Cybersecurity: Moving Beyond the Chatter and Noise!
Pat Clawson - March 25th, 2010
As both a guest speaker and attendee at the Security Innovation Network’s fourth annual IT Security Entrepreneur’s Forum, I found the conference provided a great deal of insight on important cybersecurity issues. Two panels I found particularly relevant were: “An Industry and Government Perspective on the Emerging Cyber Threats, Risks and Vulnerabilities” and “Moving Forward with a Roadmap for the IT, Banking, Finance and Energy Sectors.” Here’s why — the panels provided great food for thought around the increasing range of cyber threats and the frequency and sophistication of these attacks against our nation’s most critical IT infrastructure while looking at future plans for fixing broken pieces of our security puzzle. This is significant because what’s currently missing from the security discussion today is how we can make the information we have actionable. We keep talking about what needs to happen, but for the last ten years, we haven’t found the right model.
While the bad guys are ramping up their tools and gathering intelligence, we’re spending too much time pontificating on what’s wrong with our current approach rather than moving forward with the right plan of action. Granted, if we want to protect ourselves as a nation, we first need to understand the current health and state of our national security, but without a clear plan of action from the top, all this talk will go to waste. A recent article published in The New York Times, “Academic Paper in China Sets Off Alarms in U.S.,” highlighted a research paper written by a Chinese researcher who essentially wrote a how-to guide for attacking small U.S. power grid sub-networks in a way that would cause a cascading failure of the entire U.S. infrastructure.
What’s really alarming is that this paper looks at the existing vulnerabilities in the power grid and identifies specific ways to hack into the network. This is just another reminder that other nation states have a clear idea of where the weak points are in our infrastructure and can exploit them at any given time. Think about that for a second. Our computer systems could be compromised by other nation states at any given time — such a frightening and disappointing thought considering we’re supposed to be the most powerful nation in the world. But, let’s look at the reverse scenario…we probably have similar detail about their critical infrastructure…but it is state owned on their end. They can marry the data they are seeing on critical infrastructure attacks or tests by the USA and what they see on their military networks to get a clearer picture of what and how we operate. On our end, public and private sectors don’t talk…there is no sharing of attack data. We have NO balanced national view.
There are a few issues that need to be addressed quickly.
First, we have no national situational awareness without any ability to respond to attacks against our government and infrastructure. We have no clue how to best protect not only U.S. government systems, but private sector systems. The massive interconnectivity and the almost 100 percent dependence on computer technology today to conduct business leave us extremely vulnerable. The U.S. government has to take the lead in bringing all the core pieces together. That means technology and people across various sectors to protect and secure our nation. We need to respect the values of free enterprise and our capitalistic society and still find a way to allow the sharing of data that serves the security interest of the entire population.
Second, we don’t have a truly EMPOWERED cybersecurity leader to drive initiatives and education, and bridge the divide between public and private sectors to create better transparency and awareness. We need White House Cybersecurity Coordinator Howard Schmidt to be given budgetary power and authority to bring key elements from the private and public sectors under a single umbrella to identify cyber vulnerabilities as well as physical vulnerabilities and to build a model to address these risks. This means Schmidt will need to move quickly to build a non-toxic bridge between the private sector and the federal, state and local governments to understand risks, educate, collaborate and share data to create an effective incident response system. By getting a unified view of the risks (both physical and cyber) that exist across business and government systems and infrastructure, we can establish a holistic approach to securing our nation. Further, the partnership between the private and public sector will allow the U.S. government to then make business recommendations on security measures, key processes and technologies to secure and close any vulnerabilities.
It’s about time we put ideas into action with a good move-forward plan. So, my question to you: What do you think is the best way to actually get the ball moving? I would like to hear your thoughts on that as I will be covering this extensively in the coming months.