If you haven’t been living under a rock, you’ve probably read or heard about the various “cyber attacks” or intrusions in the news lately, the latest being on the front page of the WSJ today. As referenced in the article, the government is applying money towards addressing this issue. The problem is that the government is hugely inefficient – agencies will squabble over the application of the money in the typical bureaucratic turf wars. The various departments will jockey to be the executive agency in charge of the major programs. If we’re lucky, the Obama Administration will create more government to duplicate efforts that exist in pockets in various existing agencies. All along the way, we’ll have the federal contractors, hungry for expanding their bottom lines in an economic environment that is relatively flat, chasing the money hither and yon. Large procurements (contracts) will take months to organize and execute because of the risk aversion and general inefficiency that exists in any large private or public organization – especially when the problem is becoming so high profile.
So what’s the answer? Fight the inefficiency. Government should use this opportunity to incentivize private industry, particularly those in what is termed “critical infrastructure programs” (e.g. energy/power generation and distribution, communications, water, civilian safety, etc.), to take appropriate steps to secure control systems. The alternative, which looms especially with the current administration, is that government will intervene on behalf of “national security” and embed itself into all of these industries. At that point, it’s not a big step to power, water, communications, etc. being run nationally by an inefficient organization with little domain expertise in the specific industries.
While the WSJ article points to something more along the lines of industrial espionage by foreign powers, thus weakening the advantage that we may have, the larger concern is one like Australia experienced with the Vitek Boden attacks in early 2000, where he hacked into waste treatment facilities and, out of revenge, dumped sewage into rivers, parks and resort lands along the Sunshine Coast of Australia. Translate that into the 911 system, air traffic control, or the power grid.
I have witnessed the acceleration of initiatives aimed at dealing with this problem. We have so many creative resources to apply to it that, given time (the largest problem), resources and the ability to break through political, procedural and organizational roadblocks, we will be successful. But we must understand that this is unlike any war that we’ve fought before. It is one where we are currently playing defense against ghost-like adversaries who at times can be enthralled by just receiving that description. We’ve tried to form a big wall of defense, but what we are protecting is too large for that approach. Instead, we need agile, targeted defenses and we must consider the offensive part of the war. By not attacking, in some way, the perpetrators of these attacks, we are just inviting more attacks and more complex attacks. Each attack yields valuable data about the defense and response capabilities. We must take the battle or some portion of it to them.