Defense secretary Leon Panetta couldn’t resist, could he? He couldn’t fight the urge to dig deep into the information security cliché handbook and yank out that old chestnut about a Cyber Pearl Harbor.
Seriously, is there a more cringe-inducing, FUD-filled phrase than Cyber Pearl Harbor? Never mind that it’s offensive to the families of those who fell on that date, but it raises the questions of whether the leader of the United States Department of Defense is so disengaged from reality that he decides that’s the best crutch to lean on? Or does he just need a new speech writer?
Enough questions; how about some answers.
Panetta’s speech last week at the Intrepid Sea, Air and Space Museum served several tacit purposes: A) he identified aggressors by name whom he says are a threat to the United States in cyberspace; B) he renewed his push for cybersecurity legislation that would force critical infrastructure operators in the private sector to overhaul their security programs; C) he made another call for the private sector to share data on attacks with the government; D) and most impressively, tilted the balance of power toward the DoD and away from the NSA when it comes to defending the U.S. from cyberattack.
It’s hard to shoot down Panetta’s kind of rhetoric. It hits home when the country’s top defender talks about the power grid going dark, faucets going dry and the stock market going belly up because of a computer attack. And when you point the finger of blame at political hot potatoes such as Iran, then it becomes doubly inflammatory.
Yet conversations about attacks on critical infrastructure, APT and China become noise until there’s reason to pay attention. Most security organizations are too buried in uptime, availability and making sure the company they work for makes money. They’re putting out too many fires every day to know or care if hackers from China or the cracker-wing of the Iranian Republican Guard is on their network. That’s a one-percent problem as far as most organizations are concerned.
And that’s where Panetta self-serving speech misses the point.
Companies large and—mostly—small are losing their shirts not to hacktivists or state-sponsored sophisticated hackers. Organized, smart and professional crooks using automated, commodity attacks are the real cyber enemy of American business. They’re stealing and selling payment card information and making millions. They’re putting hundreds of thousands at risk for identity theft with each data breach. They’re forcing some to lose trust in the Internet as a platform for ecommerce and communication. And they’re winning.
Panetta is not the first to bark loudly about cybersecurity in order to procure funding or nudge lawmakers toward legislation. It’s no surprise that every year at the RSA Conference, someone like General Keith Alexander of the NSA takes to the podium and lays out the A-B-C’s of Chinese hackers in an attempt to posture for recruits, budget money or both. FBI Director Robert Mueller is a frequent fixture at the lectern too, and for the same reasons.
In most cases, there are personal and agency agendas at work hoping to make enough noise to influence a largely uninformed Congress to action. There are exceptions on the Hill when it comes to being knowledgeable about cybersecurity. But for the most part, a lobbyist with a convincing bill of goods is going to get his way—how else would you explain SOPA and PIPA going as far they did on Capitol Hill?
And all the while, small businesses are getting crushed because their point-of-sale management interface is reachable online and vulnerable to any number of nasty, yet simple, attacks. Or some remote administration service running on a default password gives everybody access to your network. Or some guy working the midnight to 8 shift surfs sites he shouldn’t be surfing to, and the same machine you keep the books on is owned by a keylogger. This is where money is being siphoned out of the American economy by the millions. This is the immediate threat. And this is what the Leon Panettas of the world are ignoring.
The Cyber Pearl Harbor, Mr. Panetta, might not have anything to do with the Iranians plotting revenge for sanctions or Stuxnet. It’s much more likely to be the guy next door who runs the local carder market who’s winning the fight—and that’s who you should be lobbying to beat.