Adfero Group HSPI

You have heard the saying, if it walks like a duck, quacks like a duck, and looks like a duck, it must be a duck. News sources and government officials tell us we live in a world of constant cyber attack, so we must be at war, right? In cyber world, this kind of talk is harmful and obscures the new world in which we really exist. We are not at war – we are in conflict, and some of the tools we are using cross interesting and controversial 20th-century political lines.

When I attend various meetings around DC on cyber issues, I often see confusion and challenge – good people trying to resolve confusing issues, wrestling with individual – as well as the country’s – social and political demons. Cyber is a new kind of land. It has no physical dimension. There are no borders or boundaries, and everyone seems to be a part of something that no one can control. People in DC are bit lost right now, and there are some distinct cultural reasons why.

The Jainists of India have a parable. It is the story about the blind men feeling the elephant – each one feels something different. Watching the Federal government roll out a cyber “strategy” over the past couple of week has felt just that way. The cyber-elephant is a vast and ever-expanding body, and Washington is mucking around this way because of two basic problems. In its simplistic form, the first challenge is definitional and the second challenge is doctrinal.

National security leaders like Leon Panetta, Janet Napolitano and even President Obama have been telling members of Congress and the country that unless immediate action is taken, the United States will suffer cyber attacks guaranteed to shut down our power, communication, financial and water infrastructure sectors. Well, I’m not buying it. The politics of fear is a D.C. classic.

The New York Times recently admitted it had been raided by Chinese “privateers,” stealing reporter’s notes and sources. With this act by the Chinese, we now face clearly the idea that a nation-state can try to enforce its will on an individual private actor inside the United States. Moreover, they have done so to an actor that is not a part of the national security or industrial base. This act must be responded to swiftly and aggressively. And Washington seems not yet prepared to deal with it.

Yogi Berra once observed after two of his teammates smacked back to back homers, “it was déjà vu all over again.” His wisdom applies to cyberspace in 2013 – it is going to be déjà vu all over again. Here are four likely Cyber Challenges we will encounter this year. None of these challenges are “fatal.” They are simply the challenges at hand.

There are few spots left around the world without Internet access, and few people who cannot reach out to access it. It has been relatively free of state interference and American dominated. However, the Net has had mounting problems, and 2012 has marked the end of the old Internet as we knew it. The days of an American-controlled freewheeling Internet with unlimited access and relatively cost-free access are over.

By Doug Doan
So far, none of the presidential candidates have mentioned much about Homeland Security. With so many other problems, issues surrounding how best to organize, manage and lead the vast DHS bureaucracy are just not that important. Too bad. I would have liked to see the candidates talk about what they might do. Here is an agenda that I happily provide.

Senate Majority Leader Harry Reid and his congressional colleagues’ proposed Cyber Security Act of 2012 is the wrong solution for America’s cybersecurity problem. The split is not between Democrats and Republicans; it is between competing views of the way to better security. The main reason these efforts are wrong is that they are based on a regulatory model. This sort of solution is a 19th-century answer for a 21st-century problem.

Many companies are examining the possibility of switching to Bring Your Own Device (BYOD) as a method of significantly reducing their IT infrastructure capital costs. Here is but another example of how short-term versus strategic thinking is creating havoc in American business. The dangers associated with BYOD far outweigh the short-term benefits. Convenience and a perception of cost reductions appear to again be trumping sound security practices.

The White House’s 2009 Cyber Review estimated the loss of intellectual property from companies as a result of cyber-based hacking in 2008 alone exceeded $1 trillion in value. FBI Director Mueller said in 2009 that his Bureau was aware of 3200 Chinese front companies operating in the United States. Kudos to House Intelligence Committee Chairman Mike Rogers for telling the American public about the significant efforts of countries like China to utilize every means available to spy on American companies – something the National Economic Security Grid has designated as the “Advanced Persistent Asymmetrical Threat.”

After twenty years of rapid growth, we now stand with an unregulated and uncontrolled Internet vulnerable to attack and disruption from anywhere and by anyone on the planet. We have minced around the edges of doing something about this essential part of our daily lives for years. The time has come to declare reality. It is a public utility. It affects all Americans lives. It needs to be regulated by the government.

On the day before the Labor Day weekend, the White House released the President’s latest “National Preparedness Month” Proclamation. Like last year’s, the proclamation employs the term “resilience.” Yet, the White House remains unwilling to act to establish resilience as the nation’s preparedness objective and daily operating condition. Rhetoric is not results.

The Smart Grid is the way of the future in electricity management, but it also presents cybersecurity challenges. A recent report on Smart Grid Cyber Security from the Government Accountability Office cautioned against using regulation to bolster security. There is a “default setting” on businesses and government entities that seems to drive them toward regulatory solutions. It is a harmful tendency in our modern world, and it is not the right approach for improving U.S. cybersecurity.

The Aspen Institute’s Security Forum, held at the end of July, proved why it has become, in only three years, a “must-attend” event for those of us working in the homeland and national security space. The four-day program was packed with insight from leading thinkers and past and present policy makers and influencers on the subject of national and homeland security. There was not a single bad panel, but three sessions stood out in my mind as being a slight cut above the rest.

Information travels through America’s cyber networks at the speed of light. The legislation that will be used to govern some aspects of network security is traveling at the speed of bureaucracy. The Senate has been debating two cybersecurity bills that will impact U.S. cybersecurity standards, but whatever Congress eventually decides, the onus is on U.S. citizens and businesses to step up their individual security efforts.

One issue that receives too little public attention is the blatant use of hackers by China to steal U.S. intellectual property, defense technology, and other data critical to national security and competitiveness. China is one of America’s biggest competitors, and they (hackers, Chinese corporations and the Chinese government) clearly have no problem penetrating U.S. public and private sector networks to leapfrog over the years of hard work and innovation. Are we not outraged?

By Rob Strayer
Two hundred years ago today, the United States declared war against Great Britain, beginning the War of 1812. At that time, the British Navy was the aggressor, boarding U.S. commercial vessels. Today, the United States faces a digital threat to its national security and commercial interests. Like their nineteenth century counterparts conducting flagrant piracy on the high seas, cyber attackers openly and notoriously exploit U.S. commercial networks. How does the United States develop a national cyber security policy that is tailored to the problems that private sector companies face (avoiding the mistakes of 1812)?

Once again, America is officially under attack. According to multiple reports, including an “incident response” report from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), U.S. natural gas pipeline companies are at the center of a major cyber attack campaign. While I’m certain that some in Congress will use this latest cyber attack campaign as fodder to further their cyber security legislation, I do not believe we can legislate our way out of this problem.

On Monday, one of the Obama Administration’s heavies took to the Op-Ed page of the Washington Post to fight for cyber security. John Brennan, the President’s senior advisor on counterterrorism and homeland security, published a pretty impassioned piece reminding the Nation that cyber treats are real. Personally, I thought we were beyond the debate about the existence of the cyber threat and our need for better cyber defenses, cyber hygiene, training, and public-private info sharing. I guess there are still nay-sayers out there.