I spoke recently at a regional cyber security conference on America’s need for a unified cyber policy. In my view, the country is exposed to excessive cyber risk due to weaknesses in policy. It’s far too easy for foreign adversaries to breach American government and corporate targets. Certainly, as I pointed out, any visitor or package arriving in the US faces far greater scrutiny and control than a cyber visitor.
As evidence for my worries, I cited the theft of the F-35 fighter plane’s plans from Lockheed Martin by the Chinese, who have now built a replica of our trillion-dollar weapons program on the cheap. The audience nodded in agreement. They, too, are concerned about such brazen acts of espionage that put the US at risk. When I offered some suggested policy changes, however, I encountered an attitude that I can only describe as pathetic and resigned to failure.
My cyber policy suggestions
While I do not presume to know better than the thousands of very smart people working in this huge industry, I firmly believe the time has come to discuss new approaches to securing the nation’s infrastructure and national security assets. The current approaches are deficient. That is not my opinion. That is a fact. When our enemies steal our national security secrets with impunity, it establishes that our security practices are sub-optimal.
To counter these threats, I offered three ideas: 1) Require some sort of licensing and authentication of users before allowing them access to corporate and government networks; 2) Implement more rigorous vetting of digital traffic from abroad; and 3) Create more accountability and consequences for individuals who oversee national security data breaches.
Each of these is a lot easier said than done. Each would require new laws and the kind of grinding industry-government negotiations that make most sane people want to hide under the bed. Some audience members agreed that there should be more personal accountability. That was a minor win. Regarding the access restrictions I suggested, I heard that these ideas were beyond impractical. They simply could not be done. And they were not necessary in the first place.
Reliance on frameworks and Rules
According to my audience, new ideas are not needed because we already have a number of frameworks and rules in place governing cybersecurity for the Department of Defense and its contractors. One person said if only everyone implemented the Risk Management Framework (RMF), we would all be safe. Others said that defense contractors are obligated to maintain certain security policies. (So therefore, additional rules are redundant.) I pointed out that while it may be the case, it’s also true that the Chinese stole the F-35 while these rules were in effect. Crickets.
Now we have DFARS, including NIST 800-171, which specifies, “All Department of Defense (DoD) contractors that process, store or transmit Controlled Unclassified Information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards by December 31, 2017 or risk losing their DoD contracts.”
Six months into this mandatory compliance, we can see how well these “minimum security standards” are working. On June 10th, the Washington Post reported that some of the US Navy’s most sensitive secrets had been stolen from a contractor’s unclassified network by Chinese intelligence operatives. The Navy shared few details except for the fact that the stolen information could give China a big tactical advantage in anti-submarine warfare. The contractor was supposed to have stored this information on its classified network. It didn’t, and now the lives of thousands of sailors are in jeopardy.
Frameworks and rules don’t work very well. Their implementation is subjective. Their compliance is largely based on self-assessment. Penalties for lapses are financial in nature, if they’re enforced at all. There doesn’t appear to be much personal accountability or consequence for recklessly endangering US military personnel through sloppy security practices. Yet most of my audience felt the frameworks were adequate for securing the US. A psychologist would call this ability to hold two contradictory ideas in one’s head at the same time “cognitive dissonance.” Whatever you call it, it’s dangerous.
The “It just can’t be done” mindset
Wishing that frameworks could keep us safe is a disappointing but understandable reaction to serious threats. What was worse was a resigned mindset, one that viewed changes to Internet security as being simply impossible. Make it harder for packets originating in foreign countries to reach US defense contractors? Can’t be done… You see, the way the Internet is organized, the registrars won’t let it happen. I get it. We might all die because the Internet registrars are immutable.
Would it be possible to change the way IP addresses are assigned if it could save American lives? It is possible, of course, but it wouldn’t be easy. Securing a nation seldom is. What’s troubling is the resignation that it can’t and won’t ever happen. That’s the kind of bureaucratic defeatism that leaves us vulnerable. It’s like arguing that you can’t protect your home from a burglar because your lock is broken… and calling a locksmith is simply out of the question.
I doubt everyone in cyber security feels this way, but the experience left me feeling a bit apprehensive about what’s coming. The pace and severity of attacks, coupled with this pathetic, resigned attitude, suggests we should be worried.