Computer security researcher Steve Gibson is seen in his home office, April 10, 2002. Two years ago he was testing intrusion-detection software when he suddenly found a program running on his computer that he had unknowingly installed.
"A Safe Harbor for our Foes"
Op-Ed, Washington Times
November 25, 2009
Author: Melissa Hathaway, Senior Advisor, Cyber Security Project
Belfer Center Programs or Projects: Explorations in Cyber International Relations
Having just marked the anniversary of the first successful transmission of a computer-to-computer message on Oct. 29, 1969, also known as the 40th birthday of the Internet, there is an inconvenient truth about this magical medium.
Few Americans know that voyeurs, thieves, spies and nations regularly invade our homes, enterprises and government.
In a time where we discuss and debate border protection from in-bound missiles or illegal immigrants, we fail to address the stark reality of the threat that transgresses our borders daily.
This threat is present in the Internet - the interconnected series of networks that enables us to access our bank accounts from almost anywhere in the world, facilitates communications to family and friends, aids in delivering power and water to our homes and businesses, controls transportation and other critical infrastructure systems, and is transforming the way our doctors provide health care.
The inconvenient truth about the Internet is that it is harboring and facilitating America's adversaries, whether they be nation-states, terrorist organizations, criminal syndicates or rogue hackers. These adversaries regularly probe and attack government and private-sector networks.
They steal credit card and other financial data to raise funds for other illicit activities.
Through widely disseminated computer viruses, like the Conficker worm or other self-replicating programs, networks or computers that have not kept up with security patches are at risk for loss or destruction of data, or may become unwitting members of vast electronic armies, called "botnets," that are used for other malicious attacks such as the one that roiled government networks on our nation's Independence Day this year.
The implications are vast and historical, and there is a pressing need to penetrate the American consciousness now. Hollywood has already dramatized some of the possibilities, illustrating how computers can be used for high-tech financial crimes or to wreak havoc with transportation systems or the electrical grid.
Urgent steps are needed for government, industry and citizens. Our government needs to tell our citizens that the risks portrayed in the movie theaters are not imaginary.
For example, how many citizens are aware that thumb-drives given away by the hundreds or thousands at conventions or home shows can be infected with malicious software that, once implanted on your home computer, can be triggered to use your home computer to attack your employer or your government?
Likewise, government must work with the private sector to identify new threats and to protect all systems from attack. While the magnitude is difficult to estimate with any precision, we know intellectual property and sensitive military information are stolen today at an alarming rate, and that private-sector networks are infiltrated as a means for attacking those networks, or as a medium through which to attack our government or other targets.
Information-security officers throughout the United States understand the risks, but limitations on what is shared with competitors hamper efforts to build successful defenses.
Moreover, although the private sector continues to find new ways to exploit technologies to transform the global economy and connect people in ways that few could have imagined even a decade or two ago, we have not invested in the resilience necessary to ensure that our businesses can continue to operate in a degraded environment.
During the Cold War, defenses focused on stockpiles of intercontinental and other strategic missiles, attack submarines and long-range bombers. The two major powers placed missiles and bases in strategic locations, amassing allies as in a real-world game of Risk. Unlike the one-dimensional, zero-sum problem of the Cold War, the cybersecurity problem is more like the grand Chinese strategy game of Wei-Ch'i (or Go, as it is more commonly known in the Western world).
The complexity and scope of today's cybersecurity problem mirrors the complexity of Wei-Ch'i and requires that we partner to build more effective solutions and develop and implement a sophisticated strategy.
The plan announced by President Obama on May 29, 2009, in conjunction with the release of the detailed Cyberspace Policy Review recognized the complexity of the cybersecurity problem and the challenges we face.
That plan includes public education campaigns, public-private partnerships to share information and develop security solutions, investments in education to develop new cadres of cybersecurity professionals, and enhanced collaboration with international organizations and allies.
Achieving progress on this strategy will not be easy, and will require senior leadership in the White House to coordinate efforts throughout the executive branch. Equally importantly, progress will require cooperation with Congress to ensure that the federal government develops and implements coordinated efforts to address the cybersecurity problem.
One of the most important messages of the Cyberspace Policy Review is that progress on the cybersecurity problem will require full engagement across government, the private sector and U.S. citizens. Unlike the Cold War, this is not a mission that belongs only to the Pentagon and the intelligence community.
As the Internet prepares for its first "midlife crisis," it remains open to all citizens. Accordingly, protecting cyberspace requires full participation from the business community and from private citizens. We all have a role to play in this important mission, and the sooner that our government begins to lead us forward in a collaborative effort, the safer we all will be.
Melissa Hathaway is president of Hathaway Global Strategies LLC and senior adviser at Harvard University's Belfer Center. She was acting senior director for cyberspace for the National Security Council.
For more information about this publication please contact the Belfer Center Communications Office at 617-495-9858.