordinates resilience to existing CIP programs.
Legislation and calls for greater public-private cooperation to deal with the increasingly exploitable and consequence-amplifying state of America’s critical infrastructure are fine, as far as they go. But rhetoric must be matched by results, driven by performance-based operational requirements and by objectively measurable and sustainable infrastructure performance goals. Absent a change in organizational behavior, today’s efforts to protect America’s infrastructures will, at best, result only in maintenance of a totally unacceptable cyber and physical infrastructure status quo.
President Ronald Reagan said it best: “Status quo, you know, is Latin for ‘the mess we are in.’”