Cyberwar, You’re On

Cyber_warfare

There was significant news this week about the U.S. and Israel making major inroads with cyberwar capabilities.

First, the New York Times today (1 June 2011) writes about alleged Bush and Obama administrations’ “increasingly sophisticated [cyber] attacks on the computer systems that run Iran’s main nuclear enrichment facilities”–sabotaging as many as a 1000 centrifuges, delaying their deadly program by as much as 2 years, as well as conducting cyber espionage to strengthen our negotiating hand.

The cyber offensive program code-named Olympic Games allegedly involved cyber weapons codeveloped by the United States’ National Security Agency and Israel’s advanced cyber corps, Unit 8200.

The malware included such programs such as Stuxnet, Duqu, and The Flame and according to Bloomberg BusinessWeek (30 May 2012) may date as far back to 2007.

These cyber attacks have been viewed as the best hope of slowing the Iranian’s sinister nuclear program while economic sanctions have a chance to bite.

Additionally cyber attacks were viewed preferentially over using traditional kinetic military options and potentially causing a regional war in the Middle-east.

At the same time, the use of cyber weapons is a double-edged sword–if we use it on others, this may encourage cyber proliferation and it’s eventual use on us–and as the NYT writes, “no country’s infrastructure is more dependent on computer systems and thus, more vulnerable to attack than the United States.”

Therefore, it was good to see in The Washington Post yesterday (30 May 2012) that the Pentagon’s Defense Advanced Research Projects Agency (DARPA) is pursuing Plan X–“ambitious efforts to develop technologies to improve its cyberwarfare capabilities, launch effective attacks, and withstand likely retaliation.”

“If they achieve it, they’re talking about being able to dominate the digital battlefield just like they do the traditional battlefield.”
The “five-year $110 million research program” is seeking to accomplish three major goals in arming U.S. Cyber Command at Fort Meade for cyber war:

1) Mapping Cyberspace–create realtime mapping of the entire cyberspace and all its devices for commanders to use in identifying targets and disabling them and seeing enemy attacks.

2) Building A Survivable O/S–Just like DARPA invented the Internet as a survivable messaging and communication system, so too, they want to develop a battle-ready operating system for our computers (like a tank) “capable of launching attacks and surviving counterattacks.”

3) Develop (Semi-)Autonomous Cyber Weapons–so cyber commanders can engage in “speed-of-light attacks and counterattacks using preplanned scenarios that do not involve human operators manually typing in code.”

Just to be clear, with cyber warfare, we are not just talking about computers taking out other computers–and end there, but rather this is where computers take out computers that are controlling critical infrastructure such as the power grid, transportation systems, financial systems, supply chain, command, control, and communications, weapons systems, and more.

Cyberwar could be more humane than pulverizing [targets]…with bombs,” but I doubt it will be.

Imagine, virtually everything you know coming to a complete halt–utter disruption and pandemonium–as well as the physical effects of that which would ensue–that’s what cyber war is all about–and it is already on the way.

So as, Richard M. George, a former NSA cyberdefense official stated: “Other countries are preparing for a cyberwar. If we’re not pushing the envelope in cyber, somebody else will.”

It is good to see us getting out in front of this cyber security monster–let’s hope, pray, and do everything we can to stay on top as the cyberspace superpower.

(Source Photo: Andy Blumenthal taken of mural at National Defense University, Washington D.C.)

Those In The Know, Sending Some Pretty Clear Warnings

Listen

There have been a number of leaders who have stepped up to tell people the real risks we are facing as a nation.

They are not playing politics–they have left the arena.

And as we know, it is much easier to be rosy and optimistic–let’s face it, this is what people want to hear.

But these leaders–national heros–sacrifice themselves to provide us an unpopular message, at their own reputational risk.

That message is that poor leadership and decision-making in the past is threatening our present and future.

Earlier this week (15 May 2011), I blogged about a documentary called I.O.U.S.A. with David Walker, the former Comptroller General of the United States for 10 years!

Walker was the head of the Government Accountability Office (GAO)–the investigative arm of Congress itself, and has testified before them and toured the country warning of the dire fiscal situation confronting us from our proclivity to spend future generation’s money today–the spiraling national deficit.

Today, I read again in Fortune (21 May 2012) an interview with another national hero, former Admiral Mike Mullen, who was chairmen of the Joint Chiefs (2007-2011).

Mullen warns bluntly of  a number of “existential threats” to the United States–nukes (which he feels is more or less “under control”), cyber security, and the state of our national debt.

Similarly, General Keith Alexander, the Director of the National Security Agency (NSA) and the head of the Pentagon’s Cyber Command has warned that DoD networks are not currently defensible and that attackers could disable our networks and critical infrastructure underpinning our national security and economic stability.

To me, these are well-respected individuals who are sending some pretty clear warning signals about cyber security and our national deficit, not to cause panic, but to inspire substantial change in our national character and strategic priorities.

In I.O.U.S.A., after one talk by Walker on his national tour, the video shows that the media does not even cover the event.

We are comfortable for now and the messages coming down risk shaking us from that comfort zone–are we ready to hear what they are saying?

(Source Photo: here with attribution to Vagawi)

Cloud Second, Security First

Shadyrat_map

Leadership is not about moving forward despite any and all costs, but about addressing issues head on.

Cloud computing holds tremendous promise for efficiency and cost-savings at a time when these issues are front and center of a national debate on our deficit of $14 trillion and growing.

Yet some prominent IT leaders have sought to downplay security concerns calling them “amplified…to preserve the status quo.” (ComputerWorld, 8 August 2011)
Interestingly, this statement appeared in the press the same week that McAfee reported Operation Shady RAT–“the hacking of more than 70 corporations and government organizations,” 49 of which were in the U.S., and included a dozen defense firms. (Washington Post, 2 August 2011)
The cyber spying took place over a period of 5 years and “led to a massive loss of information.”(Fox News, 4 August 2011)
Moreover, this cyber security tragedy stands not alone, but atop a long list that recently includes prominent organizations in the IT community, such as Google that last year had it’s networks broken into and valuable source code stolen, and EMC’s RSA division this year that had their SecurID computer tokens compromised.
Perhaps, we should pay greater heed to our leading cyber security expert who just this last March stated: “our adversaries in cyberspace are highly capable. Our defenses–across dot-mil and the defense industrial base (DIB) are not.” (NSA Director and head of Cyber Command General Keith Alexander).
We need to press forward with cloud computing, but be ever careful about protecting our critical infrastructure along the way.
One of the great things about our nation is our ability to share viewpoints, discuss and debate them, and use all information to improve decision-making along the way. We should never close our eyes to the the threats on the ground.
(Source Photo: here)

>Let’s Not Understate the Cyber Threat

>

Wow. I read with some surprise and consternation an article in Government Computer News, 4 December 2009. In this article, the author portrays the fears of a “digital Pearl Harbor” or overwhelming cyber attack on the United States as overblown—almost as if it’s of no real possibility or significant impact. In short, the article states:

“What good would it do an attacker to take down the vital U.S. networks? While the damage to this country could be great, the benefit to an attack would be nil if it could not be followed up. The real threat of cyber warfare is not in stand-alone attacks, but in attacks coordinated with military action.”

While, I agree that a coordinated attack is obviously more dangerous than a cyber attack alone, the threat and potential damage of a cyber attack could potentially be devastating—with or without military action.

Let’s think for a second about how the military traditionally projects force around the world through conventional warfare—taking control of the air, land, and sea. Control the sea-lanes and you have power over 90%+ of international commerce. Control the land and you have power over people’s daily lives—including their ability to satisfy even basic needs for food, clothing, and shelter, their personal safety, and even their ability to govern themselves. Control the air and you control freedom of movement on the ground, people’s basic comings and goings. Traditional military power can affect just about every facet of people’s lives including ultimately the taking of life itself i.e. paying “the ultimate price.”

Now think for a second, about what a massive cyber attack could potentially do to us. At this stage in history, we have to ask ourselves not what elements could be affected by cyber attack, but what elements of our lives would not be impacted? This is the case since virtually our entire civil and elements of the military infrastructure are dependent on the Internet and the computers that are connected to them. If you “pull the plug” or corrupt the interconnected systems, “watch out” seems apropos.

The same areas that are vulnerable to traditional military attack are threatened by cyber attack: Commerce, Energy, Transportation, Finance, Health, Agriculture, (Defense)…are all deeply interwoven and dependent on our interconnected computer systems—and this is the case more and more.

Think e-Commerce, online banking and finance, manufacturing production systems, transportation systems, food production and safety, the energy grid, electronic health records, C4ISR, and so on.

While thank G-d, we have been spared a really devastating attack to date (if you exclude the massive data compromised/stolen in recent cyber attacks), we would be derelict in responsibilities for ensuring safety and security if we thought that was it.

Further, while unpleasant as it may be, we should consider the impact in terms of potential for physical harm or loss of life in the event of a serious cyber attack?

While many brush aside this possibility, there is certainly the potential. Even putting aside the potential public panic/chaos and ensuing loss of life and property that could occur in a serious attack, how about just taking out a single, major facility—like a dam, power plant, reservoir, electrical hub, transportation system, and so on. This is an important focus of efforts to ensure critical infrastructure protection, a public-private sector partnership initiative.

Rep. Lamar Smith, R-Texas said “Until we secure our cyber infrastructure, a few keystrokes and an Internet connection is all one needs to disable the economy and endanger lives.”

Sure, a severe and consequential attack would require ample skills, knowhow, resources, and sophistication—it is no small feat—but with the hosts of cyber criminals, terrorists, and hostile nation states out there increasingly trying to hack our systems, there is valid cause for concern.

This recognition of what’s possible does not mean it is probable or imminent. However, the awareness and understanding of our increasing dependence on the Internet and related systems and the acknowledgement that there are those out there—as in 9-11—who seek to do our country harm, should not blind us with fear, but rather spark us to constructively deal with the challenge and take proactive actions to secure the ever expanding realm of cyberspace.

The Executive Summary in the CyberSpace Policy Review that was conducted by the White House in 2009 sums it up, this way:

“The globally-interconnected digital information and communications infrastructure known as “cyberspace” underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety, and national security. This technology has transformed the global economy and connected people in ways never imagined. Yet, cybersecurity risks pose some of the most serious economic and national security challenges of the 21st Century.”

We should not and cannot understate the possible threats against our nation, but rather we need to act responsibility and rationality, with resolve to protect our nation, before and not only after. As the CyberSpace Policy Review states:

“The Nation’s approach to cybersecurity over the past 15 years has failed to keep pace with the threat. We need to demonstrate abroad and at home that the United States takes cybersecurity-related issues, policies, and activities seriously.”

Fortunately, our nation has recognized the potential threat and is acting, as Security Focus reported on June 24, 2009: “The U.S. Secretary of Defense ordered the military to create a unified command to act as the nation’s central hub for cyber capabilities and commanded the Pentagon to develop a policy framework for cyberspace operations.”

On a personal note, I am grateful for the many good, hardworking people in our military, civilian and private sector that are working to secure cyberspace for us, and believe we need to do this with vigor and resolve. It’s necessary in order to safeguard our future that is ever reliant on technology.

>A Call to IT Arms

>

Recently, I heard a colleague say that we should view IT not as a cost center, but as a resource center—and I really liked that.

In fact, IT is a cost center and a resource center, but these days there is an overemphasis on it being a cost center.

On the negative side, people seem to like to criticize IT and point out the spectacular failures there have been, and in fact, according to Public CIO “a recent study by the Standish Group showed that 82% of all IT project were either failures or were considered challenged.”

This is the dark side of IT that many would like to dwell on.

However, I would argue that while we must constantly improve on IT project delivery, IT failures can be just a point in time on the way to tremendous success and there are many of these IT successes that we benefit from in big and small ways every day.

Moreover, it may take 1000 failures to achieve that one great breakthrough success. That is the nature of innovation and experimentation.

Of course, that does not mean we should do stupid or negligent things that results in failed IT projects—we must do our best to be responsible and professional stewards. But, we should not be afraid to experiment and fail as a healthy part of the creative process.

Thomas Edison said: “I have not failed. I’ve just found 10,000 ways that won’t work.”

So why are we obsessed with IT failures these days?

Before the dot com bust, when technology was all the rave, and we enjoyed the bounty of new technologies like the computer, cell phones, handhelds, electronics galore, the Internet and all the email, productivity software and e-commerce and business applications you could ask for, the mindset was “technology is the engine that drives business.” And in fact, many companies were even changing their names to have “.com” in them to reflect this. The thinking was that if you didn’t realize the power and game-changing nature of technology, you could just as well plan to be out of business in the near future. The technologies that came out of those years were amazing and you and I rely on these every day.

Then after the dot-com burst, the pendulum swung the other way—big time! IT became an over zealous function, that was viewed as unstructured and rampant, with runaway costs that had to be contained. People were disappointed with the perceived broken promises and failed projects that IT caused, and IT people were pejoratively labeled geeks or techies and viewed as being outside the norm—sort of the societal flunkies who started businesses out of home garages. People found IT projects failures were everywhere. The corporate mindset changed to “business drives technology.”

Now, I agree that business drives technology in terms of requirements coming from the business and technology providing solutions to it and enabling it. But technology is also an engine for growth, a value creator, and a competitive advantage!

Further, while some would argue these days that IT is “just a tool”, I would counter that IT is a true strategic asset to those who understand its role in the enterprise. I love IT and I believe we all do and this is supported by the fact that we have become basically insatiable for IT. Forrester predicts U.S. IT budgets in 2009 will be in the vicinity of $750 billion. (http://it.tmcnet.com/topics/it/articles/59200-it-market-us-decline-51-percent-2009-researchers.htm) Think about what you want for the holidays—does it have IT in it?

A recent article in the Wall Street Journal was about how the homeless are so tied to technology that many have a computer with Internet access, even when they don’t have three square meals a day or a proper home to live in.

Another sign of how critical IT has become is that we recently stood up a new Cyber Command to protect our defense IT establishment. We are reliant indeed on our information technology and we had better be prepared to protect and defend it.

The recent White House 2009 Cyberspace Policy Review states: “The globally-interconnected digital information and communications infrastructure known as “cyberspace” underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety, and national security.”

It’s time for the pendulum to swing back in the other direction and to view IT as the true strategic asset that it is.