May 22, 2014
Maybe, but so are most of our adversaries. RCP
America Is a Sitting Duck For Cyber Attacks
The private sector’s Internet infrastructure is very vulnerable.
FE_PR_120530cyber.jpg
Vulnerable to attacks.
By Daniel J. Gallington April 14, 2014 2 Comments SHARE
Here we go, beating ourselves up over the Edward Snowden-leaked National Security Agency programs designed to sort through trillions of telecommunications to find the few related to terrorism. Yet we don’t seem at all concerned about how fragile and vulnerable our huge private sector critical cyber infrastructure, such as our electrical grid, Internet, banking and financial sectors, is to cyber attack.
Not only that, the main reason we haven’t been shut down by an external cyber attack by the Russians or the Chinese isn’t because they can’t do it, but because we are such a fat intelligence target for them. They prefer to be able to steal valuable information from us over the Internet rather than turn it off.
However, assuming things got really ugly, could they shut us down if and when they wanted to? Yes, and it’s particularly important that we understand exactly how they could do it and also how we could probably prevent it if we were just a little smarter than we seem to be.
[See a collection of editorial cartoons on the NSA.]
First of all, most think that the Defense Department’s NSA and Cyber Command are responsible for protecting us from cyber attack. True. However, the “us” part for the NSA is limited to the “dot mil” part of the Internet – at most they protect just the “dot gov” part of our cyber turf.
This leaves the rest of our Internet – i.e., most of it – at a very high degree of risk from cyber attack. Not only that, and surprising as it might be, most of the “dot gov” part doesn’t even want the NSA’s help in defending its networks, because the NSA typically discovers lots of embarrassing leaks in the communication security of government networks.
The origins of this anomaly go back to when NSA had two basic missions: Collecting signals intelligence, known as “SIGINT,” and “communications security,” called “COMSEC.” In the old days, the second part was very aggressive and put most government telephone users on notice that if they “talked classified” over the unsecured government telephone network, they risked administrative or disciplinary action.
This, as you might imagine, was not at all popular, so over the years the mission was reduced or eliminated throughout the government.
Objecting to my unfavorable characterization of our private sector cyber vulnerabilities, official government spinners will probably say that today we have the Department of Homeland Security, the FBI, the Federal Communications Commission and private contractors working aggressively with the private sector to address and improve the cyber security for our private sector infrastructure. However, ask yourself: Do you really believe that, short of a catastrophic shutdown, our private cyber sector could be trusted to come forward on its own with, for example, information that security had been compromised, and that, for example, our financial accounts were accessed or our power grid compromised because of an external cyber attack?
[See a collection of political cartoons on defense spending.]
What would this do for investor confidence? Realistically, the odds of the private sector dealing responsibly with these kinds of threats are about as great as General Motors fixing a 57 cent defect in its cars’ ignition systems on its own. In short, we can’t expect them to be honest or objective about it.
So how do we insure our private sector cyber networks are capable of withstanding or defending themselves against an aggressive external cyber attack like one launched against us because of a rapidly escalating international dispute with China or Russia? Easy. We should be continually testing our critical private infrastructures by simulating external cyber attack. This would be done using the older NSA communications security models as an operational analogy, supplemented with newer and more aggressive oversight and privacy requirements.
As a starter, I have suggested that this be an ongoing joint operation of the FBI, Homeland Security, NSA and the Cyber Command, and be conducted consistent with detailed attorney general privacy guidelines and aggressive oversight by the intelligence, judiciary and homeland security committees of Congress.
[See a collection of political cartoons on Chinese hacking.]
In addition, it should be carried out with advance notice to a specific private cyber sector or, when centrally managed as part of a carefully coordinated national exercise, our critical private cyber infrastructure could be “no notice” tested.
This proactive approach may be the only objective way we can be sure our critical private sector cyber infrastructure can withstand a dedicated external cyber attack and we should be getting busy with it.
This isn’t a lesson we need to learn the hard way.
Daniel Gallington is the senior policy and program adviser at the George C. Marshall Institute in Arlington, Va. He served in senior national security policy positions in the Office of the Secretary of Defense, the Department of Justice and as bipartisan general counsel for the U.S. Senate Select Committee on Intelligence.
View 2 Comments
No comments:
Post a Comment