We have seen a number of nation-states beginning to use black hat hacking tools and espionage tactics in an effort to steal intellectual property from corporations, target retailer customer databases, and monitor the electronic communications of entire national populations for terrorist threats.
This development, as well as the risk of cyber attacks against critical national infrastructure and banking data centers, has been mirrored by the U.S. government’s decision to craft a cybersecurity strategy. However, the nature of cyberspace situates the onus for cybersecurity outside the authority of the U.S. military, intelligence community and Department of Homeland Security alone.
Shane Harris, author and senior intelligence and national security correspondent for The Daily Beast, discusses this escalating issue in a recent webcast entitled, “Caught in the Crossfire: The Business Impact of Cyberwar and High Tech Espionage.”
In exchange for threat intelligence, Harris notes these private companies subsequently agreed to a public-private information sharing partnership with the U.S. government to shore up its information security strategy. This partnership, which can loosely be understood as the “military Internet complex,” has since evolved to include more than 100 companies, paving the way for the Pentagon and the U.S. defense community to re-evaluate its understanding of computer security as the fifth domain of warfare that, as with land, sea, air and space, it feels compelled to dominate.
The U.S. Department of Defense’s revolution of thought has been matched by a revolution in spending: in 2014, $13 billion was allocated to cyber defense programs (a figure that does not include classified initiatives), whereas only $11.6 billion was dedicated to combating climate change.
Despite their emergence, these information-sharing agreements have not served to clarify the roles of either private companies or the U.S. government. Harris uses the September 2012 DoS attacks against major U.S. banks and the more recent Sony hack to illustrate this point.
In the former, the U.S. government did little to aid the victims of the attackers, whereas in the latter, it publicly denounced North Korea as the party responsible for the attack and embraced a “proportional response,” both in terms of sanctions and clandestine cyber attacks against North Korean Internet and government targets, as an effective display of national resolve.
These two incidents reveal the extent to which the U.S. government is setting inconsistent cybersecurity policy. As a result, it is imperative that companies realize that, for the time being, they cannot count on the federal government to come to their aid in the event of a security incident.
That is not to say that this will always be the case. President Dwight D. Eisenhower’s “military industrial complex” must have seemed equally strange to the U.S. government and weapons manufacturers back in the 1950s. As with that historical precedent, the passage of time, not to mention a series of laws that have yet to be passed or even conceived, will clarify the roles of both the public and the private sector when it comes to cyber security.
In the meantime, however, and given that thousands of actors could perpetrate attacks similar to the Sony hack, it is unclear how private companies can adequately defend themselves and their networks against cyber attacks. This is a pressing concern that the federal government and the private sector must negotiate if we are to protect one of the United States’ most strategic national assets.
To learn more about the business impact of cyberwar on the United States, you can watch the webcast in full here.