Why the Government's Cybersecurity Plan Will End in Catastrophe
The Department of Defense wants access to private computer systems in the name of cybersecurity. In addition to being a privacy nightmare, CIO.com columnist Rob Enderle says a centralized information sharing system will actually make the United States more susceptible to cyber attacks and suggests an alternate approach to cybersecurity.
Fri, October 19, 2012
CIO — Last week Defense Secretary Leon E. Panetta presented his case for an invasive system to monitor the nation's private systems in order to better identify and respond to cyber threats.
Panetta correctly points out that the likelihood of a 9/11-scale cyber attack is real, and if something isn't done, large sections of the U.S. infrastructure could fail. He uses as an example the successful attack on ARAMCO, a Saudi Arabian state-owned oil company, which wiped 30,000 computers, causing massive data loss and rendering them temporarily useless.
The proposed remedy is to provide the U.S. government with broad access to private systems so that malware can be quickly identified and removed and other national threats identified and stopped. The problem is that such access creates privacy issues and may itself be a bigger problem than the threat it attempts to eliminate. Not only is the requested change unlikely to happen any time soon, it may increase the potential for either a domestic or foreign cyber attack.
Central Network Eliminates Natural Protection
One hidden benefit of the fact that our systems often don't share information well or have a common security structure is that attacks against infrastructure have to be tightly targeted. This means an attack on one private or public system probably won't even work on most others, since they run a variety of different security packages, operating systems and applications, all surrounded by different policies.
One of the reasons we haven't yet had a repeat of 9/11, that is, an attack that reaches catastrophic levels, is that these systems just don't interoperate very well or share information at a low level. The amount of work to carry out such an attack currently exceeds the resources of the attackers.
Create a central network where systems regularly and automatically share information in real time, though, and you also create a single point of access where such an attack can be perpetrated. You change an impossible problem into one that is just very difficult. Given the public and private practice of putting off spending on security until there is a credible threat or demonstrated damage, attacking this centralized system will likely get easier over time for an outside entity and may be too attractive for a properly placed disgruntled employee to pass up.