Fear, Uncertainty, and Doubt Won't Protect Us from the Real Security Threats

Anthony Freed
By | October 22, 2012

Posted in: Network Security Trends

Dire warnings of an imminent and catastrophic attack that could take down the power grid or cause domestic water supplies to be interrupted may serve to alarm policy makers and the public, but it does little in the end to draw attention to the real security issues the nation is facing, according to the Internet Security Alliance's Larry Clinton.

"While the unrealistic threats of crumbling critical infrastructure may be useful rhetoric to scare senators into voting on issues they have not studied adequately, the real cyber problem lies elsewhere," Clinton writes in a New York Times Op/Ed piece.

Clinton asserts that recent legislative proposals such as The Cybersecurity Act of 2012, which was blocked in Congress late this summer, would have little affect on the most sophisticated of attacks, often referred to as Advanced Persistent Threats, given that by their very nature they are designed to circumvent available defenses.

"It’s wrong to say that the recently failed Senate bill, which would have established government standards for private-sector cyber security, is an answer to catastrophic cyber threats," Clinton explained. "Ultra-sophisticated attacks are not going to be stopped by the adoption of best practices and standards. These are nonstandard attacks that overcome defenses like intrusion detection, firewalls and passwords. This is a much more sophisticated problem than would be solved by the Senate bill."

Clinton's article was drafted in part as a response to comments offered by Secretary of Defense Leon Panetta, who recently stated that a cyber attack carried out by a nation state or extremist group could be "as destructive as the terrorist attack of 9/11"  and potentially "paralyze the nation.”

While Clinton agrees that nations like China have the capability of carrying out such attacks, they also recognize that they would not benefit from such extreme measures. "Why would the Chinese want to destabilize the U.S. economy by taking down our electric grid? China owns about half our debt, and destabilizing our economy would also destabilize China's economy," Clinton said.

As for independent actors, Clinton points out that they do not possess the technical savvy or have access to the resources required for engaging in such large-scale operations, and probably won't for some time. The real threat comes in the form of cyber espionage which is directed at private companies who have a wealth of proprietary information that is worth billions. "Nation states and criminals are not trying to take down the Internet; they want to use it to steal intellectual property," Clinton says.

Improving the nation's cybersecurity posture will require more than mandates being handed down from on high, and Clinton recommends exploring the development of a public-private partnership which would promote collaboration and the exchange of information between private industry and the government, as opposed to legislating punitive regulatory requirements.

"Cyber security is not simply a technical or standards issue. It has strategic and economic dimensions as well, and none of the current proposals deal with it in a truly comprehensive way that goes beyond standards to deal with economics and incentives at both a domestic and international level," Clinton said. "We need to start by clearly defining which problem we are trying to solve. Our government has not yet done that."

You May Also Be Interested In: