Joel Brenner’s new book, America the Vulnerable – Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare (The Penguin Press, 2011), is another book of the genre of Richard Clarke’s several volumes of non-fiction, such as his most recent book, published with Robert Knake, Cyber War: The Next Threat to National Security and What to Do About It (Ecco, 2010) and a couple of novels, including Breakpoint (Putnam, 2007).
In these works, we get the real inside scoop about the frightening threats to, and vulnerability of, our critical agencies and sectors and about terrifying cyber events that have taken place within government. This is not the speculative hearsay often seen elsewhere. Among other influential positions, Brenner was senior counsel at the National Security Agency. So he really knows what was going on.
Brenner’s book describes the horrific state of affairs in the cyber world at great length and then prescribes, in a final chapter, a set of mitigation strategies. The recommended approaches depend on the responsiveness of government, collaboration between the public and private sectors, and the like, which are neither forthcoming in the current economic environment nor likely to gain much traction even in more prosperous times. In all such appeals for action, the problem is that those who get it don’t have the power to fix it; and those with the power don’t get it.
Unfortunately, those, such as Brenner, who raise issues regarding the Nation’s cyber vulnerability and the need to do something about it, are mild-mannered, well-meaning intellectual types, who are highly respected by those of us who care about protecting the U.S. against cyber attacks from within or from abroad. However, they generally have difficulty generating an appropriate level of concern, enthusiasm and action. The go-get-’em tough guys are mostly into kinetic attacks and responses and many of them seem to have little understanding of the cyber world. As described in my March 29, 2010 column “Cybergeddon … Ho Hum” (see http://www.bloginfosec.com/2010/03/29/cybergeddon-%e2%80%a6-ho-hum/), I was particularly affected by Vice Admiral Michael McConnell’s testimony that nothing substantive will be done by the government until we experience a “catastrophic event.” This is not a happy situation.
I was asked to take a look at Brenner’s book on cyber threats and vulnerabilities facing the U.S. and on what the consequences of not facing up to these attacks might be, and, in a number of cases, may have already been. Brenner runs through the usual suspects in chapters about organized cybercrime, nation-state pilfering of intellectual property from private industry and the military-industrial complex, attacks against industrial control systems, and deficiencies in the intelligence agencies. Much of this material has been documented elsewhere, though without Mr. Brenner’s particular perspective, since, as he specifies in the introduction to the book, he only discusses unclassified material. For many who follow these matters, there are few surprises. However, for those not familiar with the nefarious goings-on in cyberspace, the book provides a good synopsis of the dangers that the Nation faces.
What I really want to focus on are Brenner’s recommended mitigation strategies, which are all bunched into Chapter 10 on “Managing the Mess.”
First off, Brenner suggests a software-security rating service, along the lines of Consumer Reports, which issues plain-English recommendations. I think that this is a great idea and have personally advocated such an arrangement in various publications and presentations. The question is: How do you put it together? Who will support it? And who will fund it? My September 26, 2011 column “So so SASO … So What?” describes my own attempt to institute such a software test lab for the banking and finance sector, which attempt did not meet with success for the reasons that I cite in the column. This is a critical key resource, yet no one seems to be willing to collaborate and provide for its creation.
On the government side, Brenner has come up with specific recommendations in seven areas. These are worth repeating, as follows:
1. Trade regulation and contracting
- Use the government’s enormous purchasing power to require higher security standards of its vendors
- Forbid federal agencies from doing business with any Internet service provider that is a hospitable host for botnets. And publicize the list of such companies
- Direct the Department of Justice and the Federal Trade Commission to definitively remove the antitrust concern when U.S.-based firms collaborate on researching, developing, or implementing security functions
2. Roles of service providers
- Require Internet service providers to notify customers whose machines have been infected by a botnet
3. Energy standards
- Direct the Federal Energy Regulatory Commission and the North American Electric Reliability Commission to establish standards that limit the ability of utilities to connect their industrial control systems directly or indirectly to a public network
4. Tax code
- Use the Internal Revenue Code to drive corporate behavior, e.g., to encourage investment in cybersecurity
5. Research areas
- Attribution techniques and identity standards
- Verifiable software and firmware, and the benefits of moving more security into hardware
- Feasibility of an alternative Internet architecture
6. Securities regulation
- Electric utilities that issue bonds should be required to disclose … whether the command-and-control features of their SCADA networks are connected to the Internet or publicly accessible networks
- Public audit standards for cybersecurity should be toughened
7. International relations
- The United States should engage like-minded democratic governments in a multilateral effort to make Internet communications open and secure
Brenner then suggests the following steps that entities in the private sector should take to enhance cyber security:
- Clean up their act
- Control what is on their systems
- Control who is on their systems
- Protect what is valuable
- Patch rigorously
- Train everybody
- Audit for operational effect
- Manage overseas travel behavior
Brenner’s suggestions are all good, although they are not new. And there’s the rub. If someone of Brenner’s stature is advocating cyber risk mitigation strategies, many of which have been recommended many times before, without any specific guidance as to how to effect them, then the issues will continue to be unresolved. It is commendable that Brenner tries to educate us on the dangers of cyberspace, but unless we get specific actionable recommendations with names, roles, responsibilities, work plans and deadlines, along with painful consequences for those “owners” who do not perform, little or nothing will get done. And even if we get these plans in place, success remains questionable. Those in the know will continue to rail against the current state of cybersecurity and lament the lack of response to their remonstrations. But will it do any good?
We need people like Brenner to raise public awareness and suggest how to protect the Nation against attacks on our cyber infrastructure. But while such diatribes are necessary, they are far from sufficient. Unless we see specific action plans, which can be effectively implemented and enforced, then we are no further ahead. The potential consequences of not making headway against the tsunami of cyber attacks are so dire, as Brenner describes, that we can no longer tolerate the normative approach to protecting the Nation’s critical cyber infrastructure.
We need solutions, not merely suggestions. And other than possibly in the Defense Department, we are not seeing solutions. Alas, Brenner’s book, while being a good read and educational for those not already knowledgeable about such threats, vulnerabilities and successful attacks, does not give us the implementable solutions that we need.