One of the recurring themes of 2009 for information security professionals has been the term “cyber”—whether used in the context of cyber security, cyberspace, cyber threats, cyber command, or even cyber war. Cyber traces its roots back to the Greek word kybernetes, meaning “governor,” and was picked up in 1948 by writer Norbert Wiener for his book on control sciences and electronic communications, and further extrapolated in 1984 by novelist William Gibson in his book Neuromancer. The term causes no small amount of consternation among industry purists who find the word imprecise and vague. Cyber security, after all, is little more than a shiny new name for what has long been known as information assurance, information security, or critical infrastructure assurance. If there is a reason for the term sticking in the current vernacular, and for simultaneously driving people crazy, it may be attributable to its sci-fi derivation, which evokes nefarious government “Big Brother” images.
Whatever we choose to call it, protecting our information networks is a big deal. This is clear not just from the number of major government initiatives launched this year around the world to address the problem, but also from the news stories that gave them impetus:
- In the U.S., 2009 witnessed the White House’s 3-month cyber security review, the launch of a cyber security office, preparations for a military cyber command, plans for a $1.5 billion cyber security center in Salt Lake City, Utah, and the introduction of 18-odd pieces of legislation to the U.S. Congress on the subject.
- Early this year, reports of a China-based cyber spying initiative dubbed GhostNet made headlines in major media outlets including the BBC and the New York Times. Although GhostNet seems to have targeted only unclassified systems, it was part of a series of ominous reports alleging that hackers, possibly state-supported, were systematically targeting government computers. These reports were further borne out by this summer’s still-unattributed attacks against Korean and U.S. government networks.
- In the United Kingdom, the new Office of Cyber Security, to begin operating next spring, is emphasizing its public-private coordination role amidst speculation over its possible offensive capabilities.
- NATO set up a Cyber Defense Center in Tallinn, Estonia, where damaging cyber attacks took place in 2007.
What is keeping the officials who run these powerful entities awake at night is the asymmetrical nature of the challenge, which gives small, under-funded state or non-state actors the potential, at least in theory, to cripple the most powerful of governments, the richest multinational companies, and the largest information networks. The more advanced the country or enterprise, the more dependent it may be on electronic infrastructure, increasing its relative vulnerability. At the same time, options for retaliation by a major power in case of a successful and damaging cyber attack—assuming the perpetrator can be reasonably identified—boil down to politically problematic old-fashioned options, including guns and bombs.
The potential for disaster looms large, but a new report by the Center for Strategic and International Studies argues that the world has yet to see a truly damaging, state-level cyber attack. The report’s author, James Lewis, attributes this mostly to the technical difficulty of pulling off such a stunt. Since pulling the plug on ourselves and our networks in the name of security is not an option, the best way to defend ourselves, at least for now, may be out-running and out-manning those who would do us harm. As U.S. President Obama said in his cyber security speech this summer:
> It’s the great irony of our Information Age – the very technologies that empower us to create and to build also empower those who would disrupt and destroy.
This is not a comforting thought. For the information technology professionals fielded by companies and governments to compete in this new-age race, our only strategy, if we are to stay ahead, is to think faster and smarter.