Cybersecurity: The Director's Perspective

Yesterday, the House Permanent Select Committee on Intelligence held a hearing on "World Wide Threats." During the unclassified part of the hearing and in his statement for the record, James Clapper, the Director of National Intelligence, provided an assessment of global threats. While much of his testimony focused on terrorism and the various states of stability and unrest in numerous countries, his statement included a section on "Intelligence Threats and Threats to US Technological & Economic Leadership" that addressed cybersecurity.

The national security threat, at least in the unclassified space, is not being described that differently than the economic threat to cyberspace. The two continue to be used interchangeably, making it hard to discern who should be in charge in the government for overseeing the cybersecurity issue.

In his testimony, Director Clapper identified several issues of concern:

Convergence: The merging of telecommunications, Internet, and video devices, along with the increasing range of processes and applications those devices can handle, are creating new security challenges. While not explicitly stated by Director Clapper, this convergence lacks a coordinated policy for the development of cybersecurity requirements, standards, and protocols.

Malware: Clapper cited a dramatic increase in the volume of malicious software on U.S. networks, with more than a three-fold increase since 2009. He also reported that more than two-thirds of U.S. firms have indicated they have been victims of cybersecurity incidents. Both of these stats are interesting.

On one hand, while there may have been an increase in the volume of malware, we have not seen the types of attacks that we saw in the late 1990s and early 2000s that crippled entire systems and resulted in calls for reform. There hasn't been a Melissa or I Love You virus or even an attack on the scale of the Feb 2000 DDOS attack against Yahoo and other sites. Without such an attack, cybersecurity may remain too abstract an issue to really be seen as a threat -- economic or national security -- to the average citizen.

With regard to the increase in reporting by U.S. firms, I wonder if this represents a changing trend among companies to now report when previously they chose not to for fear of liability and bad press. Or is the two-thirds number overblown, not representing a trend, but a "check the box" approach to the issue that doesn't duelve into the problem? It would be interesting to know what the Director was referencing.

The "Chinese" Connection. Director Clapper noted an incident last April where a large number of routing paths to IP addresses were redirected through networks in China for 17 minutes due to inaccurate information posted by a Chinese ISP. That incident, which affected U.S. Government and military sites, among others, raises questions about how to protect our systems in a globally connected world. Years ago, many of us in the industry would refer to networks as only being as secure as their weakest link. You don't hear that term being used as often, perhaps because in today's networked environment, every link can be the weakest link.

Foreign Military Capabilities in Cyberspace. The Director noted the emergence of foreign military capabilities in cyberspace in the past year. This emergence begs the question of what rules of engagement should prevail in a cyberwar scenario. If capacities are growing beyond spying and information theft, then addressing cybersecurity in treaties and the Geneva Convention may be critical, even though doing so would be a tremendous lift.

Counterfeit Computer Hardware and Intellectual Property Theft. While often overlooked in the larger cyber debate, the prevalence of counterfeit and gray market goods is a threat to our national security. Not only do such goods cause economic harm, the lack of quality controls and the potential for compromise is significant. Likewise, intellectual property theft generally compromises our nation's systems and increases the opportunities for economic espionage.

Identity Theft/Finding Vulnerable Government Operatives. In today's data-mining social networking world, the potential for identities to be stolen and misused is one of the most prevalent threats on the cybersecurity front. As the Director mentioned, there is another side of this issue as potential enemies could employ the same tools used for identity theft to stalk and gather information on potential targets, especially government employees and other sensitive personnel, for compromise. As the scandal involving Rep. Chris Lee this week demonstrated, many of us forget how public our actions really are in today's networked world.

The threats outlined by Director Clapper lay out part of the complex nature of addressing cybersecurity. Interestingly, while he mentioned it in passing, he did not focus on the larger threats to critical infrastructures, including control systems and networks. In light of the recent reports on computer attacks on five multinational oil and gas companies, one would expect more of a focus on that area, especially in industries which are heavily regulated by the U.S. government.