The Senate Intelligence Committee is pushing forward the Cybersecurity Information Protection Act in response to the growing threat to national and economic security from cyber attacks. It is meant to improve the security of public and private computer networks by increasing awareness of threats. For businesses, there are many possible dangers.
“Businesses can lose intellectual property they’ve invested in, their negotiating position with someone else or internal decision making,” said Gen. Michael V. Hayden, principal at The Chertoff Group, a global advisory firm that focuses exclusively on the security and risk management sectors. Hayden previously served as director of both the CIA and the National Security Agency.
“Someone could also attack a private sector network, not only to steal information but to degrade the network. For sectors like the power sector, the danger could be someone taking over your network and using it to create physical destruction — to not make your website go down but to take over your industrial control system and make it misbehave so it destroys itself.”
These attacks occur because the cyber world was created in a way that makes it difficult to defend.
“The original concept of the cyber world was something called ARPANET,” Hayden said. “The overall statement of work was, ‘How do I move large volume of data, quickly and easily, between a very limited number of nodes — all of them I know — and all of them I trust?’ There was little reason to build security into an absolutely trusted network. However, it took off, and that is still a fair description of the Web where you have an almost limitless number of nodes — most of them you don’t know and a whole bunch you shouldn’t trust.
“Your natural instinct is to say, ‘I’m being mugged in here. Why isn’t my government protecting me?’ In Western democracies, we have a lot of trouble figuring out what it is we want the government to do and what it is we will let the government do. There are debates in Congress about privacy and security, and it just goes on and on.”
Hayden said there’s a lot of technological capacity and trained people not being used because that basic question hasn’t been answered.
“We put everything we know of value out in this domain and the government isn’t coming to our rescue,” he said. “When you have a need and government is late to that need, the private sector steps in. We’re now seeing very intense private sector activity to provide security in the cyber domain.
“What we’re trying to do is reduce risk; risk is equal to threat × vulnerability × consequence. The historical defense has been about reducing vulnerability — firewalls, good passwords, turning your machine off for the weekend, etc. All of that is designed to protect you at the perimeter. However, even if you do it perfectly, and none of us do, that stops the low-end 80 percent of threats, which sounds good, but that also means 20 percent are getting in no matter what you do.”
To combat this, the private sector has moved to consequence management.
“It’s not just defense of the perimeter; it’s presumption of breach,” Hayden said. “It’s the presumption someone has gotten into your network. You respond and defend your precious data more aggressively.
“The future of cyber defense is in the threat factor. In the physical domain, you reduce threat by shooting back. That’s hard to do in the cyber domain. What we’re seeing now is cyber threat intelligence being done by the private sector — real intelligence work with requirements, collection plans and analytical reports. Thereby, you can tell companies where they should put their energy rather than defending themselves against abstract threats, with abstract tools, for abstract purposes.”
For more information, visit www.intelligence.senate.gov or call (202) 224-1700.