Adfero Group HSPI

America’s intelligence community finds itself pressed to deal with the “Wild West” frontier of an ever-expanding cyber space. From Twitter to blogs to e-mail, the changes are coming hard and fast for governments, businesses and individuals worldwide. The challenges for the American policy maker and the intelligence community are simple and yet hugely complex. So far, by our own admission, we appear not to be passing the grade.

One of the keynote speakers at last week’s Cyber Conference at the Walter Washington Center was Ed Amoroso, the CTO of AT&T. Ed is brilliant, well spoken, and as funny as any speaker I have heard lately. He also has a practical and accurate view of the challenges we are facing in the cyber realm – including LAN protection, botnets and mobile security. He raised lots of great issues and challenged the audience to work out the solutions.

Following the recent attention given to the water sector’s vulnerability to cyber intrusion, there’s been a lot of talk about what went wrong, whose fault it was and why changes need to be made in the sector. However, the challenge in addressing the water sector’s cyber security posture isn’t in outlining existing problems, but rather in generating realistic, affordable and timely solutions to mitigate them. My concern is that we may just keep talking about the problem without actually doing anything about it.

Since news broke last week about a suspected cyber attack on an Illinois water utility, media, government and industry have probed the ramifications for U.S. critical infrastructure protection (CIP). Though DHS and FBI later found no attack had occurred, the incident does highlight vulnerabilities in the way utilities are secured against cyber threats. To understand these complex issues, reporters turned to water security expert, Catalyst Partners principal and Security Debrief contributor Vance Taylor.

By Rob Strayer
It is an unfortunate modern reality that cyber attacks are commonly used to steal money from businesses and individuals. Cyber attacks that disrupt or destroy physical assets, on the other hand, have been rare up to this time. The news over the weekend that a terrorist organization was able to finance its activities by hacking AT&T business customers’ telecommunications accounts represents a new and disturbing development in the use of cyber attacks by terrorists.

As happy/relieved as I am to know that the Russians aren’t out to disrupt our water services, it is important to note that a water system in South Houston was the victim of a real cyber attack. (You’ll recall it occurred in direct response to DHS downplaying of the reported situation in Illinois).The would-be attack, and the actual one, are stark reminders that the threat of cyber attacks are real.

I have read several articles on the recent water plant cyber intrusion that damaged a pump in a small utility firm’s facility in Illinois. I am not a digital forensics analyst, but I do find the reactions very interesting. Frankly, I don’t know what the Water Plant incident really means, but at this point neither does anyone else. Can we afford to dismiss it, even if it turns out to be amateur hackers? I have said this before; the sky is not falling! However, we still need to up our vigilance and recognize that we have enormous vulnerabilities and competent adversaries.

The last several months in D.C. have witnessed a series of Executive Orders, proposed legislation, bureaucratic action and public bickering over how to “defend” cyberspace. This dividing up of provinces of responsibility in cyberspace is interesting. It is a lovely 20th century way of dealing with a 21st century problem. Setting boundaries in the boundless frontier. Those seeking to harm cyberspace must be laughing up their collective sleeves or Guy Fawkes masks.

Richard Clarke is at it again. In a conference this week, he stridently appealed to the audience. He warned that the President aught not consider going to war any time in the near future. This because our cyber capabilities are so weak and America’s enemies are sure to use cyber attacks against us. Dick Clarke is a competent and farsighted man who has served this Nation long and well. Why does he seem to relish wallowing in hyperbole? We are NOT boxed in by our cyber insecurities to the point of having no options.

The recently identified “Duqu” worm has raised a whole new set of issues. Seemingly a variant of the Stuxnet malware that got so much of the world’s attention, everyone is trying to figure out what it “means.” Stuxnet opened a new window, and Duqu is only the first of many. The rub is, unlike Stuxnet, which targeted Iranian centrifuges, Duqu may be coming directly at you and your systems.

In this era of budget austerity, telework is an effective way to reduce agency costs and increase productivity. Recognizing these benefits, federal agencies have implemented telework policies and an increasing number of employees are taking advantage of the option. At the same time, however, teleworking presents significant security challenges. Agencies can reduce telework risks through the use of Trusted Computing.

I teach an online Master’s Level course in cybersecurity policy Issues. As part of one of my lessons, I asked students the following question: Can the principles of public health be applied to help understand cybersecurity, or should we stick with a military/defense metaphor? A student offered 10 core functions of public health entities, a stark contrast to traditional law enforcement and security premises centered on enforcement, detection, and deterrence. It is a better fit.

A lot of factors can lay claim to being a “key” to cybersecurity. I would offer another: agility. Presently, agility is the best friend of the Bad Guys. On the defensive side, we labor under a great disadvantage. Development of defensive means is slow and reactive; we have to follow strict rules for commercial deployment of products, and beyond the technical procedures, we have huge hurdles on the legal, policy and regulatory sides. In short, the good guys are anything BUT agile.

Again the other day, another of our government cyber leaders delivered the usual canned speech about how we must increase our defenses – read expand budgets/personnel – to defend ourselves against an “electronic Pearl Harbor.” And so, once again, the muscles in the back of my neck begin to stiffen wondering when they are going to stop saying this and if, some day, they will arrive in the 21st century. Cyber attacks – they are not wars – are not about total destruction but death by a thousand cuts.

We are still more than a year out from the next Presidential election (and the accompanying Congressional races), and the level of discourse is so divorced from reality that I am a little nervous about our ability to govern effectively. Both sides are so unwilling to act like adults, to compromise, to build consensus, that many folks are assuming we’ll get nothing done for the next year plus. If that happens, we will have some big problems. America’s networks experience intrusions pretty much continuously, and nearly everyone agrees we have a problem. The bad part is that Washington is not in a problem-solving mood.

The Washington Post published an excellent article, “Suspected North Korean cyberattack on a bank raises fears for S. Korea, allies” detailing a significant cyber attack on a major South Korean bank that occurred last April. This was more than the Denial of Service attacks that have been executed in the past. It was a sophisticated virus attack that took down hundreds of servers at the bank, shut it down for days, and then corrupted a huge amount of financial data. We will see more and more of this. Poor and disconnected nations and terrorist groups have nothing to lose by executing these sorts of attacks.

The present, predominant view that Weapons of Mass Destruction (WMD) is confined to Chemical, Biological, Radiological, Nuclear, and High Yield Explosives (CBRNE) only is now passé. Many people do not even include the “E”. This is far too narrow a view! At least two other categories must be included in the pantheon of WMD. These are cyber weapons and economic warfare.

The draft strategy paper for the National Initiative for Cybersecurity Education (NICE) is on the street and soliciting comments. This is a very important effort. The NICE project hits on the three main “legs” of a national education effort. Some folks have compared this need to the efforts put forth after Sputnik. If that seems trite or overblown to you, I respectfully submit that it is, in fact, a bigger need.

I have been saying for a while that cyber terrorism is a real threat, and one with which we will need to grapple TODAY. Others, some frankly with far more eminence than I have, disagree. Yet, at the recent BlackHat conference, Cofer Black, the counter terrorism expert who lead the CIA’s efforts against Al Qaeda for President George W. Bush, joined “my side” of the debate. Cofer Black is no Propeller-Headed Geek; he is a hardcore practitioner who has fought terrorists his entire career. He knows how they think, act and believe, and he acknowledges cyber terror as an issue.

I know lots of people who have written about how “wild” the cyber realm is today, and the lack of “rules” makes it a Hobbesian State of Nature. The bottom line is that in cyber, there is an incredible freedom to digitally take matters into ones own hands. The concept of nation states having a monopoly on the instruments of power is simply not true in cyber, and it does not matter how big ones biceps are if you can work a keyboard.