“Our cyber-defenses are woefully lacking,” says former DNI Mike McConnell
Mike McConnell
Mike McConnell, former DNI and currently heading the cyber effort at Booz Allen, is intimately acquainted with the current level of US cyber defenses. Over the weekend, McConnell wrote an article published in The Washington Post which discussed how the US could go about winning the cyber war that many experts believe we are currently losing.
“The United States is fighting a cyber-war today, and we are losing. It’s that simple,” McConnell writes. “The problem is not one of resources; even in our current fiscal straits, we can afford to upgrade our defenses. The problem is that we lack a cohesive strategy to meet this challenge.”
The United States is one of the most networked nations in the world and therefore has much to lose by having inadequate cyber defenses. Back in 2007, Estonia, also a highly networked country, had its Internet capacity crippled by a broad-sweeping cyber attack.
Recently, the Bi-Partisan Policy Center hosted Cyber ShockWave, a simulated cyber war game which demonstrated a number of the problems the US faces in the event of a massive cyber attack. The US still lacks fundamental foundations for dealing with a cyber attack against our critical infrastructure.
McConnell believes that to prepare for a cyber attack, the US should look to the Cold War example of nuclear arms. “The cyber-war mirrors the nuclear challenge in terms of the potential economic and psychological effects,” he writes. “So, should our strategy be deterrence or preemption? The answer: both. Depending on the nature of the threat, we can deploy aspects of either approach to defend America in cyberspace.”
In order to a deterrence model to work, the US must make its intentions clear, outlining how it would respond in the event of a cyber attack. Currently, McConnell writes that the US has outlined its intentions but does not have the mechanisms in place yet nor the well outlined policy.
“The United States must also translate our intent into capabilities. We need to develop an early-warning system to monitor cyberspace, identify intrusions and locate the source of attacks with a trail of evidence that can support diplomatic, military and legal options — and we must be able to do this in milliseconds,” McConnell writes.
More importantly, the threats in cyberspace are slightly different from the nuclear debate during the Cold War. During the Cold War, the nuclear threat came from the Soviet Union. However, the current threat landscape in cyberspace includes state and non-state actors.
To deal with the threat from non-state actors, particularly terrorist organizations, McConnell recommends a preemption strategy. “We preempt such groups by degrading, interdicting and eliminating their leadership and capabilities to mount cyber-attacks, and by creating a more resilient cyberspace that can absorb attacks and quickly recover,” he writes.
McConnell also called for an increased level of cooperation between the public and private sector, to include greater information sharing. In order to build a coherent cyber strategy, McConnell would like to see experts come together to discuss the various challenges and possible solutions.
“We now need a dialogue among business, civil society and government on the challenges we face in cyberspace — spanning international law, privacy and civil liberties, security, and the architecture of the Internet. The results should shape our cybersecurity strategy,” McConnell writes.
McConnell’s article in The Washington Post can be viewed here
Related posts:
While agreeing with much of what Mike McConnell said, I find one of his statements incredible!
“But the REALITY is that while theLION’s SHARE of cybersecurity expertise lies in the federal government, more than 90 percent of the physical infrastructure of the Web is owned by private industry. Neither side on its own can mount the cyber-defense we need; some collaboration is inevitable.” What LION is he talking about or did he mean to say: “Lieing Share?” Let’s look at some facts. DHS has 188K federal employees and over 200K private sector contractors. Thus, assuming many of them are working on cybersecurity, that cyber expertise in NOT in the federal government but in the private sector. Of course DHS had its HSIN system hacked last year. http://fcw.com/Articles/2009/05/13/Web-DHS-HSIN-intrusion-hack.aspx Because the FEDERAL Government does NOT have cyber expertise they are trying to HIRE it from the private sector. http://www.cnn.com/2009/POLITICS/10/02/dhs.cybersecurity.jobs/index.html CSIS reports:
“Currently, the U.S. Department of Defense has 90,000 personnel involved with cybsercurity, with only 35,000 to 45,000 non-civilian cybersecurity employees. Every year it trains 80 cybersecurity professionals and is calling for an additional 20,000 to 30,000 cybersecurity professionals. Only 120 cybersecurity experts go into government after graduation, but the government is looking to increase that number to a thousand. Other government programs look to attract10,000 young Americans into the expanding field of cybersecurity.” http://csis.org/blog/hire-cybersecurity-specialist DOD was not able to even prevent its program on the Joint Strike Fighter from getting hacked! http://www.cnn.com/2009/US/04/21/pentagon.hacked/index.html GAO has recently reported on many of the problems with the CNCI program too. http://www.gao.gov/cgi-bin/getrpt?GAO-10-338 And Mike, because the federal government DOES NOT HAVE the lions share of Cyber Sec expertise, they are AGAIN going to the private sector and trying to buy some of that expertise they desperately need! http://fcw.com/Articles/2010/02/26/Web-DHS-cybersecurity-RandD.aspx?p=1 That is the REALITY that I see.