Ever a man ahead of his time, Albert Einstein once said, “I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones.”
Were he alive today, the only thing he likely would change about his statement would be how World War III would be fought. He surely would look at the threats posed by cyber attacks and surmise the most dangerous weapon of the next world war to be an invisible terror delivered electronically. He would note that the threat could come from any nation state – it would not even have to be a world power – delivered with complete stealth, hit at the most sensitive systems ,cripple infrastructures, topple economies and create chaos -- all before even a single soldier was wounded.
The question is, has World War III already begun?
There is no Fate…
Two months ago, the Department of Defense (DoD), the organization U.S. citizens probably think should be the most versed in protecting itself against cyber attacks, revealed that it had been the victim of the largest digital attack on a U.S. Government agency when 24,000 sensitive files were pilfered by an unidentified nation state in March.
This revelation came shortly before a report of the General Accounting Office (GAO) that openly questioned the DoD’s ability to keep up with the threats of cyberspace. Among the chief issues identified by the GAO were the multiple and often contradictory government publications that discuss how to handle cyber threats. These documents cannot even come to a consensus regarding terminology and job responsibilities as pointed out in a recent piece on Government Info Security about cyber security, which stated:
GAO cites a U.S. Joint Forces Command report that found DoD employs 18 different cyber position titles across combatant commands to identify cyberspace forces. ‘This can cause confusion in planning for adequate types and numbers of personnel,’ the GAO says. ‘Because career paths and skill sets are scattered across various career identifiers ... there are cases in which the same cyber-related term may mean something different among the services.’
So if the government can’t figure out who does what, what means what or just plain “who is this?” how can we honestly expect it to keep everything in this country that is run or managed by a computer system from being shut down by a cyber attack? Per Government Info Security, that would include “7 million computer devices, linked on over 10,000 networks with satellite gateways and commercial circuits that are composed of innumerable devices and components.”
The Battle Has Just Begun
The Intelligence and National Security Alliance this week released a report in response to what it sees as growing concerns of the U.S. government’s ability to defend itself against a major cyber attack. The report calls for the joint factions of the government to engage in coordinated efforts with private enterprise and the educational system to:
...mitigate risks associated with the threat, enhance our ability to assess the effects of cyber intrusion, and streamline cyber security into a more efficient and cost-effective process based on well-informed decisions.
Hopefully, these joint entities will realize what the Department of Homeland Security realizes – that any cyber security policy needs to include structural analysis of application software. By identifying areas where the applications in use may not live up to optimal software quality standards, the government can work toward plugging the holes and give cyber infiltration efforts fewer points to breach.
But software is the key. The enemy, to paraphrase “John Connor” from Terminator 3, “is software in cyberspace”…although if the government cannot coordinate its efforts into one, cohesive plan, the even bigger enemy of the U.S. Government’s efforts to protect itself from cyber attack may be the government itself.