Security Notes

Security Notes

We Need Leadership for the Coming Challenge

Gideon Samid • Gideon@AGSgo.com

This column gives me a platform to say things that I can’t say to my clients face-to-face. We usually deal with major security targets who, like everybody else, are busy with daily operational challenges, trying to stay competitive. They hardly have any spare attention for what I call strategic preparation for what we might call a Cyber 9-11.
They nod when I quote highly credentialed officials warning of a prospective paralysis of our civil infrastructure. They express genuine alarm about intelligence that exposes what state-sponsored hackers do to us. They agree with me that the best way to prevent, and alternatively win, a cyberwar is to be ready for one. And they are sympathetic to my ideas to put together a task force dedicated not to the daily security threats but to the strategic ones. “Sounds good,” they say. “Bring it up again in the spring!”
On one rare occasion, a close friend, a top financial executive, said to me: “I think you are right, but I simply don’t have the time to act on it, and further, I am afraid that when we take a strategic look we will find some major deficiencies that would make me culpable if something eventually happens and the record shows that I was aware of this prospect and did not do enough to prevent it.” “You have my sympathies,” I answered. But of course expressing sympathy back and forth does not do a thing to help with the problem.
In another case, the message was much less friendly. A client pointed to the case of Dennis C. Blair, the former director of national intelligence who paraded his chilling warnings about how China, Russia, organized crime, and Al-Queda have all penetrated our networks with their dormant software that can spring into action when hostilities break out. “You know what happened to him, don’t you?” the client asked. President Obama sacked him last May after just 16 months in office.
That’s why this column is my frustration outlet. Any medium-to-large-size security target must establish a strategic analysis group distinct and removed from the daily security apparatus. We need people who will out-think our adversaries. No amount of glitzy technology will save us if the hackers out-think us. We simply can’t let this happen.
We need to think of more attack possibilities than our enemies do. We need to spot our vulnerabilities before they do. We need to imagine the most spectacular attack path faster than they do. We need to spell out what they can do to us if they are smart, well-organized, patient, persistent, and if they think strategically. Once we spot all the possible and likely attack avenues, we must design means to spot the subtle steps of implementation of each one of the long-range strategies they might challenge us with. And we must come up with an action plan for any eventual discovery of signs of being a victim-in-progress. We must write the policy and train our executives how to handle the situation when all hell breaks loose. And finally we must think of the day after and the long haul to recovery.
In an upcoming column, I will write about some of the long-term plans that our adversaries are preparing for us. Here’s a clue: We find more and more strange binary strings at critical junctures throughout busy networks. They look encrypted and ready to spring to life at the command of whoever put them there. To attack the payment system, well-financed, long-range strategic hackers (or strackers) will set up merchant accounts, establish key access to issuer and acquirer databases, test security responses, establish fake credibility for buyers and sellers, use “chosen plaintext” or “chosen ciphertext” to extract encryption keys, and so on.
The doomsday scenario is that encryption methods will yield to the powerful cracking efforts exerted by any and all major crypto players around the world. The residual intractability of these ciphersystems diminishes as we speak. And if any of our adversaries scores a hit on any major U.S. ciphersystem, they can create total chaos by shutting down the payment system.
This particular strategic threat is so easy to counter, so inexpensive, and so effective, but the fear from strategic issues still dominates the hearts and minds of the people who count. Our technical shortfall vis-a-vis these strategic threats is worrisome, but the real challenge is not technical complexity but good, old-fashioned leadership!