Capitol Hill Rhetoric Takes Aim at Wrong Cybersecurity Targets


Defense Secretary Leon Panetta couldn’t resist, could he? He couldn’t fight the urge to dig deep into the information security cliché handbook and yank out that old chestnut about a Cyber Pearl Harbor.

Seriously, is there a more cringe-inducing, FUD-filled phrase than Cyber Pearl Harbor? Never mind that it’s offensive to the families of those who fell on that date; it raises the question of whether the leader of the United States Department of Defense is so disengaged from reality that he decides that’s the best crutch to lean on. Or does he just need a new speech writer?

Enough questions; how about some answers.

Panetta’s speech last week at the Intrepid Sea, Air and Space Museum served several tacit purposes: A) he identified aggressors by name whom he says are a threat to the United States in cyberspace; B) he renewed his push for cybersecurity legislation that would force critical infrastructure operators in the private sector to overhaul their security programs; C) he made another call for the private sector to share data on attacks with the government; and D) most impressively, he tilted the balance of power toward the DoD and away from the NSA when it comes to defending the U.S. from cyberattack.

It’s hard to shoot down Panetta’s kind of rhetoric. It hits home when the country’s top defender talks about the power grid going dark, faucets going dry and the stock market going belly up because of a computer attack. And when you point the finger of blame at political hot potatoes such as Iran, then it becomes doubly inflammatory.

Yet conversations about attacks on critical infrastructure, APT and China become noise until there’s reason to pay attention. Most security organizations are too buried in uptime, availability and making sure the company they work for makes money. They’re putting out too many fires every day to know or care whether hackers from China or the cracker wing of the Iranian Revolutionary Guard are on their network. That’s a one-percent problem as far as most organizations are concerned.

And that’s where Panetta’s self-serving speech misses the point.

Companies large and—mostly—small are losing their shirts not to hacktivists or state-sponsored sophisticated hackers. Organized, smart and professional crooks using automated, commodity attacks are the real cyber enemy of American business. They’re stealing and selling payment card information and making millions. They’re putting hundreds of thousands of people at risk of identity theft with each data breach. They’re causing some to lose trust in the Internet as a platform for ecommerce and communication. And they’re winning.

Panetta is not the first to bark loudly about cybersecurity in order to procure funding or nudge lawmakers toward legislation. It’s no surprise that every year at the RSA Conference, someone like General Keith Alexander of the NSA takes to the podium and lays out the A-B-C’s of Chinese hackers in an attempt to posture for recruits, budget money or both. FBI Director Robert Mueller is a frequent fixture at the lectern too, and for the same reasons.

In most cases, there are personal and agency agendas at work, hoping to make enough noise to push a largely uninformed Congress to action. There are exceptions on the Hill when it comes to being knowledgeable about cybersecurity. But for the most part, a lobbyist with a convincing bill of goods is going to get his way—how else would you explain SOPA and PIPA going as far as they did on Capitol Hill?

And all the while, small businesses are getting crushed because their point-of-sale management interface is reachable from the Internet and vulnerable to any number of nasty, yet simple, attacks. Or some remote administration service running with a default password gives everybody access to their network. Or some guy working the midnight-to-8 shift surfs sites he shouldn’t be surfing, and the same machine the books are kept on is owned by a keylogger. This is where money is being siphoned out of the American economy by the millions. This is the immediate threat. And this is what the Leon Panettas of the world are ignoring.

The Cyber Pearl Harbor, Mr. Panetta, might not have anything to do with the Iranians plotting revenge for sanctions or Stuxnet. It’s much more likely to be the guy next door who runs the local carder market who’s winning the fight—and that’s who you should be lobbying to beat.

Discussion

  • Anonymous on

    Perhaps it's up to the vaunted American capitalistic businesses to make themselves safe.  Unless it's now too concerned with cost reduction and other methods of increasing executive bonuses to see the need for security.  The security problem is solvable if business wants to solve it.  Look at what happened to Northern Telecom (Canadian company) years ago when they failed to look after their own security.

    Regards,

  • Anonymous on

    Panetta is from the CIA. That should explain everything.

  • Anonymous on

    I disagree that "Companies large and—mostly—small are losing their shirts not to hacktivists or state-sponsored sophisticated hackers. "

    If you are an Intellectual Property based company (software, hardware, anything remotely technical) the PLA is actively trying to steal your IP every single day, and anybody in these businesses that denies that is either lying or has no idea what is going on in their network.

    Of course, for now anyway, few technology companies are admitting to this, because no one wants to be the next RSA. But be under no illusion, it's happening, every day, and if you talk privately to any security engineer in Silicon Valley, in Seattle or any other big tech hub they'll tell you all about it.

  • Anonymous on

    While "Cyber Pearl Harbor" is pretty bad, last week Paul Stockton, Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs, continually referenced that we are at a "Pre-9/11 Moment" before the Cyber-Jihad.  I'm not sure you could get more FUD references into so few words.

    Of course, this is from the same group of people that see legislation as the only answer to "our current cyber security threats".  It seems some in the government think that businesses and other entities won't do anything for security unless mandated; no thought to the fact that these things affect bottom-line financials, so most places incorporate security spending into their risk management strategies.

  • Anonymous on

    The NY Times misquoted him; he did not say "[...] derail passenger trains loaded with lethal chemicals".
