Last week’s revelation of a March cyber-attack on a U.S. Department of Defense contractor by an “unnamed foreign entity” demonstrated just how vulnerable this country has been to this “new warfare domain” as the government categorizes these cyber-attacks. Of course, as is typical of a government admission, it took four months for the Department of Defense to own up to the breach and it did so only as a means to bolster support for its new cybersecurity plan.
Still, the incident has left many, including yours truly, asking two questions: “Why weren’t we better prepared?” And “Why did it take having 24,000 files stolen by a foreign government to wake up the U.S. government to the realities of security in the 21st Century?”
The answer to both questions, unfortunately, lies in the fact that that the Department of Defense considers cyber-attacks such as this one to be a “new warfare domain.”
Almost as soon as someone wrote the first computer program, someone came up with a virus or worm to break into it and steal information. As such, Corporate America has been aware of the threat of cyber- attacks since the dawn of the cyber-age and has made efforts to secure itself against them.
Granted, as we’ve seen this year at Sony, Sega, Citi, RSA and other high-profile companies that have fallen victim to security breaches, defending oneself against a cyber attack is not easy and not always successful. At least they were trying, though, and they acknowledged the presence of a cyberthreat. Who knows how much worse it could have been for them if they had nothing in place? As my golf instructor once told me, “If you aim at nothing, you’ll hit it every time.”
Now, it would be shortsighted to believe the government did not have any form of security in place prior to the March breach. Still, one would think the U.S. Government, the largest employer in this country, would be one of the more technologically advanced and best prepared against a security breach and it shouldn’t take having 24,000 files stolen by “an unidentified foreign entity” to enact a pre-emptive cybersecurity plan.
The one semi-positive takeaway from this is that the proverbial “ton of bricks falling on their heads” has woken up the Federal government to the need to enact change in its cyber security provisions. While the official plan of the Department of Defense was not revealed until last week, a fact sheet from the White House alluded to efforts to establish such a plan back in May.
According to the fact sheet on WhiteHouse.gov:
Our critical infrastructure – such as the electricity grid, financial sector, and transportation networks that sustain our way of life – have suffered repeated cyber intrusions, and cyber crime has increased dramatically over the last decade. The President has thus made cybersecurity an Administration priority.
While it is easy to take an “it’s about time” view of this, we do need to look forward.
As noted in the White House’s fact sheet, the Department of Homeland Security has taken the lead on establishing and instituting policies that will help secure not only the Federal government, but also state governments and businesses. Many of these measures involve improved relationships with outside organizations and cooperative efforts between business and government to sniff out security threats.
There’s also a not-as-well-publicized portion of the plan, however, that could hold the key to its success. Thanks to independent advisers, the government will perform static analysis of new and existing software. This undertaking will involve dynamically reviewing software applications using something like automated analysis and measurement and assessing them for key health factors - security being chief among them, but also robustness, transferability, changeability and performance - and identify areas of vulnerability.
It stands to reason that if the government can ferret out areas of potential exposure, it can eliminate those holes and strengthen its defenses internally. This not only buttresses external relations efforts, but also makes them more sustainable. After all, you can’t steal what you can’t access.
Now that these wheels are in motion and even Congress is on board – various members of Congress have jointly and independently filed more than 50 pieces of legislation aimed at addressing cybersecurity – the only remaining concern is that the government not wait for another attack in this “cyberwar” to implement these strategies.
Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services.
Erik describes the changing landscape of M & A. Besides the financial and commercial aspects, PE firms now equally value technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the targetâ€™s systems, customized quality metrics, and liability implications of open source components - all three that are critical for an M&A due diligence.