Hardly a day goes by without some news article, op-ed piece, or screaming commentator on a bottom-of-the-dial cable channel proclaiming the dire prospects of cyber war. But unlike traditional kinetic wars, with identifiable enemies, overt acts of war, and some notion of what constitutes victory, we are still at the stage where the concept of cyber war is a carnival of ambiguity, speculation, red herrings and heated debates on topics that may turn out to have no lasting importance at all.
Granted, I view the world from a vantage point suspiciously close to Berkeley, California and far from the seats of power, but what I hear on cyber warfare is a confusing din of questions and bureaucratic turf disputes. Are we already in a cyber war? With whom? Sovereign nations? Sophisticated criminals? The Tiflis Youth Computer Club? Which government organization(s) should lead the nation's cyber defenses? Three-letter agencies? An Air Force cyber command, or an Army Signal Corps newly infused with oorah! warrior spirit?
This is a debate I really don't want to get involved in, except to say two things. a) Cyber war should be fought by dedicated cyber warriors, whichever organization ends up getting the budget money from Congress. b) Let's also look at the question of cyber civil defense. In other words, what actions and practices can businesses, public sector organizations and other potential targets of cyber warfare take to minimize the damage to themselves and to society?
By cyber civil defense I don't mean building home Faraday cages from plans in Popular Mechanics magazine or ducking and covering under computer desks when a zero-day exploit rampages across the land. No, the best thing that private and public infrastructure managers can do is take care of the IT security and system management fundamentals that reduce their attack surface and enable effective damage control when breaches, attacks, viruses/worms, and other bad things occur. Those fundamentals include maintaining accurate and thorough inventories of enterprise computing assets (you cannot patch, monitor, or defend a system you do not know you have), endpoint protection, data security, patch management, vulnerability management, real-time situational awareness, and continuously reviewing and updating business continuity and disaster recovery plans.
I say this knowing that the smart, sophisticated IT managers and leaders in business and government I have worked beside for 25 years would be the first to admit that the state of security and system management practice remains haphazard, full of gaps, and chronically underfunded. They realize that while they have been able to tolerate lax security and system management processes so far, sooner or later they or their colleagues will find themselves in a cyber combat zone with their world crashing down around them.
From a cyber civil defense point of view, the London Blitz of 1940 offers some valuable lessons. The Royal Air Force did a magnificent job battling the Luftwaffe, no doubt. But on the ground, for every person serving in the RAF, a far larger number of air raid wardens, rescue personnel, medical staff, fire fighters and ordinary citizens did the little things that contained damage and kept society functioning even as the bombs fell. Mundane precautions such as blackout curtains, taping windows to limit shattering, and turning off the gas during raids did not make things any easier for the enemy, and ultimately helped convince them that their attempts to subdue Britain from the air were unavailing and that ground forces would meet stiff resistance should they attempt an invasion.
We don't have to devote every waking moment or every IT budget dollar (as much as fear-mongering security companies would like us to) to cyber civil defense. It would aid our cyber warriors to no end, however, if we supported their efforts by doing the simple, responsible things that make our IT infrastructure less vulnerable to disruption. Or, to adapt a slogan once quite popular on the Berkeley scene: "What if They Gave a Cyber War and Nobody Had Anything to Break?"