The Cybersecurity "Wake Up Call" and the Snooze Button

While Alex has dealt rather masterfully with the consequences of the trumped-up Russian SCADA hacking incident, I’d like to point to a different aspect of it: the cybersecurity “wake up call.” The Springfield incident was immediately called a “wake up call” for cybersecurity practitioners. Of course, we now know that it was not a cyber attack. But suppose , for the sake of argument, that it really was the work of nefarious Russians. That would be a real cause for concern, wouldn’t it?

As Bob Gourley tweeted, we’re now in our 4th decade of “cyber wake up calls.” The only thing more played-out in the cybersecurity field is the phrase “digital pearl harbor.” So why does the phrase continue to predominate? Some of our panelists at the FedCyber Government-Industry conference talked about problems with the private sector’s lack of attention and budgetary emphasis on security and lack of recognition from policymakers of the evolved nature of the threat. While these are worthy explanations, perhaps something else is at play: the cyber snooze button that we perpetually hit whenever we are “woken up.”

Cybersecurity obviously is a huge concern to policymakers and analysts. The private sector is also taking note. But the problem, as Bob has said in the past, is that on a day-to-day basis security is simply not a priority. It is seen as a technical matter rather than policy issue that demands the attention of CIOs, and is based on a reactive model rooted in point defense of all access points rather than defense in depth, does not tackle enterprise management as a whole, and is rooted in the fallacious assumption that the PC as the only point of vulnerability within an organization. Moreover, as Martin Libicki points out in his book Conquest in Cyberspace,  there is no such thing as forced entry in cyberspace. The vast majority of successful attacks are the result of simple weaknesses that were not proactively addressed.

To be more simple, the cyber snooze button is continuously hit because many simply do not want to wake up to the reality that cybersecurity is no longer an exotic subfield limited to a small cadre of technical experts. It is a basic element of living in a hyperconnected world that will only grow more so as more and more elements of our lives become networked. Trusting your toaster will be the least of your concerns. But for whatever reason, we cannot accept this reality and make prudent–if sometimes painful–adjustments.

Rather, cyber is cast in terms of an exotic and unstoppable threat akin to megaterrorism or nuclear warfare. The problem with this is that it tends to encourage outlandish and unworkable solutions, lead to scares akin to the one that Alex has analyzed, and casts cyber as a strategic matter to be dealt with by politicians rather than an problem with multiple dimensions. There is the nation-state based cyber threat, certainly, but many firm and agencies deal day to day with opportunistic criminals–not Stuxnet or a crack team of elite PLA infowarriors.

Until we can learn to see cyber in less dramatic terms, we will continue to have multiple wake up calls, and a few scares like the Illinois water pump incident. Unfortunately, some organizations and individuals will have hit the snooze button one too many times, and will face threats—although certainly less severe than Vladimir Putin’s colleagues wiping out critical infrastructure–with the potential for serious fiscal, personal, or public relations damage.

CTOvision Pro Special Technology Assessments

We produce special technology reviews continuously updated for CTOvision Pro members. Categories we cover include:

  • Analytical Tools - With a special focus on technologies that can make dramatic positive improvements for enterprise analysts.
  • Big Data - We cover the technologies that help organizations deal with massive quantities of data.
  • Cloud Computing - We curate information on the technologies enabling enterprise use of the cloud.
  • Communications - Advances in communications are revolutionizing how data gets moved.
  • GreenIT - A great and virtuous reason to modernize!
  • Infrastructure  - Modernizing Infrastructure can have dramatic benefits on functionality while reducing operating costs.
  • Mobile - This revolution is empowering the workforce in ways few of us ever dreamed of.
  • Security  -  There are real needs for enhancements to security systems.
  • Visualization  - Connecting computers with humans.
  • Hot Technologies - Firms we believe warrant special attention.

 

Recent Research

Mobile Gamers: Fun-Seeking but Fickle

Update from DIA CTO, CIO and Chief Engineer on ICITE and Enterprise Apps

Pew Report: Increasing Technology Use among Seniors

Finding The Elusive Data Scientist In The Federal Space

DoD Public And Private Cloud Mandates: And insights from a deployed communications professional on why it matters

Intel CEO Brian Krzanich and Cloudera CSO Mike Olson on Intel and Cloudera’s Technology Collaboration

Watch For More Product Feature Enhancements for Actifio Following $100M Funding Round

Navy Information Dominance Corps: IT still searching for the right governance model

DISA Provides A milCloud Overview: Looks like progress, but watch for two big risks

Innovators, Integrators and Tech Vendors: Here is what the government hopes they will buy from you in 2015

Navy continues to invest in innovation: Review their S&T efforts here

MSPA Unified Certification Standard For Cloud Service Providers: Is This A Commercial Version of FedRamp?

solid
About AdamElkus

Adam Elkus is a PhD student in Computational Social Science at George Mason University. He writes on national security, technology, and strategy at CTOvision.com and the new analysis focused Analyst One, War on the Rocks, and his own blog Rethinking Security. His work has been published in The Atlantic, Journal of Military Operations Foreign Policy, West Point Counterterrorism Center Sentinel, and other publications.

  • Pingback: Alex's 2012 Tech Predictions

  • Pingback: Alex’s 2012 Tech Predictions | CTOsite

  • Pingback: Alex’s 2012 Tech Predictions – Bob Gourley

  • Pingback: Federal R&D Priorities

  • http://ctovision.com Bob Gourley

    As an aid to continued research on this interesting topic, the following list is from our page at:
    http://ctovision.com/cyber-security-wake-up-calls-for-the-federal-government/ 

    1971 – The Defense Science Board releases the “Ware Report” which was widely considered to be a “wake up call” for the DoD. It was instrumental in strengthening the NSA’s computer security efforts and called for serious efforts to be put in place elsewhere in the DoD.
    1995 – The President’s Commission on Critical Infrastructure Protection (PCCIP) was widely regarded as a “wake up call” for the entire federal government and since it was extensively coordinated with industry and academia was also seen as a way forward in cybersecurity for the entire nation.
    1997 – Deputy Secretary of Defense John Hamre was quoted as saying “Solar Sunrise was a wake up call for DoD”
    1998 Assistant Secretary of Defense Art Money was quoted as saying “Moonlight Maze was a wake up call for DoD”
    2009 Director of National Intelligence Admiral Blair testified that “Buckshot Yankee was a wake up call” for the government
    2010 Deputy Secretary of Defense Lynn writes that “Google’s Aurora attacks were a wake up call for us all”
    2011 Deputy Assistant Secretary of Defense Bob Butler says “Wikileaks was a wake up call for DoD”

  • http://ctovision.com Bob Gourley

    As an aid to continued research on this interesting topic, the following list is from our page at:
    http://ctovision.com/cyber-security-wake-up-calls-for-the-federal-government/ 

    1971 – The Defense Science Board releases the “Ware Report” which was widely considered to be a “wake up call” for the DoD. It was instrumental in strengthening the NSA’s computer security efforts and called for serious efforts to be put in place elsewhere in the DoD.
    1995 – The President’s Commission on Critical Infrastructure Protection (PCCIP) was widely regarded as a “wake up call” for the entire federal government and since it was extensively coordinated with industry and academia was also seen as a way forward in cybersecurity for the entire nation.
    1997 – Deputy Secretary of Defense John Hamre was quoted as saying “Solar Sunrise was a wake up call for DoD”
    1998 Assistant Secretary of Defense Art Money was quoted as saying “Moonlight Maze was a wake up call for DoD”
    2009 Director of National Intelligence Admiral Blair testified that “Buckshot Yankee was a wake up call” for the government
    2010 Deputy Secretary of Defense Lynn writes that “Google’s Aurora attacks were a wake up call for us all”
    2011 Deputy Assistant Secretary of Defense Bob Butler says “Wikileaks was a wake up call for DoD”

  • Pingback: My Infosec Wish for 2013: A Balanced Cyberwarfare Debate

  • Pingback: My Infosec Wish for 2013: A Balanced Cyberwarfare Debate - SYS - Information security & technology news