Does it really matter if attacks are being generated by the Chinese military or criminal syndicates?
Those of us following cybersecurity were expecting 2013 to be busy. If the first two months are indicative of the rest of the year, then those expectations were well-grounded. A few of the events and reports that have garnered attention so far:
- The suicide of Internet activist Aaron Swartz, who had been charged with illegally downloading millions of articles from a subscription-only service. His death resulted in a call for revisions to the Computer Fraud and Abuse Act.
- The Pentagon said it plans to expand Cyber Command from 900 personnel to more than 4,900.
- Hackers gained access to Twitter’s networks, possibly compromising 250,000 users’ information.
- The Federal Reserve confirmed that one its internal websites was hacked.
- The New York Times reported that Chinese hackers broke into the company’s computers and stole reporters’ passwords.
- President Obama signed a much anticipated executive order on cybersecurity. As an added bonus, the Administration also released Presidential Policy Directive PPD-21 on Critical Infrastructure Security and Resilience, an update of similar policies implemented by President George W. Bush in 2003.
- Reps. Mike Rogers, R-Mich., and Dutch Ruppersberger, D-Md., Chairman and Ranking Member of the House Intelligence Committee, rolled out the Cyber Intelligence Sharing and Protection Act that passed the House last Congress.
- Representative Mike McCaul, R-Texas, chairman of the House Homeland Security Committee, said he would addressing cybersecurity in the coming week.
- The Government Accountability Office reported that existing cybersecurity efforts are not enough.
- Facebook discovered that its internal systems had been hacked through the exploitation of a Java vulnerability.
- Apple discovered that it has been hacked – likely by the same entities and in the same manner as those attacking Facebook.
- Security firm Mandiant alleged that a Chinese military unit hacked into almost 150 businesses, mostly to steal information.
- Both the New York Times and the Wall Street Journal ran editorials today on the need for action in cybersecurity.
- Attorney General Eric Holder, Commerce Deputy Secretary Rebecca Blank and Intellectual Property Enforcement coordinator Victoria Espinel announced a trade secrets strategy.
It’s not clear how all the recent attacks might affect proposed policy actions. We know -- and experts are quick to point out -- that our critical infrastructure is vulnerable and that we are fortunate not to have experienced a cyber 9/11 type attack. The policy solutions being offered by Congress and President Obama address protecting our critical infrastructure, but what about the attacks on our media outlets, companies generally, and our social networks? In the end, does it matter if the attacks are being generated by the Chinese military, Eastern European criminal syndicates, Anonymous hactivists, or the kid down the street?
As the government struggles to agree on an approach to protecting critical infrastructure, 2013 may very well demonstrate that the problem is bigger than what a U.S. public-private partnership can fix. Cybersecurity is a global issue and without some international agreement on how we can address cybersecurity, we can expect to continue to see the headlines of the last few months.