Last week Defense Secretary Leon E. Panetta presented his case for an invasive system to monitor the nation's private systems in order to better identify and respond to cyber threats.
Panetta correctly points out that the likelihood of a 9/11 scale cyber attack is real—and if something isn't done, large sections of the U.S. infrastructure could fail. He uses as an example the successful attack on ARAMCO, a Saudi Arabian state owned oil company, which wiped 30,000 computers, causing massive data loss and rendering them temporarily useless.
Get the latest IT news and analysis from Constantine von Hoffman's IT Security Hack blog
The proposed remedy is to provide the U.S. government with broad access to private systems so that malware can be quickly identified and removed and other national threats identified and stopped. The problem is that such access creates privacy issues and may itself be a bigger problem than the threat it attempts to eliminate. Not only is the requested change unlikely to happen any time soon, it may increase the potential for either a domestic or foreign cyber attack.
Central Network Eliminates Natural Protection
One hidden benefit in the fact that our systems often don't share information well or have a common security structure is that attacks against infrastructure therefore have to be tightly targeted. This means an attack on one private or public system probably won't even work on most others, since they run a variety of different security packages, operating systems and applications, all surrounded by different policies.
One of the reasons we haven't yet had a repeat of 9/11—that is, an attack that reaches catastrophic levels—is because these systems just don't interoperate very well or share information at a low level. The amount of work to carry out such an attack currently exceeds the resources of the attackers.
Create a central network where systems regularly and automatically share information in real time, though, and you also create a single point of access where such an attack can be perpetrated. You change an impossible problem into one that is just very difficult—and, given both public and private practices to put off spending on security until there is a credible threat or demonstrated damage, attacking this centralized system will likely get easier over time for an outside entity and may be too attractive for a properly placed disgruntled employee to pass up.
The government's recent history with security is a case in point. The death of the U.S. Ambassador to Libya showcased a situation in which the risks were real, and known, yet protections were reduced. After the attack, the political system focused on finding someone to blame, not assuring that the problem wouldn't recur.
In short, the very system Panetta is suggesting could be the key to causing the thing he is trying to avoid.
A Better Short-Term Cybersecurity Solution
I see several things the government could do instead.
- Strengthen liability laws in order to fast-track the process for compensating companies that suffer damage caused by inadequate protection.
- Assure that compensation came from the budgets of the government organizations whose systems were targeted, in a manner similar to the way insurance companies pay out settlements. This would force agencies to increase their security budgets and audit the results to ensure they aren't too exposed.
- Provide a common, required reporting method to report an identified attack along with a requirement for minimal legal coverage.
Analysis: How the U.S Can Avoid a 'Cyber Cold War'
All this could all be done without connecting the systems or creating a central government body to access them. There would be little additional government cost and few, if any, privacy concerns for anyone not perpetrating or directly connected to an attack. In short, such a plan would promote a higher level of prevention through better-funded protection.
'Cyber 9/11' Will Only Be Followed By More, Worse Attacks
Panetta's plan suggests that an attack is unavoidable. The problem with a method that almost assumes an attack will happen, or requires a successful attack in order to be implemented, is that it usually does more harm than good.
After 9/11, poorly planned responses crippled the airlines industry and nearly bankrupted the country—and the integration of government communication systems that could have prevented the event in the first place is still not complete.
The real concern is that we do, in fact, get hit with a 9/11 cyber attack, as the Department of Defense has anticipated, and that the response to the event either creates an even bigger financial or privacy problem or sets the stage for a much larger attack. None of these are mutually exclusive. Unfortunately, we need to anticipate such a dire outcome. If you are driven to interconnect your systems nationally, then doing it quickly, let alone at all, would be a very unwise idea.
Rob Enderle is president and principal analyst of the Enderle Group. Previously, he was the Senior Research Fellow for Forrester Research and the Giga Information Group. Prior to that he worked for IBM and held positions in Internal Audit, Competitive Analysis, Marketing, Finance and Security. Currently, Enderle writes on emerging technology, security and Linux for a variety of publications and appears on national news TV shows that include CNBC, FOX, Bloomberg and NPR.