There continues to be a significant shortfall in our cyber security capabilities, and this is something that needs our determined efforts to rectify.
Often I hear a refrain from IT specialists that we can’t wait with security until the end of a project, but rather we need to “bake it into it” from the beginning. And while this is good advice, it is not enough to address the second-class status that we hold for IT security versus other IT disciplines such as applications development or IT infrastructure provision. Cyber Security must be elevated to safeguard our national security interests.
Here are some recent statements from some our most respected leaders in our defense establishment demonstrating the dire strait of our IT security posture:
· “We’re the most vulnerable, we’re the most connected, we have the most to lose, so if we went to war today in a cyber war, we would lose.”- Retired Vice Admiral Mike Mullen (Federal Computer Week 24 February 2010)
· The United States is "under cyber-attack virtually all the time, every day” - Defense Secretary Robert Gates: (CBS, 21 April 2009)
· “The globally-interconnected digital information and communications infrastructure known as “cyberspace” underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety, and national security. This technology has transformed the global economy and connected people in ways never imagined. Yet, cybersecurity risks pose some of the most serious economic and national security challenges of the 21st Century.” (White House CyberSpace Policy Review, 2009)
Further, the number of attacks is increasing; for example, SC Magazine 20 November 2009 reported that the number of cyber attacks against the Department of Defense was increasing year-over-year 2009 to 2008 by some 60%!
And the penetration of our critical systems spans our industrial, civilian, and defense establishment and even crosses international boundaries. Most recently reported, these included the following:
· F-35 Joint Strike Fighter $300B program at Lockheed Martin,
· The Space Shuttle designs at NASA
· The joint U.S. South Korean defense strategy
· The Predator feeds from Iraq and Afghanistan and more.
Thankfully, these events have not translated down en-masse and with great pain to the individuals in the public domain. However this is a double-edged sword, because on one had, as citizens we are not yet really “feeling the pain” from these cyber attacks. On the other hand, the issue is not taking center stage to prevent further and future damage.
This past week, I had the honor to hear Mr. James Gossler, a security expert from Sandia National Labs speak about the significant cyber security threats that we face at MeriTalk Innovation Nation 2010 on the Edge Computing panel that I was moderating.
For example, Mr. Gossler spoke about how our adversaries were circumventing our efforts to secure our critical cyber security infrastructure by being adept and agile at:
· Playing strength to weakness
· Developing surprising partners (in crime/terror)
· Changing the rules (“of the game”)
· Attacking against our defenses that are “naïve or challenged”
In short, Mr. Gossler stated that “the current state-of-the-art in information assurance [today] is significantly outmatched” by our adversaries.
And with all the capabilities that we have riding on and depending on the Internet now a days from financial services to health and transportation to defense, we do not want to be outgunned by cyber criminals, terrorists, or hostile nation states threatening and acting in ways to send us back to the proverbial “stone-age.”
Unfortunately, as a nation we are not moving quickly enough to address these concerns as retired Navy vice admiral Mike McConnell was quoted in Federal Computer Week: “We’re not going to do what we need to do; we’re going to have a catastrophic event [and] the government’s role is going to change dramatically and then we’re going to go to a new infrastructure.”
Why wait for a cyber Pearl Harbor to act? We stand forewarned by our experts, so let us act now as a nation to defend cyber space as a free and safe domain for us to live and thrive in.
There are a number of critical obstacles that we need to overcome:
1) Culture of CYA—we wait for disaster, because no one wants to come out first—it’s too difficult to justify.
2) Security is seen as an impediment, rather than a facilitator—security is often viewed by some as annoying and expensive with a undefined payback, and that it “gets in our way” of delivering for our customers, rather than as a necessity for our system to work
3) We’ve become immune from being in a state of perpetual bombardment—similar to after 9-11, we tire as human beings to living in a state of fear and maintaining a constant state of vigilance.
Moreover, to increase our cyber security capabilities, we need to elevate the role of cyber security by increasing our commitment to it, funding for it, staffing of it, training in it, tools to support it, and establishing aggressive, but achievable goals to advance our capabilities and conducting ongoing performance measurement on our initiatives to drive results.