Pages

17 October 2016

To The Next President: Get A National Cybersecurity Strategy


French Caldwell

In the first presidential debate, since cybersecurity is rarely a topic for political debate, I was surprised when moderator Lester Holt questioned the candidates about cybersecurity strategy. Specifically, Holt asked, “We want to start with a 21st century war happening every day in this country. Our institutions are under cyber-attack, and our secrets are being stolen. So my question is, who’s behind it? And how do we fight it?”

The first couple of sentences of Hillary Clinton’s response sounded as if she was going to establish a position on cyber-attacks, but then she segued into an attack on Donald Trump, and her answer just fell apart. The most coherent part of Clinton’s statement was: “…. We need to make it very clear — whether it’s Russia, China, Iran or anybody else — the United States has much greater capacity. And we are not going to sit idly by and permit state actors to go after our information, our private-sector information or our public-sector information.”

That statement sounded as though she was advocating a strategy to hack back, or counter-attack, but then she said: “And we’re going to have to make it clear that we don’t want to use the kinds of tools that we have. We don’t want to engage in a different kind of warfare. But we will defend the citizens of this country.”

So – maybe she would hit back, maybe she would not. Who knows?

As far as Trump’s position, once he got past his own counter-attack on Clinton, he also failed to outline a specific plan, “We should be better than anybody else, and perhaps we’re not…. So we have to get very, very tough on cyber and cyber warfare. It is — it is a huge problem…. The security aspect of cyber is very, very tough. And maybe it’s hardly doable.”

I am not surprised the candidates could not state coherent positions for responding to cyber-attacks or on cyber warfare. Physical warfare is as old as mankind; we have had a really long time to develop strategies and positions there. Even with more modern types of warfare, such as air, space, nuclear, and bio-chemical warfare, in the twentieth century, we developed strategies and regimes of treaties and international agreements.

However, until now there has not been a major war where offensive cyber power was as dominant an element as land, sea, or air power. We have certainly been getting close though. As early as 1999 in the Kosovo war, cyber-attacks on Serbia’s air defense systems may have been used to enhance the effects of the NATO bombing campaign. In 2010, the world’s first documented digital weapon, Stuxnet, began its systematic destruction of Iranian nuclear enrichment capabilities. In June 2015, it was revealed that Chinese hackers had accessed over 20 million personnel records and security clearance data at the U.S. Office of Personnel Management, and the director of national intelligence testified that the hack led the CIA to pull personnel from Beijing. On December 23, 2015, Russian hackers shutdown portions of the power grid in the Ukraine, leaving 1.4 million people without power for up to six hours. And in recent months, Russian hackers have hacked state voter databases and emails from the Democratic National Committee, perhaps with the goal of seeding uncertainty in the electoral process in the minds of voters ahead of the American presidential election.. These attacks illustrate a shift in nation-state cyber strategies, from spying and surveillance to active use of offensive capabilities to attack critical infrastructure, national security assets, and even the political system itself.

Critical infrastructure and national security are not at risk just from nation-states. Cyber criminals are allegedly behind the theft and auctioning of National Security Agency advanced hacking tools. Another example is the ransomware attack on the medical records systems at a Washington, DC healthcare provider that delayed delivery of healthcare services to many patients. These instances illustrate the major shift in cyber-attacks today –with the dependence of critical infrastructure on information technology, safety and lives are at stake; it’s not only about money.

In 2013, the General Accounting Office (GAO) conducted a review of national cybersecurity strategy and found that roles and responsibilities in the federal government were ambiguous. GAO recommended that Congress “consider legislation to better define roles and responsibilities for implementing and overseeing federal information security programs and for protecting the nation’s critical cyber assets.” GAO also called on the Obama Administration to produce “an overarching strategy document that includes milestones and performance measures, cost and resources, roles and responsibilities, and linkage with other key strategy documents.” However, the President disagreed.

In 2002, with White House sponsorship, Richard Hunter, a colleague at Gartner, and I brought together over 120 CIOs and subject matter experts at the U.S. Naval War College wargaming center for three days to help answer one question: was it was possible to develop a strategic cyber-attack on the United States?. It was. Today, cyberwarfare clearly is a reality, and cyber-attacks that can threaten life and limb are happening with increasing frequency. With virtually 100% of the American GDP dependent on information technology, it is long past time for a coherent national cybersecurity strategy. Let’s hope the next Congress and the next president agree.

No comments:

Post a Comment