Cybersecurity Improves No Matter What Congress Does

The Hill’s “Hillicon Valley” blog reported late Wednesday that cybersecurity legislation was likely to fail in the Senate today.

The post, originally titled “Cybersecurity Act Expected to Crash and Burn in Senate,” indulged in some typical Washington, D.C. conceit: “The Senate’s cybersecurity bill is likely to go down in defeat on Thursday,” it said, “ending any hope of passing a measure by the end of the year to protect America’s networks.”

Whether cybersecurity legislation would protect America’s networks is highly arguable. Doing so is the responsibility of the owners and operators of those networks (and all other communications and computing infrastructure). They are working all the time on protecting their assets, and their capacities to do so are constantly improving.

Yes, attacks on computing are improving, too, but there is little substantiated evidence (the fear-mongering of government officials and contractors is not substantiated) that the bad guys are getting the upper hand.

The Scylla and Charybdis Senate leaders appear to have been navigating was between a bill that was too regulatory, swamping American tech companies and “critical infrastructure” providers with deadening regulation, and, on the other hand, a bill that tapped too deeply into Americans’ communications and data. I’m happy—and feel quite safe—with cybersecurity legislation breaking up on the shoals or getting sucked down into a whirlpool, either one.

It’s possible, of course, that Senate leaders could arrive at a last-minute compromise—they’ll come forth extolling their own heroism for doing so. It’s very likely that the next Congress will return with undiminished hubris to the idea that the federal government can and should secure our computers, networks, and data. But it’s not true. That is the responsibility, and far more within the capability, of the private-sector owners of the nation’s digital infrastructure.

Nothing in this post should diminish the importance of cybersecurity. It is indeed hundreds or thousands of different problems that will be addressed by manifold actors in various ways over coming decades. The government has a role in cybersecurity: getting and keeping its own house in order. But the majority of the problem is ours, not the government’s, and we are slowly, surely taking care of it.

Oh, the Uses of the ‘Cyber’ Prefix: Cyberbellicosity, for Example

Senate Majority Leader Harry Reid’s (D-Nev.) announcement yesterday of upcoming Senate action on cybersecurity legislation coincides nicely with reporting that the recently discovered Flame virus has similarities to Stuxnet. You see, the best example of a cyberattack having kinetic effects—causing physical damage—is Stuxnet. It targeted Siemens industrial software and equipment used in Iran’s nuclear program, causing damage to some centrifuges used in that program.

Stuxnet is widely believed to be a product of the U.S. and Israeli governments. Flame’s kinship with Stuxnet adds to the story: Our government is a top producer of cyberattacks.

The methods used in these viruses will be foreclosed as researchers unpack how they work. Our technical systems adapt to new threats the way humans develop antibodies to disease. But in the near term the techniques in Stuxnet and Flame may well be incorporated into attacks on our computing infrastructure.

The likelihood of attacks having extraordinary consequences is low. This talk of “cyberwar” and “cyberterror” is the ugly poetry of budget-building in Washington, D.C. But watch out for U.S. cyberbellicosity coming home to roost. The threat environment is developing in response to U.S. aggression.

This parallels the United States’ use of nuclear weapons, which made “the bomb” (Dmitri) an essential tool of world power. Rightly or wrongly, the United States’ use of the bomb spurred the nuclear arms race and triggered nuclear proliferation challenges that continue today. (To repeat: Cyberattacks can have nothing like the consequence of nuclear weapons.)

Senator Reid has gone hook, line, and sinker for the “cyber-9/11” idea, of course. Like all politicians, his primary job is not to set appropriate cybersecurity policies but to re-elect himself and members of his party. The tiniest risk of a cyberattack making headlines to use against his party justifies expending taxpayer dollars, privacy, and digital liberties. This is not to prevent cyberattack. It is to prevent political attack.

Politics is well understood by the authors of the letter Senator Reid cited in his statement about bringing cybersecurity legislation to the Senate floor. They are mostly from the party opposite his. Several of them participated at some level in developing our nation’s cyberbellicose world posture. And several now make their living in consulting and contracting firms that respond to the danger they helped create.

They are:

  • Michael Chertoff, Homeland Security secretary under President Bush, is now co-founder and Managing Principal of The Chertoff Group, which “provides business and government leaders with the same kind of high-level, strategic thinking and diligent execution that have kept the American homeland and its people safe since 9/11.”
  • Mike McConnell, former director of the National Security Agency and National Intelligence under President Bush, is now Vice Chairman of Booz Allen Hamilton.
  • Paul Wolfowitz was a deputy defense secretary under President Bush, now a visiting scholar at AEI.
  • General Michael Hayden, former director of the NSA and the CIA under President Bush, is now a principal at the Chertoff Group, and in January 2011 was elected to the Board of Directors of Motorola Solutions, which “provides business- and mission-critical communication products and services to enterprises and governments.”
  • Gen. James Cartwright, former vice chairman of the Joint Chiefs of Staff, is on the board of advisors of TASC, Inc. TASC “provides advanced systems engineering, integration and decision–support services to the Intelligence Community, Departments of Defense and Homeland Security and civilian agencies of the federal government. We deliver honest counsel, forward–thinking engineering and advanced technologies that help our customers protect Americans at home, in the air, on the battlefield and in cyberspace.”
  • Hon. William J. Lynn III, former deputy defense secretary, is now Chairman & CEO of DRS Technologies, the Defense and Security Electronics Division of Italian industrial group Finmeccanica. DRS Technologies is a “leading supplier of integrated products, services and support to military forces, intelligence agencies and prime contractors worldwide.”

Cybersecurity Hype

The approving response of an IT security professional last week pointed me to a story about cybersecurity in which I’m featured. The story and accompanying video are called: “Is Cyberwar Hype Fuelling a Cybersecurity-Industrial Complex?” It’s a really good look at how government contractors, many former government officials, are working Washington to generate an issue.

How rare is it that a cybersecurity news report includes even a word of doubt about the nature and scope of the threat? How rare is it that any news report includes a word of doubt about the nature and scope of threats?

My correspondent, who works at a public utility in IT security, said some things that are fascinating and important.

We are being asked to do things that have no practical risk reduction value purely for the perceived benefit. It takes no effort to say that the cyber world is about to end yet it takes tremendous effort to continually demonstrate that we are prepared for anything.

In other words, operators of so-called “critical infrastructure” are already wasting effort on things that look like improved security because they’re in the position of proving that nothing could ever go wrong. This is because cybersecurity fear-mongerers are spinning apocalyptic tales. Imagine what it will be like when varied government bureaucracies are calling on the private sector to prove they are implementing endlessly varying, imagination-based federal cybersecurity dictates.

Now, a few caveats are in order: Cybersecurity is a real problem, and there are many challenges presented to all organs of society in securing computers, networks, and data. I’m quoted in the story saying there is “no chance whatsoever” that nuclear power plants and electric infrastructure would be hacked and taken down for any significant period of time. The more accurate phrasing would have been that the chance is “exceedingly small.” The point remains that these problems have nothing of the scale or significance of war or terrorism (except to the extent that terrorism is also an important but entirely manageable problem).

In the event of some future, modest-consequence event, I fully expect to be called out as having been a Panglossian cybersecurity naysayer. (It’s a tactic one would expect from advocates who misstate basic math to hype threats.) Not so. I expect some bad things to occur. I don’t believe that centralizing our country’s cybersecurity efforts with the federal government would position us better to prevent them or respond to them.