By Tom Groenfeldt
The United States has the world’s broadest use of the Internet -- supply chains, financial services, virtual teams, virtual IT resources (cloud, SaaS), accounts payable/receivable, corporate and personal communications and military planning and logistics, just to begin the list.
That makes the U.S. the most vulnerable to cyber attack. And, as Richard Clarke, former anti-terrorism chief under presidents Bill Clinton and George W. Bush, demonstrates in his new book “Cyber War,” no one is doing anything about it.
"We have connected more of our economy to the Internet than any other nation," he writes. And the U.S. has no capacity to disconnect from the global Internet. Significantly, China can block itself off from the global Internet and protect its assets.
While American cyber experts boast, privately, about their ability to hack into systems around the world and leave no trace, they appear oblivious to the possibility -- likelihood -- that others are doing the same thing to systems in the U.S. Arms of the military are making some effort to protect their own systems, although the Army lags way behind the Air Force and Navy, but no one is responsible for protecting the civilian Internet.
CIOs should understand that if their companies have important intellectual property (IP), their own security efforts are their firms’ first and only line of defense. China, says Clarke, has engaged in unprecedented theft of IP, amounting to billions of dollars from firms in the U.S., Europe and Japan.
In 2007, the director of MI5 in England wrote to 300 English companies telling them their systems had been penetrated by the Chinese government. Canadian researchers found that the Chinese had hacked into the systems of groups supporting Tibet and arranged to turn on their computers’ cameras and microphones in a way that users could not detect. The hack ran undetected for 22 months. Meanwhile U.S. intelligence discovered that the Chinese had set up ways to penetrate the American electric grid so they could pull it down at will. Someone, probably the Chinese, stole terabytes of data about the F-35 fighter, but since they encrypted it on the way out, no one can even determine what they took.
Without new regulations, the situation will not get better, Clarke says. In China, the government is the ISP. In the U.S., the ISPs fight any proposal to require them to add security to their networks, and the federal government, under Clinton, Bush and Obama, has opposed new regulation. Clarke runs a scenario of a foreign government attack on the U.S. -- blackouts as electrical grids go down, generators that can't be replaced for months blown up by power surges, refinery fires, air traffic control failing, train collisions, and food distribution networks crashing. (You can get an idea of what this would look like by watching Bruce Willis in “Live Free or Die Hard.” Clarke notes, "high-level policy officials apparently seldom make it to the movies.")
The military, which depends on contractors to keep it operational, couldn't move if the public Internet went down, and many of its internal systems are running on Microsoft Windows operating systems. Interestingly, China demanded to see Windows source code and added some security before allowing it to be distributed; in the U.S. the Financial Services Roundtable was refused similar access. Clarke says Microsoft would rather lobby government than improve its security.
Commissions have studied this issue since 1996 and issued recommendations such as separate public and private networks. Although the Pentagon maintained an air gap between networks, a Russian program to search for thumb drives managed to contaminate military computers around the world in just hours as poor security allowed users to transfer data from publicly connected machines to the internal, supposedly secure, network.
Clarke said few companies even bother informing the FBI about hacks because the agency is useless; similarly U.S. attorneys general tend to be computer illiterate. He has several suggestions, starting with isolating the electric grid from the Internet and compelling ISPs to improve security. Long-term, he advocates upgrading the Internet to provide a secure network, perhaps running in parallel with a public Internet.
For CIOs, two messages are clear: 1) You're on your own when it comes to securing the company network; and 2) This problem won't be solved without national regulation.
“Cyber War” is a fast and alarming read.