Cyber Warfare Needs Cyber Civil Defense

Hardly a day goes by without some news article, op-ed piece, or screaming commentator on a bottom-of-the-dial cable channel proclaiming the dire prospects of cyber war. But unlike traditional kinetic wars, with identifiable enemies, overt acts of war, and some notion of what constitutes victory, we’re still at the stage where the concept of cyber war is a carnival of ambiguity, speculation, red herrings and heated debates on topics that may turn out to have no lasting importance at all.

Granted, I view the world from a vantage point suspiciously close to Berkeley, California and far from the seats of power, but I hear a confusing din of questions and bureaucratic turf disputes when it comes to cyber warfare. Are we already in a cyber war? With whom? Sovereign nations? Sophisticated criminals? The Tiflis Youth Computer Club? Which government organization(s) should lead the nation’s cyber defenses? Three-letter agencies? An Air Force cyber command, or an Army Signal Corps newly infused with oorah! warrior spirit?

This is a debate that I really don’t want to get involved in, except to say two things: (a) cyber war should be fought by dedicated cyber warriors, whoever ends up getting the budget money from Congress; and (b) let’s also look at the question of cyber civil defense. In other words, what actions and practices can businesses, public sector organizations and other potential targets of cyber warfare take to minimize the damage to themselves and to society?

By cyber civil defense I don’t mean building home Faraday cages from plans in Popular Mechanics magazine or ducking and covering under computer desks when a zero-day exploit rampages across the land. No, the best thing that private and public infrastructure managers can do is take care of the IT security and system management fundamentals that reduce their attack surface and enable effective damage control when breaches, attacks, viruses/worms, and other bad things occur. Those fundamentals include maintaining accurate and thorough inventories of enterprise computing assets, endpoint protection, data security, patch management, vulnerability management, real-time situational awareness, and continuously reviewing and updating business continuity and disaster recovery plans. Several of these reinforce each other: you cannot patch, monitor or recover a machine you don’t know you have, so the inventory is where the other fundamentals start.
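To make the "inventory first" point concrete, here is an added example (not code from the original post) that reconciles what an asset inventory says you own against what a network scan actually found. It flags hosts the scan saw that nobody inventoried, inventoried hosts the scan could not find, hosts whose last patch date is past a per-criticality SLA, and legacy cleartext services. The inventory and scan record formats, the hostnames, the dates and the SLA values are all constructed assumptions for illustration, not any product's output.

```python
"""Reconcile an asset inventory against scan results (added example).

All data below is constructed for illustration; the record formats are
assumptions, not the output of any particular CMDB or scanner.
"""
from datetime import date

# Assumed inventory (what the CMDB says we own): hostname -> attributes.
INVENTORY = {
    "web-01": {"owner": "ecommerce", "criticality": "high"},
    "db-01": {"owner": "ecommerce", "criticality": "high"},
    "hr-fs-02": {"owner": "hr", "criticality": "medium"},
    "test-vm-07": {"owner": "qa", "criticality": "low"},
}

# Constructed scan results: hostname -> last applied patch date and open ports.
SCAN = {
    "web-01": {"last_patched": "2010-03-28", "ports": [443]},
    "db-01": {"last_patched": "2009-11-02", "ports": [1433]},
    "hr-fs-02": {"last_patched": "2010-04-01", "ports": [445]},
    "lab-box": {"last_patched": None, "ports": [23, 80, 445]},
}

# Assumed patch SLA in days, by asset criticality.
PATCH_SLA_DAYS = {"high": 14, "medium": 30, "low": 90}

# Cleartext/legacy services worth flagging wherever they show up.
LEGACY_PORTS = {21: "ftp", 23: "telnet", 69: "tftp"}


def reconcile(inventory, scan, today):
    """Cross-check inventory and scan; return the gaps a defender must close.

    `today` is passed in (rather than date.today()) so results are reproducible.
    """
    known = set(inventory)
    seen = set(scan)

    # Shadow IT: on the network but owned by nobody on paper.
    unknown_hosts = sorted(seen - known)
    # Stale inventory: on paper but not observed (decommissioned? offline? hidden?).
    missing_hosts = sorted(known - seen)

    overdue = []
    for host in sorted(known & seen):
        last = scan[host]["last_patched"]
        sla = PATCH_SLA_DAYS[inventory[host]["criticality"]]
        if last is None:
            # Never patched as far as the scanner can tell: treat as infinitely overdue.
            overdue.append((host, None))
            continue
        age = (today - date.fromisoformat(last)).days
        if age > sla:
            overdue.append((host, age - sla))
    # Worst offenders first; "never patched" (None) sorts to the top.
    overdue.sort(key=lambda item: (-1 if item[1] is None else 0, -(item[1] or 0)))

    legacy_services = [
        (host, port, LEGACY_PORTS[port])
        for host in sorted(seen)
        for port in scan[host]["ports"]
        if port in LEGACY_PORTS
    ]

    return {
        "unknown_hosts": unknown_hosts,
        "missing_hosts": missing_hosts,
        "overdue": overdue,
        "legacy_services": legacy_services,
    }


if __name__ == "__main__":
    report = reconcile(INVENTORY, SCAN, date(2010, 4, 15))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the constructed data with 15 April 2010 as "today", the report lists lab-box as an unknown host running telnet, test-vm-07 as inventoried but unseen, and db-01 and web-01 as past their 14-day SLA. In practice the interesting output is the first list: an unknown host is exactly the machine that will not receive patches, will not appear on the dashboard, and will not be in the recovery plan.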

I say this knowing that the smart, sophisticated IT managers and leaders in business and government I have worked beside for 25 years would be the first to admit that the state of security and system management practices remains haphazard, subject to gaps, and chronically underfunded. They realize that while they have been able to tolerate lax security and system management processes thus far, sooner or later they or their colleagues will find themselves in a cyber combat zone with their world crashing around them.

From a cyber civil defense point of view, the London Blitz of 1940 provides some valuable lessons. The Royal Air Force did a magnificent job battling the Luftwaffe, no doubt. But on the ground, for every person serving in the RAF, a thousand air raid wardens, rescue personnel, medical staff, fire fighters and ordinary citizens did the little things that contained damage and kept society functioning even as the bombs fell. Mundane precautions such as blackout curtains, taping windows to limit shattering, and turning off the gas during raids did not make things any easier for the enemy, and ultimately helped convince them that their attempts to subdue Britain from the air were unavailing and that ground forces would meet stiff resistance should they attempt an invasion.

We don’t have to devote every waking moment or IT budget dollar (as much as fear-mongering security companies would like us to) to cyber civil defense. It would aid our cyber warriors to no end, however, if we supported their efforts by doing the simple, responsible things that make our IT infrastructure less vulnerable to disruption. Or, to adapt a slogan once quite popular on the Berkeley scene: “What if They Gave a Cyber War and Nobody Had Anything to Break?”


3 thoughts on “Cyber Warfare Needs Cyber Civil Defense”

  1. An excellent parallel – and thanks for stealing my idea!

    I’ve been doing some research on effective strategies used in civil defense and how they might be applicable in today’s environment.

    The time leading up to WWII was a time where a few major technological advances (faster and more efficient forms of travel and communication) were still in the adoption phase and were new springboards to attack (cracking of diplomatic communications, telegraph fraud).

    Once WWII broke out and more technology began to flood the market it took quite a bit more than professionals to protect infrastructure – it took a dedicated effort to recruit and train the public.

    There’s a famous photo of St. Paul’s Cathedral amidst the incendiary bombing of London (http://bit.ly/9X0C0V) that I’ve always found amazing. While not at all visible in the photo, the Cathedral and many other structures in London owe their continued existence to the “people on the ground” as you mention, who often scurried along those roofs in the presence of great danger.

    The ultimate effectiveness of civil defense groups was by no means guaranteed, of course. This WW2 Fire Services Preservation Group page is an interesting read, as it describes the large barriers of “morale, recruitment and retention” to be overcome. (Hmm, sounds familiar.)

    While this perception of their services drastically changed once the bombs started to fall, it was the subsequent reorganization into a national program to standardize response and tools that is the learning moment.
    (WWII Fire Brigade History:
    http://www.wwiifire.co.uk/History.htm )

    The latest report of federal funding for cyber security might present a hopeful eye towards the future, but we all know there’s plenty of room for cynicism there and usually little forward momentum in efforts that span such a large responsibility area.

    We already have a number of volunteer organizations with missions relating to cyber and physical infrastructure security, but none have been truly effective in driving change. (Disclosure: I am an InfraGard board member in NY.)

    As you said, mundane precautions can be an effective protection. I also believe the real potential of existing security groups is in fostering a stronger community so that we begin working proactively, rather than the continued building of a large, lethargic membership with useful and advanced skills but no specific goals or focus and who expect a top-down, rather than a more resilient peer-to-peer approach.

    One positive example of such a community effort can be found at crisiscommons.org and their recent efforts toward creating tools to aid in Haiti relief efforts. People, ideas, tools, execution.

    We are continually dealing with salami attacks – we need to light some fires and start using a Salami Defense.

  2. There are various penetration testing methods available. It is an art to perform a pen-test, details of which could be found at http://www.valencynetworks.com/penetration-testing-services/how.html . Pen-testing should be an integral part of the product SDLC cycle.
