Suppose individuals illegally enter the United States, bypass the controls at U.S. military facilities and steal top-secret military data. If forensic investigation shows that the individuals are professionally trained, state-sponsored members of a foreign military such as the PLA or DPRK, our response to the aggressive action would be swift and potentially severe. Should we respond any differently to a similar security breach in the digital world?
“Allegedly,” in August of 2006 a highly professional and well-trained group systematically broke into 4 US defense installations over a period of about 8 hours, in 10-30 minute blocks, and stole flight plans for US military aircraft. The information was then transferred through Taiwan and Korea to China; clearly this was a military operation. Recently there have been a series of high-profile security incidents involving China and several US allies; although nothing as blatantly aggressive as the cyber attacks against Estonia, they are nonetheless as provocative. It is safe to say that there have been significant and widespread state-sponsored cyber attacks and security breaches. This shouldn’t surprise anyone; in fact most of us are probably numb to the extent of our collective cyber security posture, especially after the dismal results of the nation’s first cyber warfare simulation last year.
There is a lot of information in the public domain showing that many nations possess, or are aggressively developing, defensive or offensive cyberwarfare capabilities. North Korea has maintained training facilities for cyberwarfare as part of Mirim College, its advanced electronic warfare research facility, for more than the past decade, and there should be no doubt that the United States and its allies are moving to develop a “cyber army.” But just as armed conflict has moved from the battlefield to highly populated urban environments, the impending digital conflict will extend beyond military control and require cooperation between public, private and military entities, something we are woefully ill-prepared to accommodate.
What if the cyber attacks went beyond military targets and focused on civilian infrastructure? Would we look at this any differently than a physical attack on our infrastructure? Given our reliance on digital technology, is there really a difference?
Early in 2006 I was researching the NERC CIP standards, and although I felt they were fairly prescriptive, reasonable and structured, it was clear that the energy industry had a long way to go to meet even a minimal baseline of technical controls, processes and the people to support them. I set forth a prediction that by 2009 an energy utility would experience a significant security incident resulting in wide-spread disruption (.09 probability), and although there has been no public information suggesting that such an event has occurred, the Department of Homeland Security launched an experimental cyber attack (Aurora) which caused a generator to self-destruct (here); reports indicate that the same attack scenario could be used against the nation’s huge power generators. Still think that a digital attack cannot result in wide-spread disruption to our physical infrastructure? Do you still think that the US should not aggressively develop digital first-strike capabilities and use them as assertively against provocative state-sponsored security breaches as we would if the same result occurred in the physical world?