Our cyber defense is in a state of crisis. That’s right: The United States of America is vulnerable in cyberspace in a way that should not be acceptable to any of us, Republican or Democrat, young or old, rich or poor.
The emergence of the Internet and the World Wide Web over the past 20 years has made information available to virtually everyone on the planet, including large populations which previously had little or no access. The Arab Spring in Tunisia, Egypt, Jordan, Yemen, Bahrain, and other countries of North Africa and the Middle East underscores the enormous power of digital systems to democratize the availability of information and disrupt non-democratic systems of government.
These systems have also democratized hacking and attacking cyber systems. Individuals and small groups, often with very little funding or formal organization, now regularly attack the Internet infrastructure and the enterprise information technology operations. Entire nation states and well-financed private groups have also developed extraordinary tools for attacking the same systems. During the 20 years of the Internet’s existence, these attacks have become pervasive and truly effective. Today the major communications pathways that support our military operations are attacked thousands of times a day by hackers, criminals and nation states.
But it’s no longer “just” a military issue. The threats have evolved and matured during the last six years to the point where many of our large enterprises are also under constant attack. The attackers are sophisticated adversaries who routinely succeed in breaching systems that were expensive to build, creating economic damage as well as harming the reputation and trust invested in institutions. The attacks are now moving down to medium-sized enterprise players. These attacks undermine the effectiveness of many business processes that are fundamental to the productivity of our economy.
The cyber attacks themselves are increasing in technical sophistication. Many are based on so-called “zero-day attacks”, which exploit previously unknown vulnerabilities in devices, operating systems, storage and applications. Recently, the use of social engineering attacks has made even well-protected networks and applications vulnerable, by tricking trusted individuals into exposing systems unintentionally. Insider threats are growing as well, as evidenced by the huge loss of classified information in the WikiLeaks breach.
Efforts to protect Internet-based assets of both business and government are largely confused, diffuse, and very poorly organized and funded. The Department of Defense has succeeded in establishing a Cyber Command with the resources and authority to aggressively defend the military’s assets, but it has no charter or authority beyond the military.
In 2010 there were over 50 bills introduced in Congress that tried in one way or another to deal with policy, standards, organizational responsibilities, executive department leadership, legal issues, international agreements, and funding for cyber defense. None of them were enacted into law. In 2011, there were more than 30 bills introduced, and again none were passed. Meanwhile, research and development of new tools for protecting our information systems are vastly underfunded. Standards for employing security and protective measures are not keeping up with the threats.
This has become one of the most fundamental problems for the future of the nation. It is technically complex, but is impeded by out-of-date laws and very diffuse organizational responsibilities and leadership. The building of a solid foundation of national and international principles is sorely needed to restore and maintain the integrity of the Internet as the foundation for our national and global economic security. In the civilian domain, we need to rethink how we are organized to fight e-crime, e-fraud, and cyber espionage by building a more cohesive organizational structure that is framed around IT infrastructure – like the Internet itself – rather than being based on physical infrastructure. Such an organizational construct must be virtual, use the resources of multiple agencies and provide the agility to deal with the ever-changing world of IT. We also need better computer security education for users of these systems, new game-changing technologies to better protect systems, and more aggressive enforcement which can cope with the international scope of Internet crime.
William P. Crowell authored this post. Crowell is former Deputy Director of the National Security Agency as well as a respected executive and director of private companies in the security space.