What is cybersecurity’s PR problem?

Air Force,Security by on February 17, 2007 at 7:00 pm

Slashdot picked up an FCW article on coordinated Chinese hacking.

The full article is worth a read, but here are a few standout quotes:

Attacks coming from China, probably with government support, far outstrip other attackers in terms of volume, proficiency and sophistication, said a senior Netwarcom official, who spoke to reporters on background Feb 12. The conflict has reached the level of a campaign-style, force-on-force engagement, he said.


Current U.S. cyber warfare strategy is dysfunctional, said Gen. James Cartwright, commander of the Strategic Command (Stratcom), in a speech at the Air Warfare Symposium in Orlando, Fla., last week.

Although the level of discourse at Slashdot is not always the highest, I was disappointed that this audience did not appreciate fully appreciate the problem. Many indicated that they didn’t believe there was a problem.

So, if Slashdot readers can’t grasp the threat how can we expect politicians to get it?

The weaknesses of our cybersecurity systems are well established - just about every red vs blue penetration test the US runs finds countless flaws. Military leaders are beginning to understand the risks (as evidenced in the article above). However, law, policy and systems continue to lag well behind the capabilities and risks of technology.

Sumit and I contributed to a ‘National Cybersecurity Strategy’ Paper about a year ago that was meant for the White House. We worked on developing the business case for why cybersecurity matters and what the risks look like. The reality is that we haven’t seen a large-scale coordinated attack intended to cripple. The types of threats we’ve seen to date have been much more akin to ‘tests’, ‘training activities’ and intelligence gathering (and all very successful).

There are several problems that the cybersecurity practioners suffer from:

  • All of the practioners hide behind email addresses only accessbile on secure netorks and phones with no answering machines. They also aren’t known for being the most social people.
  • All “events” are classified and even those leaked to the public end up are said to be bastardized versions of real events: The Invasion of the Chinese Cyberspies (time.com). You can’t convince someone of a problem if you can’t tell them about it.
  • We’ve never had a truly crippling attack. The capabilities exist and the vulnerabilities are there. Government policies are notoriously reactive…
  • Bastardized priorities. Deep down the chain of command, DOD system admins came to believe it was their mission to filter websites and otherwise hinder the use of the ‘Internets’. This deeply misguided prioritization has alienated most of the rest of the government (who aren’t able to get to their yahoo mail accounts or check their sports scores).
I don’t know what it will take to bring about serious change. It will have to happen at some point - I just hope it is proactive change.


No comments yet.

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License. | Dave Naffziger's BlogDave & Iva Naffziger