In a major policy speech delivered last week, Secretary of Defense Leon Panetta sparked a new discussion of cyberwarfare threats, warning that cyberattacks “could virtually paralyze the nation.” The three-part response Panetta outlined emphasizes new cyberwarfare capabilities in the Department of Defense, new policies and organizations across the federal government, and stronger partnerships between the government and international partners and domestic industry.
I would add a fourth area of emphasis. We need a research and development effort that brings new cybersecurity solutions into the public domain and encourages their implementation.
The need for publicly available security solutions was illustrated by the Shamoon virus attack last summer. This virus virtually destroyed at least 30,000 computers at the Saudi Arabian Oil Company Aramco and Qatar’s Ras Gas Company. Although the computers were not controlling oil and gas production, they probably contained valuable business data, the loss of which could severely impact business operations. Businesses like these need solutions that will allow them to protect and access their data and to continue operating during and after cyberattacks.
Another recent attack illustrates the need to make sure known defenses are widely implemented. U.S. financial institutions were hit by “denial of service” attacks designed to flood websites with bogus requests that overwhelm server capacities. Researchers have published techniques to prevent such flooding attacks, but they have not been widely deployed even though they are considered inexpensive. This underscores the need to bring technology researchers, government, and industry representatives to the table to make sure cutting-edge solutions make it into widespread use.
Finally, and perhaps most importantly, government and industry need to share best practices. Panetta noted in his speech that the United States has made great strides in addressing the attribution problem — the problem of identifying the origin of cyberattacks. Identifying attackers is essential if the United States must justify retaliation against a serious cyberattack, so it’s encouraging that strides are being made. But those advances aren’t of much use to the private sector if they are considered as classified information.
Effectively preparing the private sector for cyberattack may require the relaxation of security classifications on some material. While classification provides the government with a tactical advantage in defending the nation, one has to weigh this against the strategic value of a secure global Internet. Decisions about such matters are not easy but they are important.