This is WAY Beyond Your Facebook Account
By now, we all know about the Russian interference in our elections. Let’s not kid around by calling it meddling. This is an attack of the most fundamental nature.
But an important element of this aggression has gotten lost in the background for many of us. I am referring to the targeting of our electronic infrastructure writ large.
Russia has been probing our utilities infrastructure. They are trying to understand its connectivity and to find its vulnerabilities. This would make sense if one wanted to have a standby capability to disrupt a modern society. Imagine widespread, rolling outages at critical weather peaks. Imagine a runaway nuclear plant that will not shut down.
Others (China, North Korea, ???) are doing the same sort of poking about and testing. Our vulnerabilities are very real and exposed.
The Director of National Intelligence has noted that there are many critical vulnerabilities. Think about what life would be like in the following scenarios:
- In the wake of 9/11, there was concern about the financial trading sector being down for too long. The system was back in full operation in a very few days.
- Imagine an attack that kept changing its process. It could shut down all aspects of the financial system for weeks.
- How about GPS systems going awry? It would cripple ground and air transportation, as well as emergency services.
- Large-scale modern commerce depends on just-in-time logistics. This is an exquisite ballet that depends upon sophisticated communications and computing. Imagine that framework dissolving into a nonfunctioning status for several weeks.
- Think about large-scale denial of service of enterprises such as Amazon or UPS.
- The vast majority of data storage is remote these days, in the cloud. Security for this has been good and getting better. But imagine attacks that disrupted all this, or that destroyed the stored information.
- Take out email. Disrupt telephone communications (cellular and land lines). How does that feel?
- Wouldn’t it be interesting to drive in a major metropolitan area with no working traffic lights? You might not notice; you could be too busy trying to control your car with its electronics gone berserk.
Much of the risk described above represents a failure of government. This goes back quite a way. We have known for decades that the risk is evident. At least as far back as the last Bush administration we knew that our adversaries were working in this area with new intensity. Yet we have done little in the way of a coordinated response or in-depth planning.
This is a functional area that the private sector cannot address alone. The absence of government standards makes individual efforts haphazard at best. Lacking a government mandate for specific steps asks businesses to accept high costs. Their competitors may choose to forgo such costs, leaving the former at a business disadvantage.
So, what to do? One hopes that more is going on that is classified and thus unknown to the citizenry at large. Standing up the US military’s Cyber Command is an excellent step towards getting well. Some other steps come to mind:
- We all take this as seriously as it deserves. Miss no chance to ask officials and government employees what is being done to secure us.
- Government steps up to its responsibility. Convene a working group to develop standards and tools on a tight but realistic timeline. Membership draws from government, industry, academia, and the intelligence community.
- Emphasize early detection and more proactive, rather than reactive, courses of action. We need not publicize counterstrikes, but take them. Those who wish us harm need to know we will spare no effort. We will exact a steep price, often in the same domain, on those who persist. The Stuxnet program set the Iranian nuclear program back to an impressive degree. We could do similar with those we find attacking or searching in our structures.
There are a few overriding factors that should guide us going forward.
- One, the threat is real and exceptional. No more denying it.
- Two, both industry and government have been too passive and too defensive in this fight. We should take it home to perpetrators – the price to be in this arena against us is high and long running.
- Three, we must get out of the model of reacting to the last challenge. We should have the technology by now to get ahead of perpetrators.
I have little confidence that this Administration will meet this challenge. The responsible agencies are doing what they can, but it is not enough.
A national strategy and protocols including industry and academia require political leadership. In this regard, past administrations failed us. This one is as well, spectacularly and even deliberately.
When the reckoning comes, remember those in power knew the risk and they chose to ignore it.