A Vicious Cycle
The new Deputy Commander of the U.S. Cyber Command, Lt. Gen Robert Schmidle Jr, USMC, was recently quoted as saying that there was a “dearth” of doctrine and policy in the world of cyberspace. This, of course, came as something of a surprise to anyone who has been in this field for more than ten minutes. For you nugs, or anyone who lacks a sense of history:
1985: DOD Trusted Computer System Evaluation Criteria
1994: National Training Standards for INFOSEC Professionals
1996: Executive Order 13010
1997: National Training Standards for Information System Security Officers
1997: PCCIP Report
1998: DOD CIP Report
2000: National Plan for Information Systems Protection
2003: Information Operations Roadmap
2003: National Strategy to Secure Cyberspace
2004: National Military Strategy of the US
2005: Net Centric Environment Joint Functional Concept
2006: Federal Plan for Cyber Security and Information Assurance
2006: National Infrastructure Protection Plan
2008: National Defense Strategy
2008: Vision 2015-A Globally Networked and Integrated Intelligence Enterprise
This is a very modest sample of just the governmental and largely DOD-related set of policy, regulation, doctrine, reports, studies, manuals and like documents that deal exclusively with cyberspace security or dedicate large parts of their corpus to it. This list does not include dozens of other reports, studies and papers from other governmental organizations, as well as independent organizations like think tanks and universities, that address the same and related topics from nearly all angles. Just the modest electronic archive I’ve managed to collect over the years would require about 12 million pieces of paper if you had to print it out. That’s not a dearth, that’s a deluge.
What is truly remarkable about all the ink that has been spilled about cyber security in this country alone is that most of these reports all say the same thing. Over and over again:
So, improving cyber security does not depend on more information, more studies, or more research; it depends on actually reading, listening, and heeding the advice and recommendations of those who have already studied the problems.
Why do we seem to be getting nowhere fast? Why, when computer technology and high-speed bandwidth are becoming ubiquitous, are we worse off from a security perspective today than we were nearly thirty years ago? It’s largely because no one is calling “bullshit” on the shenanigans perpetuated by those who are most responsible for this mess. Here are a few examples of what I mean:
“This is a wake-up call”
Most often heard combined with the phrase “Digital Pearl Harbor.” Malicious activity using computers has been going on about as long as there have been computers. The earliest public reference I can find is in a book called Computer Capers by the late Thomas Whiteside. “Cyber” espionage or war? Cliff Stoll – a non-expert – wrote about his experience dealing with then-KGB-sponsored German hackers targeting U.S. government secrets in the mid-1980s. Anyone who utters the words “wake up call” in a cyber security context is not hearing a wake-up call, they’re hearing the snooze alarm go off . . . for the 25th time.
“Digital Pearl Harbor”
Like the wake-up call, the threat of a “Digital Pearl Harbor” is another well-worn phrase used to try to signify the importance of fixing the significant problems we have now, so that an adversary cannot deliver a crippling blow to a critical national resource. The problem with that analogy is that in hindsight, Pearl Harbor was not much of a surprise. Likewise, we’re being attacked now! How is anything about cyber security a surprise to anyone? It’s not.
The number one problem with cyber security, at least from a political perspective, is that it doesn’t kill people. Terrorists kill people, hence the Transportation Security Administration and Department of Homeland Security. Foreign armies kill people, hence our armed forces, weapons manufacturers, defense contractors, etc. Disease kills people, hence the Centers for Disease Control, public health entities, pharmaceutical companies, etc. Comparatively speaking, what goes on in the dark recesses of cyberspace is trivial when compared to the evil perpetrated in meat-space and the corresponding impact it has on lives, societies, and economies. The idea that a given event in cyberspace is analogous to a catastrophic event in meat-space is at best laughable and at worst indefensibly insulting.
“We need more sharing”
Sharing information about threats and vulnerabilities across sectors and markets is a good thing, and if you have established a relationship with parties of a similar mind that actively and meaningfully work together in this regard, great. The problem is that as it is commonly understood, “sharing” usually means “something other people should do for me but not something I’m prepared to do for others.” That’s the exact opposite of sharing.
Government entities are the most egregious when it comes to sharing. The call for more or improved “public-private partnerships” is the code phrase you’re listening for, which really means the government wants you to share what you have with it, and in return they will show you the same vague, ambiguous briefing they’ve been showing you for the past 10 years (updated with information about the victim-of-the-month just to keep things fresh). The government has even gone so far as to ask the private sector to donate their experts to help improve the government’s security situation. It used to be that the government would send its people to spend time in industry in order to acquire specialized and hard-to-come-by knowledge and skills. Industry used to welcome access to a free engineer or scientist, but oddly enough they aren’t lining up to participate in a nothing-for-something scheme.
Next Week: A Sense of History