On July 8, 1940, writing in the pages of Life Magazine, Major George Fielding Eliot provided Americans with a grave assessment of our weak national defense at the time. It’s a terrifying article to read, even now, with statements such as this: “Working at top speed under a full war system, it would take us two or three years to train and equip a new defense that would have a chance against Germany in Europe.”
As in any military piece of the time, the article comes replete with the usual grey tone map of the world, including handwritten font diagrams of proposed hemispheric strategies for protecting our homeland from invasions by Germany or Japan. Eliot makes this chilling point: “Allowing a year or 18 months before we may expect a real attack, we still have not time to complete an adequate hemispheric defense.” We know now that the Pearl Harbor attack came exactly 16 months later. And we were not ready.
It is my view, based on a careful analysis and lifelong direct involvement in the management of the critical infrastructure sectors that support our great country, that we will experience serious and consequential cyber attacks within the next 48 months – the planned period of our new Presidential Administration. This view is based on two factors: The dramatic rise of capability amongst clear adversaries to the United States, and the dramatic fall in our ability to defend our sixteen critical sectors (see diagram at the head of this article).
Regarding increased offensive adversary capabilities, it should not require extensive logic here to convince even the most casual observer that cyber attack tools have become more lethal, more generally available, and dramatically less expensive to obtain than was ever true in the past two decades. What’s worse, the disclosure-oriented attack exploit techniques we’ve seen aimed at companies and agencies in the past few years can be trivially adjusted by determined enemies to focus on wanton destruction of our essential resources.
Consider this: The advanced persistent threat (APT) attack so popular with cyber criminals, terrorists, and casual hackers, involves gaining remote access to an enterprise to steal secrets, intellectual property, and customer data. But anyone with five minutes training in computing knows that it is significantly easier, once access has been obtained, to destroy information, systems, and services than it is to steal them. Anyone should see that once the bad guy is in your enterprise, it’s easier for him to just torchthe place, than to search around for good information worth stealing.
Regarding our reduced defensive posture, I would also posit that the sixteen critical infrastructure sectors of our country are in a state of full exposure to destructive malware, advanced denial of service attacks, insider-driven corruption of systems, and continued problems with disclosure. What I mean by full exposure is that the defenses currently in place presume a level of reasonableness on the part of the adversary. They are all designed to stop the average case rather than the worst case. And purveyors of infrastructure know that this is a dangerous shell game to play.
As an illustration, it would be surprising news to me if any of these sectors possess the ability to reliably stop an intense and continued multi-day, 24/7 barrage of Internet of Things (IoT)-based, botnet-originating, distributed denial of service attacks, jumping between routing and application layers, and involving a continued mix of different botnets with strengths approaching multiple terabytes of traffic. Such an attack, which could be launched at virtually no cost, by virtually any determined adversary, would have the effect of bringing down at least portions of any critical infrastructure sector for non-trivial amounts of time, during which lives would likely be lost. I know of no cyber security expert on the planet who would seriously dispute this claim.
I’ve argued previously that our nation must do three things immediately to solve this problem, and I will repeat them here: First, we must cease the time-wasting compliance and regulatory nonsense embedded in so much of our cyber security work. President Trump should declare the NIST framework as the only reasonable compliance standard in our country, and should make it clear to other agencies and states that overlay requirements will not be tolerated. By doing this, we free up time for our enterprise security teams to roll up their sleeves and begin to improve their real-time cyber defenses.
Second, we must demand that every sector provide our new President with a plan to remove dependency on their existing perimeter. Every consequential cyber attack, including the DDOS example cited above, takes advantage of the weaknesses inherent in a firewall-defined perimeter with limited gateway external access. A much better scheme involves distributing workloads to hybrid cloud infrastructure with micro-segmented protections augmented by network-based controls. Regardless of the actual enterprise security design, every sector should provide a perimeter migration plan to the President at once.
And finally, just as our country has done in advance of every other major military conflict in our history, we must bolster the human element of our defense. But unlike previously, where lottery drawings presumed that one enlisted man equals another, we are faced with a unique crisis in technical talent – one that we are clearly losing to Russia, China, and other nations. Therefore, it is imperative that we dramatically increase our massively underfunded Cyber Corps program, perhaps with a goal of one billion dollars annually. This must attract the best and brightest students, including existing college students, who will obtain their tuition in return for service time spent doing cyber defense for one of our critical sectors.
Do the math: If we fund at one billion dollars and allocate the funding at an average of ten thousand per student (yes, the colleges will need to help), then 100K students would be in the program each year. If one fourth of them graduate each year, then this would be an infusion of 20K new capable minds into the cyber defense of our country. One could argue that this might not even be enough, but it’s better than the trickle of new hires we see coming from our nation’s computer science programs today into government.
If you feel you need any more motivation to act, let’s return to Major Eliot’s warning to Americans seventy-seven years ago, and just a short time before we became embroiled in the most consequential war of our time: “The speed of the German conquest,” he wrote, “has brought much closer the period of maximum danger to the U.S. With France conquered, and England, the citadel of sea power, gravely imperiled, we must be prepared for a new world balance of power in the near future.”
Thankfully, our parents and grandparents rose to the occasion, and the new balance of power resulted in seven decades of relative world prosperity. I shudder to think of the potentially terrifying new world balance of power that will come to our globe if the wrong groups learn to reliably crush our critical infrastructure through cyber attacks. This is no time for our citizens, and especially anyone in a unique position to effect change in government and industry, to sit down and wait.
So get up and do something now. And if you are not sure what else to do, then you can start by forwarding this article to your local Congressional representative and ask that they take this matter much more seriously. Tell them that you believe proper cyber defense to be a fully non-partisan issue, but also one that has significant potential consequence for all Americans. Tell them that ignorance of cyber security is reasonable cause for them to be replaced in the next election. Be tough and stand your ground on this one, because we all have so much to lose if you don’t.
This is our generation’s time to act.