Both ideas have merit, but there’s an even more profound consideration, one that relates to understanding who our cyber adversaries are and how they operate.
If such an easy bifurcation were ever accurate, it no longer is. As a result, government agencies, lawmakers and the private sector need to change their approach to cyber defense.
Certain nations increasingly see criminal organizations as useful allies, both for their hacking skills and the “cover” they offer to a rogue nation to distance itself from an act it sponsored that might be termed an act of cyber war.
For examples of this growing phenomenon, one must only look at the cyber attacks that followed recent military strife between Russia and Georgia or, closer to home, the July 4 denial-of-service attacks that pounded U.S. federal agencies, the New York Stock Exchange, Nasdaq and many major private-sector networks. While investigations into both events are ongoing, it is unlikely either will produce definitive answers.
Were the perpetrators common criminals, foreign agents, or perhaps a little of both? Does it matter?
Rather than continue with this false framing device — that is, cyber crime carried out by criminals and cyber war carried out by adversarial nation states — Congress, federal agencies and the private sector will be better served by deploying technological, diplomatic, military and law enforcement solutions that reflect the borderless reality of the cyber world.
Grouping the private sector with governmental organisms may strike some as odd, but the breaking down of barriers among perpetrators is also happening among targets. The simple fact is that private-sector networks inevitably will find themselves caught in the crossfire of attacks intended for government targets. Or, to use another metaphor, private-sector networks are part of the collateral damage.
However, while the potential fallout of cyber attacks knows no borders and does not distinguish between victims, it is, inevitably, the U.S. government that has the most power to make positive changes — even if the collaborative role of the private sector, especially for technology development, is a vital one.
To that end, here are three things the U.S. government would be well served to do as it moves to strengthen cyber defense across the public and private sectors:
• Define public/private partnership. Create an entity that has the ability to transcend corporate competition. This will allow trust to be brokered and will build relationships so that the best counsel is provided to the national leadership before, during and after cyber attacks happen.
• Develop security standards and best practices collaboratively. Define U.S. government cyber security standards with input from the private sector and government agencies that have experience with cyber security. Specify process, performance criteria or functional specifications, not specific products or technologies.
• Reform FISMA. Transform the Federal Information Security Management Act into a standard, measurable, repeatable, relevant and meaningful measure of security. Agencies must be required to conduct an annual gap analysis to identify security deficiencies, while creating objectives and milestone plans to close these gaps and acquire necessary funding.
These aren’t the only measures that can or should be taken, but they represent a positive direction and, most importantly, reflect the world as it is.
DeWalt is the president and CEO of McAfee Inc., a security technology company.