Cybersecurity Strategy: a Primer for Policy Makers and Those on the Front Line
Total Page:16
File Type:pdf, Size:1020Kb
Cybersecurity Strategy: A Primer for Policy Makers and Those on the Front Line Steven R. Chabinsky* THE PROBLEM The Internet seems to offer the promise of everything to everyone. For global and local business, it lowers costs while increasing innovation, invention, effectiveness, and efficiencies. For wealthy and poor economies alike, the Internet greatly expands markets for products and services. For peoples free and repressed, it provides an inlet and an outlet of expression. For large and small communities, whether living in urban centers or outlying regions, the Internet enables control over critical power, transportation, water, and sewerage systems. Lest we forget, for sophisticated criminals, terrorists, warmongers, and spies, the Internet also offers the chance of a lifetime to cheat, steal, and strike from afar with little money, covered tracks, and enormous real world impact. While the ability to use the same technology for positive or destructive ends is neither new nor momentous, it is necessary to consider whether the rapid adoption of the Internet has provided so considerable an asymmetric advantage to our adversaries that it can change the course of American history. In this regard, when we consider the intent and capabilities of our enemies, we cannot underestimate them or, as the 9/11 Commission found in a different context, suffer from failures in imagination, policy, capabilities, or management. Thus our future remains uncertain. Based on our increasing reliance on networks to drive our economy and support our health, welfare, communications, and security, certain questions loom large. For example, can our enemies control whether, how, and when our systems operate and our vital services get delivered? Are our personal and business records, corporate intellectual property, and state secrets routinely exposed or imperceptibly altered?1 Unfortunately, the answers to these questions not only remain unknown, they perhaps are unknowable. Therefore, it is difficult to provide our nation’s government leaders, corporate executives, shareholders, and citizens with reasonable assurance that our computer systems have not been * Deputy Assistant Director, Federal Bureau of Investigation. 1. Especially worrisome are the cyber attacks that would hijack systems with false information in order to discredit the systems or do lasting physical damage. At a corporate level, attacks of this kind have the potential to create liabilities and losses large enough to bankrupt most companies. At a national level, such attacks directed at critical infrastructure industries have the potential to cause thousands of deaths and hundreds of billions of dollars worth of damage. See U.S. Cyber Consequences Unit (US-CCU), http://www.usccu.us/# Key_Features_ of_the_US-CCU’s_Research (an independent, nonprofit research institute). 27 28 JOURNAL OF NATIONAL SECURITY LAW & POLICY [Vol. 4:27 penetrated, that our software has not been adulterated, and that our hardware does not contain implants. Similarly, it is difficult to state with confidence that over time our mission-critical data and systems – which underlie our economic prosperity, national security, and public health – will remain accurate and available when needed.2 We do know that cyberexploitation is occurring at an unprecedented rate by a growing array of state and nonstate actors against a wide range of targets,3 and that the threat will continue to grow as our society becomes increasingly reliant on information systems.4 For these reasons, just over four months into his Presidency, Barack Obama announced that “our digital infrastructure – the networks and computers we depend on every day – will 2. A glimpse into the full scope of this problem is reflected in the SANS Institute’s expert consensus ranking of the top ten cyber threats: 1. Increasingly Sophisticated Web Site Attacks That Exploit Browser Vulnerabilities – Especially on “Trusted” Web Sites. 2. Increasing Sophistication and Effectiveness in Botnets. 3. Cyber Espionage Efforts by Well Resourced Organizations Looking to Extract Large Amounts of Data – Particularly Using Targeted Phishing. 4. Mobile Phone Threats, Especially Against iPhones and Android-Based Phones; Plus VOIP. 5. Insider Attacks. 6. Advanced Identity Theft from Persistent Bots. 7. Increasingly Malicious Spyware. 8. Web Application Security Exploits. 9. Increasingly Sophisticated Social Engineering Including Blending Phishing with VOIP and Event Phishing. 10. Supply Chain Attacks Infecting Consumer Devices (USB Thumb Drives, GPS Systems, Photo Frames, etc.) Distributed by Trusted Organizations. See SANS Institute, Top Ten Cyber Security Menaces of 2008, http://www.sans.org/press/ top10menaces08.php. 3. The full dimension of the cybersecurity problem includes not only risks to the confidentiality, integrity, and availability of sensitive data, but also substantial risks to the command and control of important physical assets such as electric power grids, water supply, and other critical infrastructure. See, e.g., DEPARTMENT OF HOMELAND SECURITY, PRIMER CONTROL SYSTEMS CYBER SECURITY FRAMEWORK AND TECHNICAL METRICS (2009), available at http://www.us-cert.gov/controlsystems/pdf/Metrics_primer_v9_7-13-09_FINA L.pdf. “Electronic control systems that operate much of the Nation’s critical infrastructure are increasingly connected to public networks, including the Internet. Consequently, control systems and the associated critical infrastructure are at greater risk than before from externally initiated cyber attacks.” Id. at 1. 4. Intelligence Community and Annual Threat Assessment: Hearing Before the Sen. Armed Serv. Comm., 111th Cong. 38 (2009) (statement of Dennis C. Blair, Dir. of Nat’l Intell.), available at http://www.dni.gov/testimonies/20090310_testimony.pdf (“As govern- ment, private sector, and personal activities continue to move to networked operations, as our digital systems add ever more capabilities, as wireless systems become even more ubiquitous, and as the design, manufacture, and service of information technology have moved overseas, the threat will continue to grow.”). 2010] A PRIMER ON CYBERSECURITY STRATEGY 29 be treated as they should be: as a strategic national asset,” to be protected as “a national security priority.”5 To be sure, numerous academic and professional fields have developed around cybersecurity and risk management. All is not lost. Most certainly, there is a corresponding need to guard against an overreaction to these problems that would lead to total risk avoidance at all times for all things. Yet, how many people have the data necessary to assess their vulnerabilities, the threats against them, and the harm they are facing in the event of a successful attack? Each data point is essential to establishing an accurate risk profile and, in turn, making informed decisions about how we prioritize and protect our resources. Similarly, how many directors, officers, and government leaders understand who within and outside their organization affect their risk posture? Is the systems administrator or the chief information security officer in charge? Or, as tends to be the case far too often, is the company put at risk when an employee shows up at work one morning with a thumb drive that he plugs into his desktop’s USB slot? Regrettably, we have brought these vulnerabilities upon ourselves, having first invented the Internet and then having eagerly embraced the ensuing Digital Revolution without establishing a corresponding viable security structure. This point has not been lost on FBI Director Robert Mueller, who likened our predicament to that of Ancient Rome. In 2007, Mueller said: There is an old saying that all roads lead to Rome. In the days of the Roman Empire, roads radiated out from the capital city, spanning more than 52,000 miles. The Romans built these roads to access the vast areas they had conquered. But, in the end, these same roads led to Rome's downfall, for they allowed the invaders to 6 march right up to the city gates. I. FRAMING A CYBERSECURITY STRATEGY It is difficult to develop a national strategy for a subject as vast as cybersecurity. Where do we start and, perhaps equally perplexing, how do we know when to stop and move on toward implementation? From a federal government perspective, these questions were presented not long ago to the National Cyber Study Group (NCSG). The NCSG was formed by the Office of the Director of National Intelligence and began to meet 5. Remarks by the President on Securing Our Nation’s Cyber Infrastructure (May 29, 2009), available at http://www.whitehouse.gov/the_press_office/Remarks-by-the-President- on-Securing-Our-Nations-Cyber-Infrastructure/. 6. Robert S. Mueller, III, Dir., FBI, Address at Penn State Forum Speaker Series (Nov. 6, 2007), available at http://www.fbi.gov/pressrel/speeches/mueller110607.htm. 30 JOURNAL OF NATIONAL SECURITY LAW & POLICY [Vol. 4:27 weekly in May of 2007.7 Under the skillful leadership of Melissa Hathaway,8 the NCSG developed in less than a year the cyber strategy that would later be adopted by the White House as the Comprehensive National Cybersecurity Initiative (CNCI).9 The CNCI is contained within National Security Presidential Directive 54, which is cross-designated as Homeland Security Presidential Directive 23. That document remains classified and therefore unavailable to the public, although the White House has released an unclassified summary.10 Nevertheless, for purposes of this article, knowing the entirety of the policy is less important