Telling the Whole Story About US Cyber Attack Program
A recent Wall Street Journal article (July 7, 2010, “U.S. Plans Cyber Shield for Utilities, Companies”) did a good job telling some of the story about this important, and potentially chilling, American initiative. However, I feel the journalist could have, and should have, gone farther with the article. This blog will deconstruct the article and add some important perspective.
First off, I want readers of this blog to understand that I have worked for many government agencies in and around cyber security and was one of the many team members that helped to create the FBI’s cyber snooping system called Carnivore.
Let’s look at some key sections of the article, followed by my thoughts and comments:
- 2nd paragraph – “The surveillance by the National Security Agency, the government’s chief eavesdropping agency, would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack, though it wouldn’t persistently monitor the whole system, these people said.” The vast majority of networks in this country already have monitoring systems implemented that monitor for unusual activities. Compliance requirements such as FERC 706, PCI, CFATS, HIPAA and many others require these monitoring devices. Devices such as Host-Based Intrusion Detection systems (HID’s) and Network Intrusion Detection systems (NID’s) are on most, if not all, networks in this country, so there is no need for the NSA to implement these items.
- 6th paragraph – “The overall purpose of the [program] is our Government…feel[s] that they need to insure the Public Sector is doing all they can to secure Infrastructure critical to our National Security.” Raytheon secured an initial $100 million contract for this project but never stated that it was a good idea…only that the Government wants to ensure that the critical infrastructure is protected…but I suggest an audit would do this. Maybe that’s why FERC and NERC are requiring audits to make sure registered entities are securing their networks and critical assets.
- 8th paragraph – “A U.S. military official called the program long overdue and said any intrusion into privacy is no greater than what the public already endures from traffic cameras. It’s a logical extension of the work federal agencies have done in the past to protect physical attacks on critical infrastructure that could sabotage the government or key parts of the country, the official said.” The fact that the military compares snooping on a company’s network which would give them access to payroll, financial and other sensitive information that could be used against them for the benefit of a politically motivated attack to a traffic camera is just plain silly. The military also says it is pertinent so as to prevent the physical attack on the critical infrastructure…I fail to see how snooping on a corporate network has anything to do with protecting from a physical attack.
- 9th paragraph – “U.S. intelligence officials have grown increasingly alarmed about what they believe to be Chinese and Russian surveillance of computer systems that control the electric grid and other U.S. infrastructure. Officials are unable to describe the full scope of the problem, however, because they have had limited ability to pull together all the private data.” The reason that the U.S. Intelligence Officials can’t describe the problem because they have had limited abilities is exactly right. However, the way this paragraph is worded would make it seem that the limited abilities are because companies are not cooperating. The truth is that there are too many opinions on how this should be done…including from those who have no idea of what they are doing or saying (politicians). The Government needs to hire a group of hackers like the Chaos Computer Club, Brazil Boys or Masters of Deception to come in and solve these problems. What? You have never heard of these guys? There’s a reason for that. The best guys/gals are never caught, therefore, they are not widely known. Companies like McAfee and Symantec keep dozens of hackers on staff to fight against viruses.
- 13th paragraph – “With the growth in concern about cyber attacks, these relationships began to extend into the electronic arena, and the only U.S. agency equipped to manage electronic assessments of critical-infrastructure vulnerabilities is the NSA, government and industry officials said.” Are you kidding me? The NSA and many other agencies to include the CIA, FBI, NASA and most other government agencies have been successfully hacked so many times that this argument has more holes in it than a slice of Swiss cheese. These people can’t protect against “60 Minutes” reporters from obtaining sensitive information, how in the world can they protect against a cyber terrorist?
- The article states in the 2nd to last paragraph – “While the government can’t force companies to work with it, it can provide incentives to urge them to cooperate, particularly if the government already buys services from that company, officials said.” Personally, I always get a little nervous when a regulatory body talks about incentives. That is Government speak for “Do what we say or the President will invoke an emergency on your facility under the GRID Act and take your facility from you.
The “Perfect Citizen” project is, in my opinion, just one more way the politicians will attempt to grab control of a private company all in the name of national security. There are only two groups who will benefit from this – Government agencies and consulting firms like Abidance Consulting. The Government needs to take a few steps back and reassess their position. A good recommendation would be to complete audits on all critical infrastructure facilities and determine their state of readiness for a cyber attack based on best practices created by organizations such as NIST 800-53 or ISO-17799. After the audits have been conducted, the Government should issue “warning citations” stating, in detail, what the shortcomings are of that facility and to give them an opportunity to make amends. If they fail to comply, then implement stronger measures against them.
By doing this, the Government will make friends, keep friends and will ensure that companies will do what they need to do for fear that they could lose everything. If you just come right out and force this on a company, there is no incentive on their part to cooperate.
James Holler is founder of Abidance Consulting.