To view the original article please click here.
Larry Clinton, US Infrastructure Op-Ed, 02/15/2010
On May 29, 2009, the Federal government issued a report that stated that, between 2008 and 2009, American business losses due to cyber attacks had grown to more than $1 trillion worth of intellectual property. In critical infrastructure sectors, where one might hope to see more encouraging statistics, the story is much the same.
According to “In the Crossfire: Critical Infrastructure in the Age of Cyber Security” a survey conducted by CSIS for McAfee and released 28 January 2010 “critical infrastructure owners and operators report their IT networks are under repeated cyber attack…the impact of such attacks is often sever and their cost high.” A majority of the executives polled believed that foreign governments were already involved in the attacks on their network systems.
The statistics in the report are telling. Nearly 90 percent of respondents reported being infected with virus or malware and 60 percent were the victims of sophisticated DNS poisoning (where web traffic is redirected), with nearly half reporting multiple monthly attacks. Denials of service attacks were also common with two thirds reporting that these attacks were effecting operations. In addition, theft of service attacks were common as was extortion.
Some critical sectors were especially hard hit. For example the oil and gas sector reporting that 71 percent had experienced some form of stealthy intrusion on their systems with one third of the sector reporting multiple intrusions every month.
The data about SCADA or Industrial Control Systems (ICS) was equally alarming. More than 75 percent of those with responsibility for such systems reported that they were connected to the Internet or some other IP network with about half acknowledging that this created an “unresolved security issue.”
Overall the study revealed that “One third of respondents say their sector is unprepared to deal with major cyber attacks or stealthy intrusions… by nearly two to one respondents said the vulnerability of their cyber systems had increased over the past year outnumbered those show said it had decreased…40 percent of the executives expected a major cyber security incident (one causing an outage of at least 24 hours, loss of life or failure of the company) within the next year. 80 percent predicted such an event in the next five years.”
Just as chilling as the extent of cyber attacks is our widespread lack of investment in addressing this critical threat.
The 2009 PricewaterhouseCoopers Global Information Security Survey found that, notwithstanding the increasing cyber threat and the attendant publicity to the threat, that nearly half (47 percent) of respondents reported that were actually deferring or reducing their investments in cyber security.
The results from 2010 CSIS study are even worse reporting that 66 percent of the US critical infrastructure owners and operators surveyed reported that they were reducing investment in cyber security and 27 percent said these reductions were significant (greater than 15 percent).
Even our most sophisticated organizations, both public and private, are struggling with this problem.
On 26 January 2010 the New York Times reported on a recent exercise in which senior Pentagon leaders were asked how they would respond to a cyber attack:
”The results were dispiriting. The enemy had all the advantages stealth, anonymity and unpredictability. No one could pinpoint where the attack had come from so there was no way to deter further damage with retaliation….especially because it was never clear if the attack was an act of vandalism, an attempt at commercial theft or a state sponsored effort to cripple the US….What some participants knew – and others did not – was that a version of their nightmare had just played out in real life, not at the pentagon….but at Google.”
The reasons why cyber attacks are growing at such an alarming rate is simple. The economic incentives equation for cyber security massively favors the attackers. Cyber attacks are comparatively easy and cheap to launch. The amount that can be stolen is enormous both in financial terms and in the theft of corporate or national secretes. And, the chances of getting caught are miniscule.
On the other hand, cyber defenders are inherently a generation behind the attackers. The perimeter one needs to defend is virtually limitless. And, it’s very difficult to demonstrate a return on investment to cyber security. Both the private sector and the government must rethink, and reorganize, their fundamental approach to cyber security. This needs to begin by realizing that cyber security is not an “IT” issue.
At the governmental level cyber security has been treated primarily as a technical and operational issue rather than as the strategic and economic issue it truly is. At the corporate level cyber security needs to be seen as an enterprise wide, risk management issue which has critical links to each area of the organization including legal, operational, human resources, communications and finance as well, of course, as IT.
Several recent studies have noted the organizational problems within enterprises which militate against taking the needed enterprise wide approach to cyber security.
Deloitte’s 2008 “Enterprise Risk” study concluded that, in 95 percent of US companies, the CFO is not directly involved in the management of information security risks, and that 75 percent of US companies do not have a Chief Risk Officer. Sixty-five percent of US companies have neither a documented process through which to assess cyber risk, or a person in charge of the assessment process currently in place (which, functionally, translates into having no plan for cyber risk at all).
A 2008 Carnegie Mellon study concluded: “There is still a gap between IT and enterprise risk management. Boards and senior executives are not adequately involved in key areas related to the governance of enterprise security.”
At the launch of the CSIS Infrastructure report one of its main authors Adam Rice answered a question as to why in the face of the increasing cyber threat, investment was dropping. “When it comes to budgeting in most organizations cyber security costs are loaded into the IT department and that section is generally viewed as a cost center. Most organizations simply don’t translate IT security spending into a factor addressing the overall health of the organization and as a result the budgeting is simple not there.”
The American National Standards Institute (ANSI) in conjunction with the Internet Security Alliance (ISA) conducted a two year long program analyzing this issue resulting in a framework for addressing this structural problem “The Financial management of Cyber Risk: 50 Questions Every CFO Should Ask” which came up with the same conclusion.
”By now virtually every corporation in America has calculated the positive aspects of digitalization into their corporate business plans. Unfortunately that has generally failed to properly account for the financial downside resulting from the risks to their cyber systems. To successfully manage financial cyber risk will require a dialogue sparked by a series of pointed questions to all stakeholders …and supervised by the CFO”
While the private sector needs to look within itself for to address its own structural problems, the federal government must also take an increasing role, but it too must abandon its cold-war era assumptions about national defense and the role the private sector plays in the digital era.
The attacks against Google and the conviction of the majority of infrastructure executives that foreign governments are already attacking these privately owned systems illustrate that the private sector is now on the front lines of the cyber wars.
Government needs to launch a new form of partnership with industry that reaches beyond the beltway and connects at the business plan level.
To harden our defenses against digital attacks the federal government needs to provide market incentives to generate the investment required to harden private systems at a level that may well be beyond what is required by their current business plan and instead also appreciates its role in protecting the nation as a whole.
The history of the phone and power utilities provides a pathway that ought to be considered. At the beginning of the last century policy makers perceived the public policy need for private investment in universal phone and power service and thus essentially guaranteed the return on private investment in these businesses and thus created the public utility operated by privet firms.
We now have a similar situation wherein upgrading our infrastructure for universal cyber security that is in the national interest. Government has numerous tools, procurement, loans, and awards programs insurance, liability caps not to mention tax incentives which it already uses in other areas of the economy to generate pro-social investment. These tools need to now be harnessed to address our grouping cyber security needs in a new social contract for national security
The good news is we already know a great deal about how to mitigate most cyber attacks.
Independent research as well as testimony from the NSA and CIA all agree we can stop 80-90 percent of cyber attacks just be implementing the standards and practices we already have. The primary obstacle to doing so is cost.
A government incentive program tying market incentives to the voluntary compliance with these security practices could go along way toward creating a 21st century model of national security.