From: Harvard Business Review
by Steven Weber
On Friday, May 31 at the Shangri-La Security Dialogue in Singapore, US Defense Secretary Chuck Hagel said that cyber threats posed a “quiet, stealthy, insidious” danger to the United States and other nations.
Wait a minute. What exactly is quiet and stealthy about a security issue that Hagel’s colleague General Keith B. Alexander, the Director of the National Security Agency, labeled just a few weeks earlier the source of the “greatest transfer of wealth in history” from US companies to foreign hackers?
For companies and organizations that allocate vast sums of money and some of their best technical talent to the challenge of trying to protect their networks from thousands of cyberattacks daily, there’s nothing quiet or merely insidious about what’s going on. Remember the summer of 2001 when CIA Director George Tenet said of the Al-Qaeda threat “the system was blinking red” but few around him seemed to grasp the urgency? I believe the cyber threat right now has much the same character. You don’t have to be a master of the extraordinarily complicated and highly technical details of the issue to recognize this important signal: almost universally, you will find that the more an organization’s technical people know about the nature of the threat-response dynamic, the more worried they are about who is going to win that race.
How did we ever let things get this bad? The first answer to this question is usually either an engineering or an economic one. Engineers point to the problems inherent in Internet protocols that were designed, from the beginning, to be more about interoperability and connectivity than security per se. Economists point to problems of collective action and misaligned liability rules that actually reduce the incentives for firms to invest sufficiently and efficiently in protecting the network. And then there’s politics: every politician wants to champion the “innovation” and growth aspects of the Internet, and there’s little to gain from highlighting what a dangerous place it really can be.
What seems harder to talk about, but ultimately more fundamental, is culture. Let’s face it: as a society, the culture of the Internet is much more about openness and experimentation than about safety and security. This has deep roots in the libertarian ideologies of the personal computer movement (it really was a movement) and the techno-utopian, anti-authority mindset that made the Internet what it is — and is partly responsible for what makes it as great as it is.
But the Internet has now grown up. Our financial, military, healthcare, utilities, communications, commerce, supply chain, and just about every other essential life and business infrastructure system now depends on it. Internet culture, however, has grown up less. Consider this: You can’t get on an airplane or walk into an office building in New York or buy a car without proving that you are who you say you are; but anyone can enter the Internet anonymously from almost anywhere they are on the planet and walk through the virtual equivalent of almost all the same systems. Sometimes you need hacking tools that are easily accessible for purchase on the web; sometimes you need significant technical expertise. And much of the time you don’t need anything at all other than malicious, or even just curious, intent.
On Friday of this week President Obama and Chinese president Xi Jinping will spend a good chunk of their time together talking about the cybersecurity problem. Neither was anxious to do so for political reasons, but the spate of recent media reports and public leaks has left Obama, at least, with no real choice. They may very well agree in principle on a shared interest in what governments care about the most: critical national infrastructure protection. Over time, the two governments will (hopefully) land on shared rules of the road that step away from the doomsday threat of massive cyberwar, much as the Russians and the Americans found ways during the Cold War to reduce the likelihood of the thermonuclear doomsday scenario from which neither side could possibly benefit.
But they won’t agree on what to do about “lesser” levels of threat, any more than the Cold War adversaries were able to during their time. That’s because when it comes to things like commercial espionage and intellectual property theft — the things that matter to individual companies — the two big nation-state cyber-players are in quite different positions and have meaningfully different interests. It’s a little oversimplified but basically correct to recognize that the US has much more to protect and the Chinese have much more to attack.
Here’s the real insidious threat that companies need to worry about. What if Washington and Beijing do reach a common understanding on the really big stuff — the massive security risks to sovereign interests — and take steps to reduce the threat of mutually assured cyberdestruction? What will all the hackers and cybercriminals — officially sponsored and otherwise — then do with their excess time and expertise? A reasonable career move would be to specialize in “lower level” attacks like, well, corporate espionage and intellectual property theft.
For governments, most of this is a nuisance, a trade issue, and at large scale potentially a competitiveness issue, but it’s not the same as a massive attack on the national power grid and it won’t drive the same kind of government response.
If you wait for governments to define and solve this problem for you, you might just get thrown under the bus.
Here are four things that the private sector — and I mean CEOs, not CTOs — should be loudly and persistently demanding of Washington right now:
- A government-funded FFRDC-type institution, to pay for basic research and early risk-phase investment in commercial security systems.
- A support system, financial and legal, for smaller and startup companies that can’t afford to spend their money and time worrying about the security of their networks.
- A national cyber-guard or cyber Peace Corps equivalent that would spread software and practices first around the US, and then around willing allies and friends abroad.
- A major national effort to educate the public and market a new “culture of security” for Internet behavior. It’s the human link that is and almost certainly always will be the weakest link in any security system. So we need constant messaging about the basic blocking-and-tackling of online behavior to get individuals to recognize their own risky actions and their personal responsibility for security. How did Stuxnet first get into Iranian computers? Likely through a thumb drive that some unthinking Iranian engineer brought into a nuclear centrifuge control center. We don’t like to admit it, but the same kind of sloppiness happens all the time in America. As long as Internet culture allows or even supports that kind of “freedom” (as, for example, a culturally acceptable extension of BYOD policies), companies are in real danger.