Are we getting the right message about cybersecurity?
The US Government uses every opportunity to inform the American public of the immediate threat to National Security posed by increasingly sophisticated cyberweapons. In light of the blame games surrounding the Flame virus and pseudo-official revelations on US involvement with Stuxnet, the opportunity to attract attention and talent to the field of cybersecurity has never been better. The question is, whether an accurate threat profile is being communicated to the American public.
Since the Department of Defense acknowledged cyberspace as a military front, billions of dollars and numerous resources have been reallocated toward expanding US cyber capabilities. The resultant industry has found itself flush with cash and support, which has seen defense contractors snapping up cybersecurity expertise and encouraging US students to concentrate in technical fields. There is nothing wrong in promoting cyber as the greatest current threat to US national security; however, justification for this focus on all things cyber has a tendency to border on misinformation.
Cybersecurity is often framed in a cyberwar context: a hacker (or nation or terrorist organization du jour) gains access to US military networks and infrastructure. The successful disruption of operations on these networks can cause critical systems to fail. In the end, we are told, the US is left powerless to defend against incoming conventional weapons attacks launched as a follow-up to the cyber attack.
It got your attention, right? Realistically, though, what nation is going to march an army on or fire missiles at the mainland US without our having an inkling of something being amiss prior to an electronic takedown? If relegated to a US position overseas – say, Afghanistan – where the US relies on military networks to run field operations, this scenario is slightly more plausible. Even more legitimate is the concern for economic damage potentially inflicted by a power grid disruption or financial market failure. Still, the marketing message misses what should be, and in fact is, among the primary concerns of cybersecurity experts: espionage.
Corporate espionage is frequently overlooked in mainstream discussions of cybersecurity, yet to date it has accounted for more damage to US interests than any cyber event. Conservative estimates of damage vary widely, from US$100 to US$240 billion lost in intellectual property, trade secrets, and technology, not to mention the risks posed to defense intelligence. Strategic espionage aids the enemy in having the ability to anticipate the next move and exploit this information to an advantage.
Cyber espionage hardly makes the front page news: it is neither flashy nor glamorous, and is frequently addressed alongside cybercrime, a very different animal. Espionage is inherently undetectable and it is because of this feature that it does not receive proper attention. Many in the US cyber community recognize espionage as a preeminent threat to US cybersecurity, but the message to the American public is consistently hijacked by threat scenarios with more panache.
Rapid and appropriate responses are necessary in any conventional or cyber attack scenario. If the enemy can anticipate the range of responses based on information collected clandestinely, any response is rendered ineffective from the outset. Even in the most apocalyptic of cyber attack scenarios, espionage holds a trump hand as far as threats go. And if the US expects its cyber capabilities to properly account for and mitigate the impact of cyber espionage, it needs to adjust its marketing message to fit the threat profile.
[…] Boyle: Are we getting the right message about cybersecurity? […]