Cybersecurity attacks abound for federal and government websites, and the rift between technology and policy has only gummed up efforts to stop them.
Richard Stiennon, host of the “Threat Chaos” blog and author of Cyberdefense: Countering Targeted Attacks and Surviving Cyberwarfare, spoke to Federal News Radio about the growing Internet security problem and how little is being done to solve it.
“There’s a big disconnect between our generals and the people who are actually doing cybersecurity. There’s a big disconnect between presidents and the chairmen of the boards of our companies, and a very, very large disconnect in our legislative bodies. The Constitution didn’t set up anything about their email accounts, so that is a learning curve we have to get up fairly quickly.”
From a policy standpoint, Stiennon’s worry is that officials only address worst-case scenarios, without working from the bottom up.
“The policymakers are getting way too high-level input – scary talk about ‘cyber-geddon’ and the Smart Grid being attacked, and all of a sudden the country’s out of business,” said Stiennon. “There’s too much talking about the high-level instead of getting down to the details and addressing the individual critical infrastructure vulnerabilities.”
Without addressing those vulnerabilities, Stiennon said government officials may have already missed some major attacks.
“My opinion is that the impending cyber doom has already occurred multiple times. The Defense Industrial Base, completely hacked into, and reams and reams – terabytes of data – stolen on our most critical defense systems,” said Stiennon. “The IMF — somebody’s broken in. They’ve got all internal communications of the IMF and there’s damaging things in there.”
The problem with fighting back from a hack, said Stiennon, is that it requires another (and currently, just as illegal) hack on the perpetrator.
“It has actually put handcuffs on the good guys because they see an attack coming in, their predilection is, ‘These guys are attacking us, let’s go see what their servers are all about,’ and back-hack, essentially,” said Stiennon. “That is apparently what Google did when they discovered the Google Aurora attacks on them,” he said. “Their first blog post was they followed the attack back to a server in Taiwan and found all these documents on that server. [But] you can’t investigate a remote server without encroaching on the law; you’re not supposed to do that.”
In light of this catch-22, Stiennon recommends government-issued “letters of marque” that enable select users to back-hack on criminal offenders.
“There are individuals that you can trust to behave properly and not take advantage of that, that wouldn’t be criminals, and they could learn of attribution [to the attacks] and we could stop a lot of these attacks.”
Stiennon said that having these free agents go after hackers remedies the situation much better than the slow process of passing legislation.
“Technology and the Internet are moving a lot faster than any policymaking body can even comprehend. So you have to start going after the fundamentals, and that’s responsibility. How do you assign that responsibility and how do you enforce it?”
Stiennon said that the government lacks the kind of internal control necessary to stay vigilant on attacks.
“In private enterprise, when you’ve got a security issue you assign the responsibility to someone,” he said. “You say, ‘Look, if we get attacked, it’s going to be your fault that we got attacked and you might lose your job.’ That doesn’t exist inside the government or the military. The attacks happen all the time and everyone’s got plausible deniability that it wasn’t their responsibility.”
Before any action is taken, Stiennon said the government needs to have a clear plan in mind. “Strategy has to be on top,” he said.
“You don’t necessarily have to create all new positions and all new departments and agencies. But within each agency, within .gov and within .mil, assign that responsibility and allow them to make the steps,” said Stiennon. “Then you need an oversight capability to measure whether or not they’re fulfilling their obligations and that will create those checks and balances.”
Despite the evident errors in the current system, Stiennon remained optimistic about short-term goals. He said technology could realistically block all hacks on .gov and .mil websites. “Bureaucratically, of course, that’s pie in the sky,” said Stiennon. “But I think a year from now, that’s where I’d like to see us.”