Officials sound the cyberattack alarm, but tend to leave business to fend for itself. Time for less talk and more deeds.
In October 2008, Shawn Henry, newly appointed head of the Cyber Division of the Federal Bureau of Investigation (FBI), told a group of reporters: “There are a number of countries who have an interest in stealing information from the US,” with as many as two dozen taking an “aggressive interest in penetrating our networks”. In the past year, he said, “the malicious activity has become much more prevalent”.
This was interpreted as saying that the US is under attack – cyber attack.
Similar comments have been made by UK officials. In December 2007, MI5 spy chief Jonathan Evans openly warned UK businesses of attacks on them by “Chinese state organisations”.
So high-ranking government officials from both the US and the UK have explicitly warned that foreign states (such as China) are attacking US and UK business and government cyber assets. The response? Nothing much – certainly, not a comprehensive one involving the private sector. It seems it is up to business to learn how to protect itself.
Henry's sort of comment is the 21st century equivalent of “the boy who cried wolf”. Apparently, such comments from government officials are intended to raise security awareness. However, since no supporting information is released to back up these statements or suggest countermeasures, their credibility is called into question.
“It's classified” is the usual refrain. So why bother? Is the real purpose to show officials appearing to do something? Remember the Department of Homeland Security (DHS)'s Homeland Security Advisory System and its colour-coded alert levels? Does anyone run their information security (IS) programmes based on those alert levels?
If government is not going to share with business any sensitive information on these attacks, it would be far better for these same officials to at least facilitate information-sharing among businesses. Business would then have some awareness of the attacks it is potentially facing.
At least one UK government agency appears to “get it” – the Centre for Protection of National Infrastructure (CPNI), which gives, it says, “integrated security advice to businesses and organisations which make up the national infrastructure”.
In the US we have a mess. The FBI (Department of Justice) is always battling with the US Secret Service (DHS) about which is responsible for cybercrime. According to the FBI's website, cybercrime (such as computer intrusions, online predators, piracy, intellectual property theft and internet fraud) is the bureau's number three priority. According to the Secret Service's website, it has two missions, one of which is to “safeguard the nation's financial infrastructure and payment systems to preserve the integrity of the economy”. According to DHS' website, the USSS “investigates financial crimes, including financial institution fraud, identity theft, computer fraud and computer-based attacks on our infrastructure”.
So, the two statements are not even aligned. Other components of DHS are also involved in infrastructure security. “The Office of Operations Coordination is responsible for monitoring the security of… infrastructure operators.” And, the “US Immigration and Customs Enforcement (ICE), the largest investigative arm of the Department of Homeland Security, is responsible for… infrastructure security”.
So, the US government has multiple entities supposedly part of protecting critical infrastructure (including IS), but none of those entities actually protects the parts of critical infrastructure that are in the private sector – the vast majority of assets. Nor is any US government entity tasked with providing such advice to US business.
The UK Government has had its embarrassments around information security, but in the CPNI it has one entity tasked with providing advice to business and trying to be part of the solution to this problem.
Maybe the US government could learn a lesson here from our UK counterparts. There is certainly no US monopoly on good ideas for preventing cyber attacks.
Tim Mather is chief security strategist for RSA Conferences