Avoiding Cyber Threat Amnesia

My involvement in the non-profit educational and research organization Cyber Conflict Studies Association over the last several years has led me to an observation about federal policy makers and cyber security. This observation probably applies to many commercial organizations and to academia (and possibly even to you), so we may be talking about human nature here. But the phenomenon was definitely clear from my review of historical documents and actions of the federal government. My hope is this review will help us address this in US policy.

What is amnesia? It is a condition where memory is lost. When it comes to the cyber threat to federal organizations we have a long list of evidence that this is occurring. The following is my list of evidence. I’m publishing it in the hopes that you can fill in the blanks on any other major events where our great institutions have learned and forgotten. We should study this phenomenon so we can prevent it in the future.

So, with that, below is the list of what I consider to be the federal government’s top “Wake-Up Calls” that the cyber threat is real:

  • 1970 and 1971 – The Defense Science Board publishes what will be known as the “Ware Report” highlighting the potential dangers to department information in the coming age of connected computing. This report was widely seen as a “wake up call” for computer security and caused changes at institutions like the National Security Agency to enhance the department’s security posture.
  • Nov 1988 – The Morris Worm was released and propagated throughout internetworked systems including those of the federal government. This “wake up call” resulted in establishment of computer response organizations throughout DoD and also resulted in increased funding for computer security research being provided to academic organizations and institutions. The CERT/CC at Carnegie Mellon University was funded.
  • 1995 – The President’s Commission on Critical Infrastructure Protection (PCCIP) was widely regarded as a “wake up call” for the entire federal government and, since it was extensively coordinated with industry and academia, was also seen as a way forward in cybersecurity for the entire nation.
  • 1997 – Deputy Secretary of Defense John Hamre was quoted as saying “Solar Sunrise was a wake up call for DoD.” This activity resulted in increased funding to cyber defense organizations and the creation of a new joint activity called DoD’s “Joint Task Force Computer Network Defense” or JTF-CND (Gourley was first Director of Intelligence (J2) there).
  • 1998 – Assistant Secretary of Defense Art Money was quoted as saying “Moonlight Maze was a wake up call for DoD.” This activity resulted in enhanced counterintelligence resources and more information sharing across DoD law enforcement and counterintelligence.
  • 2009 – Director of National Intelligence Admiral Blair testified that “Buckshot Yankee was a wake up call” for the government. This activity resulted in more awareness and more funding for cyber security throughout the federal government.
  • 2010 – Deputy Secretary of Defense Lynn writes that “Google’s Aurora attacks were a wake up call for us all.” This wake up call resulted in stronger, deeper coordination across the federal space and underscored the need for a DoD strategy.
  • 2011 – Deputy Assistant Secretary of Defense Bob Butler says “Wikileaks was a wake up call for DoD.” This wake up call resulted in significant activities and planning across the federal space aimed at enhancing security of information from disclosure.

That is the list as I see it. Those are the wake-up calls that I know of. Can you add more?  Or perhaps a bigger question is, can you help find ways to prevent this continued pattern of waking up then going back to sleep?

One way to prevent this pattern is to be more proactive. Perhaps my next post will be on the list of significant proactive things the nation has done in cyber security. So far I only have two items on that list: 1) the all-of-government coordination activities of the Cyber Initiative (the bad news is that was long ago), and 2) the establishment of US Cyber Command. Do you know of others so significant that they would make that cut? What else should be done to mitigate Cyber Threat Amnesia?

For more on these topics see the CTOvision Guide to National Security Technology and

8 responses to “Avoiding Cyber Threat Amnesia”

  1. Bob, good review of key happenings that have helped raise awareness, direct policy, and increase funding for cyber activities.  Part of the problem is the difficulty in understanding how big the problem is, and how much it should impact our lives.  This is not different than the overall problem of homeland defense.  As a Nation, the cyber policy and expenditures are radically different than before the beginning of your wake-up call list.  Since these changes we now find most of our DoD offices hidden behind security locks with no allowance for the productivity devices that threaten to be cyber windows into our activities.  However, the cost of our new cyber security is lost productivity and reduced idea sharing because of the increased diligence on clearances and meeting access.  At the same time we find many of our senior and mid-level DoD personnel exposing themselves and family members across social networks, thereby creating a new kind of cyber and homeland security threat.  In my mind it would be better if these wake up calls caused us to initiate a new cyber security paradigm such as the two classification secure data architecture being worked.  If we could protect the data and network access while removing as many barriers to productivity as possible then perhaps our amnesia could become of less concern.

  2. Marv, 

    Thanks much for the comments and context. I think you are right on all of this. One nuance we have to deal with, however, is the fact that many homeland security threats are easier for humans to understand since they involve physical threats analogous to threats we have faced since life began. These cyber threats are hard to understand in part because they are invisible till someone comes and tells the victim they have been had. I think that means education and training can be a big part of the solution to this. 

    Bob
