Is America Building a Cyber Security Sand Castle?

William Crowell, former Deputy Director of the National Security Agency, helps explain how private sector efforts coupled with public sector policies can mitigate cyber threats


Loss of trade secrets to foreign entities — as well as loss of information on sensitive projects by private government contractors — could bolster the economic and military strength of other countries at the same time. “A recent report to Congress from the National Counterintelligence Executive highlighted that over 108 countries, both friend and foe, are actively stealing intellectual property from U.S. businesses to help bolster the competitive posture of their own economies,” says Lynn Mattice, former CSO of Boston Scientific and Chairman of the Board of Advisors of the Security Executive Council.

The public sector and the private sector — both critical infrastructure and other business — are inextricably linked; a cybersecurity failure on the part of one could mean a new threat for all.

Why All the Attention Now?

Of course, the federal government, critical infrastructure and other private companies have all been working for years to shore up cybersecurity gaps, some more wholeheartedly than others. Why is the spotlight suddenly shining so brightly on this issue?

One reason is the election of a new U.S. President who has promised to give it a hard look. “You have an administration coming in that’s increased the focus on leveraging social collaboration technologies, and the focus on furthering the agenda of the nation and leveraging technology,” says Theresa Payton, former White House CIO under President George W. Bush and a Security Executive Council Emeritus Faculty Content Expert. “With that change in administration, the media has really started to look at and have an enhanced understanding of what’s going on with cyber globally and in the United States. So in a sense, it’s all about timing.”

Another reason is the documented increase in the sophistication and number of cyberattacks. Experts agree that the types of threats we are facing now are dramatically different than they were even 12 months ago. “The nature of the threat has changed from casual attacks to very well-financed, substantial, well-delivered attacks. These advanced threats require equally advanced countermeasures for everybody now,” says Tom Patterson, a business advisor on security, commerce, and governance and author of the book “Mapping Security — Corporate Security Sourcebook for Today’s Global Economy.”

Hord Tipton, former CIO of the U.S. Department of the Interior and current executive director of (ISC)2, explains, “We have always played this game with the hacking and attacking community, trying to catch up and get on an even par with them. But the evidence and data collected seems to indicate we’re falling behind. Annual reports show as much as a 40-percent increase in exploits in ’09 than ’08, and we have seen a trillion dollars of fraud and identity loss in ’08.”

These increases can be chalked up in part to the slump in the world economy, according to Payton. “In desperate times, you see a run-up on traditional crimes, and now that cybercrime is becoming more mainstream, it’s following the same pattern. I think this does put us more at risk; obviously the more somebody tries to get into your fortress, the more potential they have to find the weak link in the chain, so to speak. But at the same time, from a leadership perspective, the media attention on this topic is creating the positive impact of a heightened awareness of the threats.”

Initiatives Already on the Table

The federal government has a number of executive and legislative initiatives on the table aimed at changing how cybersecurity is handled both in the public and the private sector.

The Comprehensive National Cyber Security Initiative (CNCI) was introduced in early 2008. Its overarching purpose is to better protect the nation’s cyber infrastructure, starting with federal computer systems and networks. The initiative intends to reduce external points of access to federal networks, improve situational awareness across agencies, shift the focus from passive to aggressive intrusion detection and prevention, and enhance existing information-sharing efforts between the government and the private sector. The details of how all this will be accomplished remain highly classified.