How would you describe the threat to the US information infrastructure? If you are a technologist or a national security expert or both I hope you would use your background and experience and expertise and produced a fused-all source assessment based on facts. But it is also ok to cite the masters, folks who really know what they are talking about and are paid to produce the most accurate possible reports. Below is an assessment I extracted from a source I know to be reliable, but to most of you technologists and national security professionals I hope this list will be seen as intuitive statements that ring true to your experience. Please look it over and let me know what you think (I’ll inject some thoughts at the end):
Judgements:
“The fact is that we are currently building an information infrastructure — the most complex systems the world has ever known — on an insecure foundation. We have ignored the need to build trust into our systems. Simply hoping that someday we can add the needed security before it is too late is not a strategy.”
Additionally:
- We are growing increasingly dependent on information systems for commercial and government activities.
- Our adversaries recognize this dependence and are developing tools to attack our information systems.
- Protecting our systems will require an unprecedented level of cooperation between government and the private sector.
- Protecting our critical information systems and the data on them will be key to our survival as the world’s leading economic power and as the world’s leader in information technology.
- Our heavy and growing societal and strategic dependence on information technologies and information systems has created vulnerabilities — vulnerabilities to our economic institutions, to the systems that support public needs, to our privacy, and to our military capabilities.
- The number of known potential adversaries conducting research on information attacks is increasing rapidly and includes intelligence services, military organizations and non-state entities such as terrorism groups.
Technology will increase the sophistication of their capabilities and will continue to reduce the cost of attack and the risk if security remains where it is today. - And the attackers have enormous incentives.Trillions of dollars in financial transactions and commerce moving over a medium that has minimal protection and sporadic law enforcement. Increasing quantities of intellectual property residing on networked systems. And the opportunity to disrupt military effectiveness and public safety, with elements of surprise and anonymity.
- The state sponsored terrorists and military Information Warfare people pose the greatest risk to our critical infrastructure because they have the greatest knowledge and resources.
- Foreign governments and their military services are paying increasing attention to the concept of ”Information Warfare”. Foreign military writings discuss the importance of disrupting the flow of information in combat. The battlespace of the future also will extend to our domestic information infrastructure, such as our electric power grids and our telecommunications networks – in short, the very foundations of our economy.
- We cannot keep building new capabilities on a poor foundation of security. We cannot ignore the need to build trust into our information systems any longer.
- It is folly to hope that someday we can add needed elements before it’s too late. The longer we wait, the more our country is exposed, and the costlier it will be to address the problem.If we are going to lead the world in information technology we must recreate the trust that existed between our government and our industry that allowed us to lead the free world for over forty years. We still have the power to lead by our example, and we still have the time to do what is right.
I think the information and assessments and powerful thoughts above are right on and should be considered by anyone in the national security and technology space.
The source? 1998 speeches and testimony by then Director of Central Intelligence George Tenet. I think he pretty much nailed what would happen with the assessment above (read more online at: https://www.cia.gov/news-information/speeches-testimony/1998/dci_speech_040698.html and https://www.cia.gov/news-information/speeches-testimony/1998/dci_testimony_062498.html
In fact, seems like he provided clear an unambiguous warning.
Since then, it seems like very leader in the national security, DoD and Intelligence Space that comes into office seems to muddle on oblivious to the cyber threat till some incident hits them, like Moonlight Maze or the series of intrusions into DoD and other nets over 2007 or the attacks vs Estonia or the attacks vs. Georgia or the attacks vs. Google. And in each time you get folks saying something like “oh well that was a wake up call.”
Any thoughts on that?
Is there anything that can be done so 12 years from now we are not asking ourselves why people in key positions are still saying things like “oh that was a wake-up call!”?
For more on this topic see the even older warning by CIA Director John Deutch at: Leader Of U.S. Intelligence Community Delivers Clear and Unambiguous Warning of Cyber Threat