Last week, I enjoyed an unusual evening: a panel of some of the nation’s preeminent cybersecurity experts at the International Spy Museum. I didn’t have to practice any spycraft to learn more about the risks posed to national security and business in cyberspace.
Michael Assante, chief security officer for the North American Electric Reliability Corporation (NERC), warned of cybersecurity threats and risks to the smart grid.
Melissa Hathaway, President Obama’s former”” called for more public and private cybersecurity partnerships.
James Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies, described how new rules for cyberwar are being defined as cybersecurity threats grow.
Those interested in cybersecurity may find the article and posts linked to above useful.
When asked “what keeps them up at night,” each panelist responded thoughtfully.
Melissa Hathaway is worried about “our overall economic competitiveness” due to corporate cyberespionage. Assante is concerned about restoring confidence after a massive cyberattack. And James Lewis is concerned that a scenario from World War II might repeat itself in a future cyberwar.
“Think of Germans in WWII,” he suggested. “The Brits were able to break the Enigma machine through Program Ultra. That probably shortened the war by two or three years. I worry that whomever we might be fighting would know what we’re going to do before we do it.” Lewis is concerned about more than anticipation: what if opponents were to change the data, replicating the “fog of war” online?
“Look at the DOD’s ‘Blue Force Tracker’ – if that were compromised, the first thing is that you’d shoot your own folks,” he said. “Second, every commander would slow down.” (The New York Times’ excellent “At War” blog published a post today about the digital fog of war, in fact, though its author focused on the challenges of using technology in the background, not the scenario wherein it is compromised.)
Keith Epstein, the veteran investigative journalist who moderated the “Emerging Cyber Threats” panel, observed that he’s noticed a reluctance of people to really talk about this. What can be done? Assante calls the lack of public discussion a “plague of suffering and silence.” “In the electric system, our regulations require entities to, if they have a cyberattack, to report them.” Despite the concerns of some in Congress, he suggested that agencies reconsider safe harbor. “We have to be willing to share information with our allies.”
What are the scenarios that will enable cybersecurity to move forward?
Start with raising public awareness, said Lewis, which would require the mainstream media to cover cybersecurity with the seriousness that the threat deserves.
“There’s a bunch of other things we could do too,” he said. “Make better use of the DoD. Define their role in a way where they can defend cyberspace. Work with the private sector. There are many things we can do to incentivize better cybersecurity. International engagement: Reach out to allies – and maybe to opponents.”
Hathaway observed that “we are considering a national data breach law. Our allies are considering similar legislation.” S.1490, the Personal Data Privacy and Security Act of 2009, would require data brokers and companies to both establish and implement data privacy and security programs. Hathaway said that “we need to start talking about the issue: the fleecing of America.”
In her view, it’s not just consumer behavior that’s at issue: “We have the Tylenol scare in all of our computers. It’s there and they’re not telling us.”