Cyber's Strangelovian moment?
A steady drumbeat of news about sophisticated cyber attacks against our government and leading institutions has attendees at this year's RSA conference in a fever. And that may be bad for security.
Image credit: flickr/ManeITor
In our government, private firms and the public, fear and suspicion of stealthy cyber attackers have never been higher. That's great for business here in San Francisco, where the RSA Security Conference runs all week. But history tells us it may not be a good thing for the rest of us.
The current mania about the threats posed by faceless enemies is approaching levels not seen since the height of the Cold War in the late 1950s and 60s. Like the "Red Menace" six decades ago, the cyber menace - "APT" (or "advanced persistent threats"), to use defense industry parlance - is perceived to be both everywhere and nowhere: undetectable, unfathomable. "The near impossible battle against hackers everywhere" was the headline of a recent Reuters report, neatly summing up the sentiment on the Cyber Menace within the D.C. Beltway and among leading defense and technology firms. "They outspend us and they outman us in almost every way ... I don't recall, in my adult life, a more challenging time," says Dell's chief security officer, John McClurg, who is quoted in the story.
This sudden and dramatic display of this kind of 'Washington consensus' on cyber security owes its existence to a number of developments. The last four years has seen the sunset of two hot wars in Iraq and Afghanistan - wars that (pre)occupied the foreign policy establishment for much of the last decade. And, with Osama bin Laden dead, the defense establishment's ever-wary eye has swung to fast-growing and ambitious China, the world's next superpower. There is, of course, an undeniable increase in cyber espionage against a wide range of public sector and private firms that have spilled into the spotlight - Google, RSA, Facebook, Twitter and Apple among them.
At the same time, there has been a recognition of the growing dependence of our economy and critical infrastructure on IT networks and, in fact, the public Internet. And then there's the intelligence - much of it supplied by private firms. Last week's headline grabbing report from the security firm Mandiant Inc. on the doings of a group known as "APT1" is just the latest among them. APT1, we learned in that report, is actually Unit 61398 of China's People's Liberation Army (PLA) operating out of a nondescript, 12 story office building in the city of Shanghai.
And, of course, there's money to be made - lots of it. In fact, cyber security is one of the only areas that our sequester-strapped military can say, with confidence, that it will spend more money in the coming years. Mandiant, itself, may be headed for a public offering in the coming year, if rumors are to be believed.
But, as in the depths of the Cold War, today's fixation on "APTs" and nation-backed cyberspies can easily fool us into overreacting. The recent Mandiant report on APT1 is a great example. The report made headlines, but there was little truly new information in it. Mandiant has long maintained that it tracked not just one APT group, but dozens of them. Other firms - notably Trend Labs and Symantec - had been discussing APT1 (though by other means) for years.
Furthermore, the methods used by the group known as "APT1" were hardly novel. Its victims were subject to targeted phishing attacks, exploitation of new or previously unknown ("zero day") vulnerabilities in common software components, polymorphic, data stealing malware and so on. Finally, it had long been established that both private industry and government were targets - especially where those worlds overlapped, such as in defense and critical infrastructure. China has the world's second largest economy and its pouring billions into modernizing its army. Should we really be surprised that Unit 61398 has its own building?
So what's the big deal? I think we need to be happy that cyber threats and cyber defense are finally getting the attention of the policy establishment. But we also need to be wary of letting public concern spill over into panic.
In the Cold War classic, Dr. Strangelove, a nuclear first strike was retaliation for one rogue U.S. Air Force Brigadier General's belief that government-backed water fluoridation was a Russian plot to pollute Americans' "precious bodily fluids." We haven't gotten there yet, but we should worry about an environment in which even those who know better are inclined to jump at shadows. At the very least, we risk throwing money and resources at a problem to "catch up" rather than focusing on incremental changes and strategies that will improve our resilience to attack and make us more secure. At worst, we risk ill conceived "pre-emptive" attacks against perceived threats, as the veiled chatter about "hack back" and cyber offensive operations suggests.
Alas, the threat posed by cyber attackers - military or otherwise - is no Sputnik. Furthermore, improving the security of both private and public networks and critical infrastructure is no Moon shot. In other words: we can't throw a bunch of engineers in a room and solve this. Rather, the solution for the U.S. as other countries is slow and incremental. As President Obama's recent Executive Order on Cybersecurity and subsequent plan for mitigating the theft of trade secrets makes clear, both private and public sector organizations must focus on assessing risk and following industry best practice to protect critical assets. Speaking at an event hosted by The Trustworthy Computing Group on Monday, Robert Pittman, the Chief Information Security Officer County of Los Angeles encouraged organizations to put their weight behind a standards-based technology and standard operational procedures around IT security to improve their resilience against attack. That's a long and (frankly) not a very sexy story to tell - but its also the truth.