Saturday, November 6, 2010

US Offensive vs. Defensive Security and our economic disadvantages

Today's article in the Washington Post on the Pentagon's Cyber Command requesting more authority to perform international cyber attacks in an effort to protect US interests and assets in my mind brings to light the inherent flaws of our existing US Cyber Defense "strategies".

First, some background. US Cyber Command (USCYBERCOM) was formed in May 2010 with a general mission to protect DoD cyber assets (.mil), improve US cyber attack capabilities and support DoD missions in cyberspace (i.e. disrupt enemy systems prior to military sorties, etc.). Note, USCYBERCOM does NOT protect non-military/DoD assets, including our federal government infrastructure. Which leads us to the Department of Homeland Security (DHS). Such tasks (protecting .gov) are the responsibility of the DHS, which, apart from the fact that, in many people's view, it is one of the most bloated and ineffective government agencies to date (albeit born with good intention, but simply put, everyone has an ego), just last week created another crap storm of bad publicity for itself when DHS Chief Janet Napolitano announced that NSA cyber-spooks would be participating hand in hand with the DHS in civilian cyber-security incidents. Not that I technically disagree with the concept in certain circumstances which have been properly vetted, but 4th Amendment, anyone?

Regardless, USCYBERCOM is both the strategic and tactical cyberspace arm of the DoD, charged with both defending .mil and DoD assets and developing and then implementing offensive capabilities against foreign entities which have been assessed to pose a threat to the US. The DHS is, on paper, the technical equivalent of USCYBERCOM for the federal government, charged with protecting .gov assets. So who is responsible for defending our civilian assets, such as critical economic verticals like our finance, medical and manufacturing sectors?

Drum roll ...

Themselves. Individually. With no coordinated strategic direction whatsoever. Each individual organization in each of our primary business verticals is responsible for defending its own assets in whatever manner it deems appropriate. Sure, we have numerous regulatory compliance standards out there like PCI-DSS, etc., but they are all scattered, focused on specific industry variables and in most cases are either ridiculously vague and/or have no teeth. Compliant does not equal secure. Now, I am certainly not the first security geek to point that out, or to point out that security is subjective. Or even that security is subjective because it is associated, from an investment perspective, with loss (Prospect theory). We even have an entire security solution subset called Data Loss Prevention to make sure, in case anyone had any doubts, that security is indeed associated with loss. And any investment, whether a gain or a loss, eventually boils down to an individual's status quo.

In black and white terms, the security of the entire non-military US economy is reliant on the individual subjective decisions of each and every strategic decision maker (CxO) of each and every company in both the public and private sector that does not do business with either .gov or .mil. And, more than likely, a decent percentage of those that do business with .gov and .mil as well.

While the direction of this commentary may appear as if it is moving towards a diatribe about whether or not the government and/or the military should be as involved in protecting US economic assets in cyberspace as it was in protecting our US economic assets in our cities during the Cold War, with all of our missiles set up, ready to launch at the slightest hint that Russian missiles might be flying towards our private sector institutions huddled conveniently together in said physical locations, it is not.

It is about the need for discourse between civilian and government institutions, both public and private sector, both DHS and USCYBERCOM, to develop a unified defensive strategy with the end goal of standardizing how we can protect our civilian economic resources as successfully as we protect our non-civilian .gov and .mil resources, and thereby (hopefully) removing the subjectivity from the "protect our nation's economy" security problem. No doubt, it is a daunting task, fraught with politics, lobbyists and egos. But a necessity nonetheless.

The US has fallen behind our existing cyber-adversaries from a defensive perspective in many ways. The sheer number of reported data theft/loss incidents in the civilian public and private sectors sourcing from international entities appears to be growing exponentially, and the attacks are becoming more targeted and therefore more difficult to protect against every day. The US government counters that lack of a national set of defensive strategies and tactics with an overwhelming superiority of offensive strategies and tactics. However, in this case, a good offense is not at all a good defense, especially when all indications point to the fact that our existing cyber-adversaries have been lifting our corporate trade secrets right from under our noses since at least the early 2000s. Aurora was niche; Stuxnet may have been even more niche, even if it wasn't technically "targeted" at US assets. And those "unknown unknown" threats are the threats we as a nation need to be afraid of and develop strategies to protect against, together: civilian, government and military.

USCYBERCOM asking for more authority to begin, essentially, hacking campaigns against our current known cyber-adversaries illustrates how far behind we are from many of those threats. Those adversaries do not need to ask for permission or lobby Congress to get this done, since it is already being done either by nation-states who understand that "cyberwar" includes the defensibility of their nation's public economic infrastructure or by highly funded organized crime units who are above the law to begin with (let alone our own allies). Our nation's technological advantages combined with a complete lack of civilian sector security strategies, tactics and standards put the US at a very large disadvantage:

It is cheaper for a small international startup to purchase stolen trade secrets that will reduce the technological chasm the US currently holds over most of the rest of the world than it is to develop said technology on its own. And look how easy we have made it for our civilian corporate trade secrets to be stolen.