Reform the Defense Supply Chain to Face the Realities of Conflict in the Digital Age?
For centuries, we’ve operated under the principle that nations are sovereign within their own borders, with traditional rules of war clearly stating that combatants need to be identifiable military targets. Acting on this principle, a functioning government has traditionally had to raise a force more powerful than any potential rival, either internally or externally, when threatened with an act of war.
However, the rules of war are proving to be inadequate to the realities of cyber conflict in the digital age. The borderless nature of cyberspace presents a unique challenge, specifically for the defense sector, in dealing with the traditional governing principles of the Law of Armed Conflict. In the digital age, the private sector may well be on the front line of cyber conflict, with some asserting that, for national security purposes, the private sector may have to grow into traditional government roles of national defense.
The defense sector is fighting a two-front cyber war right now, with the challenges of fending off millions of attacks on defense networks and the slow burn of economic espionage. The President and Congress need to resolve fundamental issues already under discussion within the defense sector, such as what constitutes “war” in the digital age? What are the rules of engagement and retaliation? Are we really willing to start an armed conflict over a cyber-attack?… (read on!)
WHY ISN’T THERE AN ACADEMY AWARDS CEREMONY FOR CYBERSECURITY?
Let me spare you the suspense, because we don’t deserve one.
Most people who have become aware of cybersecurity in the past few years think we are talking about credit cards, passwords, and firewalls.
I give these rookies a pass. The real fault lies with those of us, including myself, who have been toiling in this field for a decade or two. We are the ones to blame.
Who is really deserving of being decorated as the best actor in cybersecurity?
Who has told the story of the true threat we face in a way worthy of the sort of universal praise garnered by not just the Oscar winners, but the nominees?
Wouldn’t it be great to have our field mature to the point where the entire industry is willing to gather together and celebrate excellence the way the motion picture Academy does?
Are we not as good as the film community?
OK, we don’t need a red carpet and self-aggrandizing speeches, but we do need the energy, the creativity, and the excellence that our motion picture brethren display.
Multiple estimates suggest we lost as much as $500 billion to cyber crime last year and estimates indicate that could rise to $2-6 TRILLION by the end of the first Trump Administration.
That’s more money than the entire health care industry. Is it receiving the same attention, from government or industry?
The evolution of the threat matrix means that critical infrastructure, only theoretically at risk previously, is now likely to face a real and present threat.
Where is the investment? Where is the attention? Where is the action?
I look forward to the day when we will thank the Academy for nominating a range of excellent efforts in our field.
I fear that day is still a long way off.
MOVEMENT IN THE RIGHT DIRECTION ON CYBER SECURITY
While the bulk of mainstream news coverage on cyber issues has been focused on macro issues such as Russian involvement in our electoral process, there have been less noted initial signs of progress on the more traditional cyber concerns such as the protection of critical infrastructure, theft of intellectual property and securing of personal data.
The most encouraging signs can be found in the draft Executive Order on cyber that floated into the community last Friday. While much of the draft order addresses organizational and timing issues the Trump Administration is considering, the most encouraging elements of the draft can be found in the direction the Order suggests the new Administration will take when addressing the cyber threat. I’m focused on what questions the new team will be asking as they develop policy, because if you ask the wrong questions you get the wrong answers… (read on!)
10 CHEAP TRICKS TO IMPROVE OUR CYBERSECURITY: PART I
On September 15, 2016, the Internet Security Alliance will publish a 400-page, 17-chapter book containing 106 recommendations for the incoming Administration and Congress. One of the recommendations is that, frankly, we need to invest more in cyber defense. We are chasing a $500 billion to $1 trillion a year issue with about $9 billion in non-defense cyber spending and successfully prosecuting maybe one or two percent of cyber criminals.
However, when talking with government officials, one of the first things we are told is that getting increased spending for anything is extremely difficult. So, without getting into a spending debate, we will now offer 10 ideas that will cost virtually nothing in the federal spending sense yet can substantially improve our cybersecurity. This blog presents the first 5 of these… (read on!)
THE NEXT ADMINISTRATION NEEDS TO PICK UP THE PACE – A LOT – ON CYBERSECURITY
The Pentagon’s 2015 annual report says that most DoD systems are subject to low to mid-level cyberattacks and our defense systems are basically subject to compromise whenever an adversary chooses to do so.
If the world’s largest and best-funded military operation is subject to low and mid-level attack, what is reasonable to expect from discount retailers (Target) and movie studios (Sony) or anyone else?
And the bad news is, we may soon look back on these as the good old days.
Our cyber systems are actually becoming technically weaker as the Internet of Things and explosion of mobile devices vastly expand the cyber perimeter. Meanwhile, the attack community – wisely investing in their business – is becoming much more sophisticated, including finding new weaknesses in the core protocols the Internet is based on. The “APT” – the Advanced Persistent Threat – has now become the Average Persistent Threat as the sort of elite attack methods we saw only between nation states and DIB partners a few years ago have now become fairly commonplace throughout the economy.
And, of course, the economics of cybersecurity all favor the attacker. Attacks are cheap, easy and profitable. Defense is mostly reactive, underfunded and misplaced from a cost-benefit perspective… (read on!)
GOVERNMENT NEEDS TO GET ITS OWN ACT TOGETHER WITH RESPECT TO CYBERSECURITY
Last week, I commented that given we have spent much of the last decade developing a consensus on an overall approach to cybersecurity as articulated in both the House GOP Task Force on Cybersecurity and President Obama’s Executive Order 13636, the one thing we don’t need from the newly appointed President’s Commission on Enhancing National Cybersecurity is a new “plan.” We need action.
For the next several weeks, I’d like to offer my own top ten list of what actions the next Administration ought to undertake to improve cybersecurity.
Item one: Government needs to get its Own Act Together with Respect to Cybersecurity.
Government’s credibility in educating, let alone regulating and mandating, cybersecurity in the private sector is clearly undermined by its lack of demonstrated ability to manage its own house…. (read on!)
DEAR CYBER COMMISSION, WE DON’T NEED A NEW PLAN
A wise person once said every great plan eventually dissolves into actual work.
What we need right now is actual work on cybersecurity.
We have spent much of the past decade, and particularly the last 5 years, coming to a consensus on the best approach to improve our overall cybersecurity.
Back in 2008, two competing approaches to cybersecurity existed: the strategy outlined by the Bush Administration’s National Strategy to Secure Cyberspace, and an alternative approach articulated in the Lieberman-Collins Cybersecurity Act.
The National Strategy to Secure Cyberspace argued that the Internet needed to be free of government involvement and adequate security would evolve naturally from the market in response to the growing threat…. (read on!)
That’s democratic with a small d.
The most under-reported story of Super Tuesday is certainly not that Donald Trump has seized hold of the GOP nominating process or the Party’s internal revolt — that story has been beaten to death.
It is also not that Trump has used social media, like Bernie Sanders, to circumvent the establishment — that story is actually inaccurate in at least one important respect.
The most important story from the overall political perspective is HOW Donald Trump used social media.
Bernie Sanders used social media to raise millions of dollars so he could purchase TV and radio advertising to compete with the better-funded Clinton campaign. Trump is using social media to bypass the need for TV and radio advertising.
Trump’s use of social media as a persuasion tool, rather than primarily as a fundraising tool, ironically strikes at the core issue of the Sanders campaign, which is that big money has corrupted the political process…. (read on!)