Cyberwarfare

Cyberwarfare raises issues of growing national interest and concern.

Cyberwarfare can be used to describe various aspects of defending and attacking information and computer networks in cyberspace, as well as denying an adversary’s ability to do the same. Some major problems encountered with cyber attacks, in particular, are the difficulty in determining the origin and nature of the attack and in assessing the damage incurred.

A number of nations are incorporating cyberwarfare as a new part of their military doctrine. Some that have discussed the subject more openly include the United Kingdom, France, Germany, Russia, and China. Many of these are developing views toward the use of cyberwarfare that differ from those of the United States, and in some cases might represent national security threats.

Cyberterrorism is also an issue of growing national interest. Many believe terrorists plan to disrupt the Internet or critical infrastructures such as transportation, communications, or banking and finance. It does seem clear that terrorists use the Internet to conduct the business of terrorism, but on closer inspection it is not clear how or whether terrorists could use violence through the Internet to achieve political objectives.

Although the U.S. government is striving to consolidate responsibility for and focus more attention on cyberwarfare issues, it is not clear how successful those efforts will be. Congress may choose to examine critically the policies, organization, and legal framework that guide executive branch decisionmaking on issues of cyberwarfare.

Wednesday, January 20, 2010

F.U.D (fear, uncertainty, and doubt)

In the above “60 Minutes” video, correspondent Steve Kroft spoke with former and current US government officials and private-sector security experts about the nation’s vulnerability to cyber attack.

“If I were an attacker and I wanted to do strategic damage to the United States, I would either take the cold of winter or the heat of summer, I probably would sack electric power on the U.S. East Coast, maybe the West Coast, and attempt to cause a cascading effect. All of those things are in the art of the possible from a sophisticated attacker,” Retired Admiral Mike McConnell told Kroft.

To most IT professionals, this revelation isn’t, or at least shouldn’t be, news. Before joining TechRepublic 10 years ago, I worked for a regulated utility–a power company. Even then, before anyone was seriously pushing a “smart grid,” we were keenly aware of digital threats to our organization. But just because IT is aware of a threat doesn’t mean the business is dedicated to addressing those threats. Corporate management is usually most focused on maximizing profit. (I am not referring to my former employer, but making a general statement about the disconnect that often occurs between IT staff and corporate leadership.)

In fact, this disconnect isn’t confined to IT or even the corporate world. Whenever you have individuals or groups with different and/or competing interests, disconnects are common. Yet it is IT’s job to help protect the organization from cyber threats, and in many cases the stakes are too high to allow a communication gap, lack of understanding, or just pure apathy to prevent good security.

Part of IT’s security mission must therefore be to educate the greater community about relevant security threats and convince them to take or approve the necessary countermeasures. It’s the second goal that’s often the most difficult. Even your best descriptions of DoS attacks, rootkits, SQL injection attacks, social engineering, and all the other threats we face can fall on deaf ears unless you impress upon your audience the consequences of inaction. This is when fear can help.

Fear does not equal F.U.D (fear, uncertainty, and doubt)

Whether you’re trying to convince senior management to ban USB drives or your three-year-old not to touch the stove, fear is a powerful motivator. Yet fear is a double-edged sword. If used inappropriately, fear will win you more enemies than supporters and can undermine your ultimate goal of improved security. Therefore, I recommend the following guidelines:

1. Avoid the hype. Be truthful and realistic. Don’t make outlandish or unsubstantiated claims of IT destruction and massive financial loss, if the threats you’re discussing aren’t likely to cause such outcomes. Present the threat as you understand it, explain the likelihood of occurrence, and describe your organization’s level of exposure.
2. Temper fear with solutions. Once you’ve explained a threat, follow up with your best recommendations on how to mitigate it. Your goal is to motivate the audience into changing their behavior or giving their approval for an action, not merely to scare them. And don’t come in with an all-or-nothing plan. Be prepared to offer a range of mitigation options that vary in scope and cost.
3. Don’t overuse fear. Remember the tale of the boy who cried wolf? If you constantly predict IT catastrophes that never materialize, your audience will eventually stop listening to you.
4. Focus on an audience who can act. Narrowly target your message to those who can address the threat or have significant influence over those who can. Inducing fear in those who can’t benefit from point 2 is counterproductive.

Is fear effective?

Yet, not everyone agrees that fear is an effective motivator. In April 2009, I published a ZDNet video on the possibility of a digital Pearl Harbor event. On the video, Bruce Schneier, noted cryptographer and Chief Security Technology Officer of BT Counterpane, suggests IT is better off avoiding fear as a motivator. “We’re better as an industry, if we don’t stoke fear, if we don’t talk about the digital Pearl Harbor. People turn off from that,” Schneier said.

I agree with Schneier’s statement that IT shouldn’t “stoke” people’s fears unnecessarily–see all my above points. But I still think a little fear can be a powerful motivator. And remember, all fear isn’t created equal. Rationally explaining the negative consequences of not upgrading your network’s intrusion detection system is a far cry from yelling fire in a crowded theater. What do you think?
