The following is a guest post by Richard Stiennon who will be my guest on the May 7th, 2010 PI Window on Business segment “Surviving Cyber War” on Blog Talk Radio at 12:30 PM EST.
Note: A second guest post by Richard through the Procurement Insights Blog will appear here on Friday, April 23rd.
Perhaps in response to rather vocal criticism of his frantic warnings about cyberwar, Mike McConnell, retired Navy Admiral and one-time Director of National Intelligence, published a position piece in The Washington Post. He draws on the Cold War to support his thesis that the US must do more to counter cyber threats. Here is my take on his comments.
Deterrence. McConnell describes the need for attribution and the ability to respond in a massive way to cyber threats. Attribution is a slippery subject in the world of cyber attacks. In all the incidents that have been reported, the United States is the *only* government that has admitted to meddling in international cyber affairs. That was when Twitter revealed that the US State Department had contacted them and asked them to delay a scheduled maintenance on their popular micro-blogging site during the uprising in Iran when protesters were using Twitter to spread news of gatherings and protests in the streets. All other incidents have been vehemently denied by the states involved, specifically China and Russia.
Admirals and generals have often found themselves at odds with the populations of democratic countries. They have devoted their lives and sacrificed the lives of the people under them to protect the property and freedom of those citizens and feel compelled to maintain the military machine that they drive. Yet, in time of peace the populace views war preparation as leading to those very wars, not as a deterrent. The pacifist democracies of Europe and the UK could have easily prevented the carnage of World War II by slapping down Hitler when he first violated the Treaty of Versailles and moved troops and artillery into the Rhineland region in 1936. A quick response would probably have led to Hitler’s removal by his General Staff as they had advised against his aggressive moves in the first place. They lost credibility as each of Hitler’s audacious moves met no resistance. But, that is not how democracies work. Do not mistake me: when the enemy is at the gate, freedom-loving people are the first to stand up and defend their homelands. But no amount of flag-waving and dire predictions will change them.
I draw on WWII; McConnell draws on the Cold War. But, by focusing on the balance of power created by the threat of nuclear holocaust, McConnell leaves out how the Cold War was won. Let’s be honest. Democracy and freedom and the states that support those principles survived the Cold War. Totalitarianism perished in the end. While there are many theories of how this was accomplished, from the influence of Rock and Roll to the fax machine, I tend to give the most credence to the economic front. The West outspent the Soviet Union. Technology, innovation, and a massive arms buildup forced the Soviets to make parallel investments that, along with the crippled industrial plans that could not work in a modern world, impoverished the country to the point where internal strife pulled it down.
I suggest that rather than focus on creating a balance of mutual assured destruction such as existed during the protracted Cold War, a more appropriate response to cyber threats is to increase the costs for the attackers by improving defenses.
Public Private Partnership
McConnell goes on to make the completely unfounded statement:
“… the lion’s share of cybersecurity expertise lies in the federal government..”
I am sure the security researchers at Symantec, Fortinet, McAfee, Bluecoat, Webroot Software, Sourcefire, and hundreds of other security vendors as well as the tens of thousands of security practitioners in the private sector, would be mystified by this claim. Yes, there are cybersecurity experts within the federal government. No way does the “lion’s share” reside inside the government. That is why we are in the sorry state we are in today.
McConnell is somewhat conflicted in his call for greater public-private partnership as pointed out by Glenn Greenwald writing for Salon.
Ever since McConnell created the Comprehensive National Cybersecurity Initiative (CNCI) during the Bush administration we have heard a lot about public-private partnerships but have seen very little action or reduction in successful cyber attacks. As I have maintained, the private sector does not need the government’s help. Certainly, laws requiring ISPs to filter attacks are not required and would create a morass of enforcement and oversight. McConnell favors such laws. The private sector is actually way ahead of the Pentagon and federal government when it comes to countering network-based attacks. Akamai, the biggest Content Delivery Network (CDN), recently started to market its security services and is now hosting many of the government sites that were taken down during last July’s Denial of Service (DoS) attacks. Verisign has their own DoS defense services, as do Prolexic and dozens of other companies.
I hope Congress realizes the impracticality of trying to pass laws during a rapidly evolving situation as they engage this week in reviewing the appointment of Lt. Gen. Keith Alexander to head the Pentagon’s Cyber Command.
Richard Stiennon is the founder of IT-Harvest, an independent IT security analyst firm, and the author of the security blog ThreatChaos.com. He is a holder of Gartner’s Thought Leadership award and was named “one of the 50 most powerful people in Networking” by Network World Magazine. He lives in Birmingham, MI.
This book examines in depth the major recent cyber attacks that have taken place around the world, discusses the implications of such attacks, and offers solutions to the vulnerabilities that made these attacks possible. Through investigations of the most significant and damaging cyber attacks, the author introduces the reader to cyber war, outlines an effective defense against cyber threats, and explains how to prepare for future attacks.
Remember to use the following link to tune into both the On-Demand and Live “Surviving Cyber War” broadcast on May 7th, 2010 at 12:30 PM EST.