Let’s Not Understate the Cyber Threat

Wow. I read with some surprise and consternation an article in Government Computer News, 4 December 2009. In this article, the author portrays the fears of a “digital Pearl Harbor” or overwhelming cyber attack on the United States as overblown—almost as if it’s of no real possibility or significant impact. In short, the article states:

“What good would it do an attacker to take down the vital U.S. networks? While the damage to this country could be great, the benefit to an attack would be nil if it could not be followed up. The real threat of cyber warfare is not in stand-alone attacks, but in attacks coordinated with military action.”

While I agree that a coordinated attack is obviously more dangerous than a cyber attack alone, the threat and potential damage of a cyber attack could potentially be devastating—with or without military action.

Let’s think for a second about how the military traditionally projects force around the world through conventional warfare—taking control of the air, land, and sea. Control the sea-lanes and you have power over 90%+ of international commerce. Control the land and you have power over people’s daily lives—including their ability to satisfy even basic needs for food, clothing, and shelter, their personal safety, and even their ability to govern themselves. Control the air and you control freedom of movement on the ground, people’s basic comings and goings. Traditional military power can affect just about every facet of people’s lives, including ultimately the taking of life itself, i.e., paying “the ultimate price.”

Now think for a second about what a massive cyber attack could potentially do to us. At this stage in history, we have to ask ourselves not what elements could be affected by cyber attack, but what elements of our lives would not be impacted? This is the case since virtually our entire civil infrastructure and elements of the military infrastructure are dependent on the Internet and the computers that are connected to it. If you “pull the plug” or corrupt the interconnected systems, “watch out” seems apropos.

The same areas that are vulnerable to traditional military attack are threatened by cyber attack: Commerce, Energy, Transportation, Finance, Health, Agriculture, (Defense)…are all deeply interwoven and dependent on our interconnected computer systems—and this is the case more and more.

Think e-Commerce, online banking and finance, manufacturing production systems, transportation systems, food production and safety, the energy grid, electronic health records, C4ISR, and so on.

While, thank G-d, we have been spared a really devastating attack to date (if you exclude the massive amounts of data compromised/stolen in recent cyber attacks), we would be derelict in our responsibilities for ensuring safety and security if we thought that was it.

Further, unpleasant as it may be, we should consider the impact in terms of potential for physical harm or loss of life in the event of a serious cyber attack.

While many brush aside this possibility, there is certainly the potential. Even putting aside the potential public panic/chaos and ensuing loss of life and property that could occur in a serious attack, how about just taking out a single, major facility—like a dam, power plant, reservoir, electrical hub, transportation system, and so on. This is an important focus of efforts to ensure critical infrastructure protection, a public-private sector partnership initiative.

Rep. Lamar Smith, R-Texas, said: “Until we secure our cyber infrastructure, a few keystrokes and an Internet connection is all one needs to disable the economy and endanger lives.”

Sure, a severe and consequential attack would require ample skills, know-how, resources, and sophistication—it is no small feat—but with the hosts of cyber criminals, terrorists, and hostile nation states out there increasingly trying to hack our systems, there is valid cause for concern.

This recognition of what’s possible does not mean it is probable or imminent. However, the awareness and understanding of our increasing dependence on the Internet and related systems and the acknowledgement that there are those out there—as in 9-11—who seek to do our country harm, should not blind us with fear, but rather spark us to constructively deal with the challenge and take proactive actions to secure the ever expanding realm of cyberspace.

The Executive Summary in the CyberSpace Policy Review that was conducted by the White House in 2009 sums it up this way:

“The globally-interconnected digital information and communications infrastructure known as “cyberspace” underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety, and national security. This technology has transformed the global economy and connected people in ways never imagined. Yet, cybersecurity risks pose some of the most serious economic and national security challenges of the 21st Century.”

We should not and cannot understate the possible threats against our nation, but rather we need to act responsibly and rationally, with resolve to protect our nation, before and not only after. As the CyberSpace Policy Review states:

“The Nation’s approach to cybersecurity over the past 15 years has failed to keep pace with the threat. We need to demonstrate abroad and at home that the United States takes cybersecurity-related issues, policies, and activities seriously.”

Fortunately, our nation has recognized the potential threat and is acting, as Security Focus reported on June 24, 2009: “The U.S. Secretary of Defense ordered the military to create a unified command to act as the nation’s central hub for cyber capabilities and commanded the Pentagon to develop a policy framework for cyberspace operations.”

On a personal note, I am grateful for the many good, hardworking people in our military, civilian, and private sectors who are working to secure cyberspace for us, and believe we need to do this with vigor and resolve. It’s necessary in order to safeguard our future that is ever reliant on technology.

A Call to IT Arms

Recently, I heard a colleague say that we should view IT not as a cost center, but as a resource center—and I really liked that.

In fact, IT is a cost center and a resource center, but these days there is an overemphasis on it being a cost center.

On the negative side, people seem to like to criticize IT and point out the spectacular failures there have been, and in fact, according to Public CIO, “a recent study by the Standish Group showed that 82% of all IT projects were either failures or were considered challenged.”

This is the dark side of IT that many would like to dwell on.

However, I would argue that while we must constantly improve on IT project delivery, IT failures can be just a point in time on the way to tremendous success and there are many of these IT successes that we benefit from in big and small ways every day.

Moreover, it may take 1000 failures to achieve that one great breakthrough success. That is the nature of innovation and experimentation.

Of course, that does not mean we should do stupid or negligent things that result in failed IT projects—we must do our best to be responsible and professional stewards. But we should not be afraid to experiment and fail as a healthy part of the creative process.

Thomas Edison said: “I have not failed. I’ve just found 10,000 ways that won’t work.”

So why are we obsessed with IT failures these days?

Before the dot-com bust, when technology was all the rage, and we enjoyed the bounty of new technologies like the computer, cell phones, handhelds, electronics galore, the Internet and all the email, productivity software and e-commerce and business applications you could ask for, the mindset was “technology is the engine that drives business.” And in fact, many companies were even changing their names to have “.com” in them to reflect this. The thinking was that if you didn’t realize the power and game-changing nature of technology, you could just as well plan to be out of business in the near future. The technologies that came out of those years were amazing and you and I rely on these every day.

Then after the dot-com bust, the pendulum swung the other way—big time! IT became an overzealous function that was viewed as unstructured and rampant, with runaway costs that had to be contained. People were disappointed with the perceived broken promises and failed projects that IT caused, and IT people were pejoratively labeled geeks or techies and viewed as being outside the norm—sort of the societal flunkies who started businesses out of home garages. People found IT project failures were everywhere. The corporate mindset changed to “business drives technology.”

Now, I agree that business drives technology in terms of requirements coming from the business and technology providing solutions to it and enabling it. But technology is also an engine for growth, a value creator, and a competitive advantage!

Further, while some would argue these days that IT is “just a tool”, I would counter that IT is a true strategic asset to those who understand its role in the enterprise. I love IT and I believe we all do and this is supported by the fact that we have become basically insatiable for IT. Forrester predicts U.S. IT budgets in 2009 will be in the vicinity of $750 billion. (http://it.tmcnet.com/topics/it/articles/59200-it-market-us-decline-51-percent-2009-researchers.htm) Think about what you want for the holidays—does it have IT in it?

A recent article in the Wall Street Journal was about how the homeless are so tied to technology that many have a computer with Internet access, even when they don’t have three square meals a day or a proper home to live in.

Another sign of how critical IT has become is that we recently stood up a new Cyber Command to protect our defense IT establishment. We are reliant indeed on our information technology and we had better be prepared to protect and defend it.

The recent White House 2009 Cyberspace Policy Review states: “The globally-interconnected digital information and communications infrastructure known as “cyberspace” underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety, and national security.”

It’s time for the pendulum to swing back in the other direction and to view IT as the true strategic asset that it is.