Weapons Exist to Defeat Cyber Attacks, But Are Not Being Used
Most of the crime that is being perpetrated in cyberspace could be prevented if only organizations employed the weapons they already have at hand, says an industry expert. Companies and government agencies, for instance, have information systems that could identify and possibly avert unauthorized release of data, a la Wikileaks.
The government worries about foreign nations trying to hack into Pentagon networks, but often is not paying attention to the “insider threat,” says Charles Croom, retired Air Force lieutenant general and vice president of cybersecurity solutions at Lockheed Martin Corp.
In breaches such as the Wikileaks cables, where allegedly it was an Army soldier who downloaded classified documents, “Why didn’t we protect ourselves?” Croom asked. “Because we didn’t take it seriously … even though the insider threat is significant.”
Croom spoke last week at the Institute for Defense and Government Advancement’s “Network Enabled Operations” conference in Arlington, Va.
Recent studies by government experts and industry giants such as Verizon noted that most data thefts or network attacks are avoidable if existing measures are applied, Croom said. “If we only implemented what we know how to implement we could avoid 80 percent of breaches,” he said. “Why aren’t we doing it? Because it’s damned hard implementing what we already know how to do.”
Major Internet service providers, known as ISPs, already have means to destroy botnets — malicious software that runs autonomously. But they elect to not go after botnets because they worry about liability claims, said Croom.
On the government side, agencies and Congress are still scrambling, without a “cohesive strategy” for how to strengthen the nation’s cyber defenses, Croom said.
Senior Obama administration officials — such as White House cyber czar Howard Schmidt, Homeland Security Secretary Janet Napolitano and U.S. Cyber Command Chief Gen. Keith Alexander — have spoken at various forums about the need to boost cybersecurity, but each has expressed divergent viewpoints on “what the threat is and what the way ahead is,” Croom said. “How do you come up with a cohesive government strategy when you have a leadership as diverse as they are?” he asked. “That may be part of our problem: We can’t really agree on the difficulty” of the cyber challenge, he added. Perhaps if they all got in a room together and talked, they would come out with similar answers, Croom said.
The fragmented arrangement of U.S. cybersecurity responsibilities only will create more confusion about who has the authority, for example, to unleash a network attack on an adversary, or who has the power to determine if a target is legitimate. “What happens if we take down a country’s utility and the hospital’s power goes out?” Croom asked. If U.S. critical infrastructure were struck by malware, it’s not clear whether that would be considered a hostile terrorist-like act. “What is our threshold for war, and when do we respond kinetically and say, ‘That’s enough.’”
Croom blames the military for not providing expert guidance to civilian authorities. “The military, in my view, has totally avoided the strategy aspect,” he said. Instead, it has just thrown money at the problem. “In the military, we do what we do best when we come to a hard issue: We create an organization.”
The Defense Department established the Cyber Command and, “as good military people do, we define roles and responsibilities for the organization,” Croom said. After the bureaucracy is in place, maybe someone will ask, “what the heck was our strategy anyway?” Croom said. “I’m not saying that’s bad, but it does seem backwards.”
Cyber Command, in Croom’s opinion, prematurely declared itself “operational” last year, “without any processes, without any talent.”
The private sector, meanwhile, is ambivalent about investing in cyberwarfare technology because, for many companies, there is still no “business case,” Croom said. “Industry also is saying to the government, ‘Hey you’ve got more information than I have, why don’t you start sharing it?’”
With the economy in the United States still struggling, it is going to be more difficult for corporations to justify large expenditures in security against perils they don’t really understand or believe really exist.
There is an ongoing debate in the industry on why the nation has not yet seen a “Digital Pearl Harbor.” Some insiders believe we’ve just been lucky; others maintain that U.S. information systems might be more resilient than most people think they are. Or maybe nobody has yet bothered to seriously plan an attack.
Executive Branch agencies and the private sector will be closely watching congressional actions this year regarding cybersecurity. The key question, said Croom, is whether Congress will call for more or less regulation. Industry would like to see the government adopt contracting rules that reward “best practices” in cybersecurity and long-term research investments. The private sector also would like some clarity on what critical infrastructure the government intends to protect.
Mark Young, special counsel for defense intelligence at the House Permanent Select Committee on Intelligence, said Congress continues to wrestle with these issues.
Speaking at the IDGA conference, Young pushed back on the conventional wisdom in Washington that congressional committees are more interested in protecting their turf than in securing the nation’s networks. “Unlike what you might see in some headlines, it’s not necessarily a turf battle,” Young said. “Staffers and members are trying to figure out who should handle what.”
But he acknowledged that Congress is “just as confused sometimes as the Executive Branch is on who should be doing what.” The specific duties of the intelligence community, the Defense Department or the Department of Homeland Security haven’t been communicated to Congress, he said. The line between the National Security Agency and U.S. Cyber Command also is blurry, he said. “The debate within the Executive Branch is reflected on Capitol Hill.”
The issue of whether a cyberattack is an act of war seems a “little bit of a red herring,” Young said. “The fact that we all spin our wheels trying to figure out if this is an act of war” is pointless, he said, because only the president can make that call.
For Congress, it’s important to institutionalize public-private partnerships, he said. “Over 80 percent of the infrastructure is owned by private sector.” Lawmakers also want to be included upfront in any major decisions, he said. “The Executive Branch is going to be a lot happier if they cooperate with the Hill rather than bringing us at the end, and surprising us after it’s fait accompli.”