Although President Obama may have found a way to keep his BlackBerry, he will not be able to use it while executing his new job. He might eventually be able to move to a phone-PDA certified by the National Security Agency to handle Top Secret voice, email, and website communications, but at the moment, the government is understandably wary of using handhelds for storing and transmitting classified information.
The threat of hackers and cyber thieves is very real and can be extremely dangerous. If a “Group” (terrorist organization, nation, state, non-state actors: pick your poison) could coordinate a cyber attack with some type of physical intrusion or ground offensive, the “Group” could do some serious damage. An example of such a scenario would be the controversy surrounding Russia’s invasion of Georgia last August. Georgia had been experiencing distributed denial of service (DDoS) attacks targeting its government websites before and during the hostilities. These attacks disrupted Georgia’s communications, but no direct evidence links the Russian government to having orchestrated the attacks. It is also worth noting that a similar cyber attack happened in Estonia last year during tensions between Moscow and the Baltic state. Czech Business Weekly states, “while no one is pointing fingers openly at Russia, all heads are turned in that direction.” But, as with the cyberattack on Georgia, no conclusive evidence points to the Russian government. In the case of Estonia, no ground offensive was necessary to effectively shut down servers and major infrastructure, including the banking industry, setting off massive panic and a “cyber-riot” that plunged the tech-savvy country into the cyber dark for over two weeks.
Although this scenario is unlikely to happen in the United States, America is certainly not immune to cyber attacks. America’s information systems have been targeted for decades. In 2007, the Pentagon’s systems were hacked. Although China was “blamed” for the attack via indirect channels, there is no conclusive evidence that they were behind the breach. Obama and McCain’s campaign computers were hacked mid-summer 2008 by “a foreign government or organization” looking for proposed policy information. In November 2008, the Department of Defense acknowledged their systems had been infected by a virus and, subsequently, banned the use of all thumb drives. Just think: electricity, water, transportation, all major infrastructures, are run by computer. A well-placed virus can cause a system to malfunction quickly.
Is this making anyone else a bit nervous?
But, good news! Obama just outlined his Cyber-Security Strategy. The outline of this strategy is embedded in a Homeland Security Agenda; it highlights six major categories on which the Obama Administration wants to focus (the whole document is worth a look):
- Strengthen Federal Leadership on Cyber Security
- Initiate a Safe Computing R&D Effort and Harden our Nation’s Cyber Infrastructure
- Protect the IT Infrastructure That Keeps America’s Economy Safe
- Prevent Corporate Cyber-Espionage
- Develop a Cyber Crime Strategy to Minimize the Opportunities for Criminal Profit
- Mandate Standards for Securing Personal Data and Require Companies to Disclose Personal Information Data Breaches
The strategy seems to be pulling mostly from the bipartisan CSIS Commission on Cybersecurity’s recommendations released last year. But there are more than a few hiccups, which I hope will be addressed when the logistics of the Cyber Security Strategy are revealed. (First on the list is to decide if you are going to make Cyber Security one word or two…)
Some questions come to mind: Putting aside the huge question of funding the projects, will the soon-to-be created post of National Cyber Advisor be from private industry or from a government agency? Will the new programs be housed within existing government agencies or will they actually create a Cybersecurity BatCave somewhere? If so, what government agency has jurisdiction? How will this BatCave communicate with other government and intelligence agencies? Will this place be staffed with employees/agents who have arresting powers, international and domestic, or a compilation of other agency experts? (Note: this tactic didn’t work all that well when creating the DHS.) Basically, how will the agencies that already have divisions that deal with cybercrime (NSA, FBI, and DHS, to name a few) react to this new strategy? Will this new cyber emphasis (though badly needed) actually get the resources it needs to be effective? And probably most importantly: How will the Cybersecurity BatCave itself be secured against cyber attacks? Having all the cybersecurity and vulnerability attack data in one place is a lot of eggs to have in one basket.
There are obviously lots of questions that need to be answered, but having Hillary Clinton list “cyber” as a weapon of mass destruction during her confirmation hearings (instead of it being known as a weapon of mass disruption) is a step in the right direction…we just need to get going as soon as possible.