Here we go, beating ourselves up over the Edward Snowden-leaked National Security Agency programs designed to sort through trillions of telecommunications to find the few related to terrorism. Yet we don’t seem at all concerned about how fragile and vulnerable our huge private sector critical cyberinfrastructure, such as our electrical grid, Internet, banking and financial sectors, is to cyberattack.
Not only that, the main reason we haven’t been shut down by an external cyberattack by the Russians or the Chinese isn’t because they can’t do it, but because we are such a fat intelligence target for them. They prefer to be able to steal valuable information from us over the Internet rather than turn it off.
However, assuming things got really ugly, could they shut us down if and when they wanted to? Yes, and it’s particularly important that we understand exactly how they could do it and also how we could probably prevent it if we were just a little smarter than we seem to be.
First of all, most think that the Defense Department’s NSA and Cyber Command are responsible for protecting us from cyberattack. True. However, the “us” part for the NSA is limited to the “dot mil” part of the Internet – at most they protect just the “dot gov” part of our cyberturf.
This leaves the rest of our Internet – i.e., most of it – at a very high degree of risk from cyberattack. Not only that, and surprising as it might be, most of the “dot gov” part doesn’t even want the NSA’s help in defending its networks, because the NSA typically discovers lots of embarrassing leaks in the communication security of government networks.
The origins of this anomaly go back to when NSA had two basic missions: collecting signals intelligence, known as “SIGINT,” and “communications security,” called “COMSEC.” In the old days, the second part was very aggressive and put most government telephone users on notice that if they “talked classified” over the unsecured government telephone network, they risked administrative or disciplinary action.
This, as you might imagine, was not at all popular, so over the years the mission was reduced or eliminated throughout the government.
Objecting to my unfavorable characterization of our private sector cyber vulnerabilities, official government spinners will probably say that today we have the Department of Homeland Security, the FBI, the Federal Communications Commission and private contractors working aggressively with the private sector to address and improve the cybersecurity for our private sector infrastructure. However, ask yourself: Do you really believe that, short of a catastrophic shutdown, our private cybersector could be trusted to come forward on its own with, for example, information that security had been compromised, and that, for example, our financial accounts were accessed or our power grid compromised because of an external cyberattack?
What would this do for investor confidence? Realistically, the odds of the private sector dealing responsibly with these kinds of threats are about as great as General Motors fixing a 57-cent defect in its cars’ ignition systems on its own. In short, we can’t expect them to be honest or objective about it.
So how do we ensure our private sector cybernetworks are capable of withstanding or defending themselves against an aggressive external cyberattack, such as one launched against us because of a rapidly escalating international dispute with China or Russia? Easy. We should be continually testing our critical private infrastructures by simulating external cyberattacks. This would be done using the older NSA communications security model as an operational analogy, supplemented with newer and more aggressive oversight and privacy requirements.
As a starter, I have suggested that this be an ongoing joint operation of the FBI, Homeland Security, NSA and the Cyber Command, and be conducted consistent with detailed attorney general privacy guidelines and aggressive oversight by the intelligence, judiciary and homeland security committees of Congress.
In addition, it should be carried out with advance notice to a specific private cybersector or, when centrally managed as part of a carefully coordinated national exercise, conducted as a “no notice” test of our critical private cyberinfrastructure.
This proactive approach may be the only objective way we can be sure our critical private sector cyberinfrastructure can withstand a dedicated external cyberattack, and we should be getting busy with it.
This isn’t a lesson we need to learn the hard way.