The spy gadget guru "Q" in the Bond movie Skyfall claims he can do more damage from his laptop sitting in his pajamas than Bond can do in a whole year. The movie is a fairly accurate, if highly dramatized, account of where global society is headed in the 21st century. That is, if we don’t get our collective cyber houses in order.
W. Hord Tipton is executive director of (ISC)2, the International Information Systems Security Certification Consortium. He is a former chief information officer at the U.S. Department of Interior.
We just can’t reach our potential as civilized societies under today’s unfettered, state-of-nature approach to cybersecurity. For a while it looked like the wilderness of cyberspace was a national security advantage for the U.S., given our technological edge over nearly all others. I’m just not sure that edge exists anymore. If it does, it’s quickly eroding, and we see it in the headlines nearly every week.
The organization I lead, (ISC)2, the International Information Systems Security Certification Consortium, places its stake in building a safer cyber world by certifying information security professionals throughout their careers. These professionals, however, are only as good as the cybersecurity construct they operate within.
Here are a few things we as a nation should do, and soon, to improve our security:
• Establish an international cyber code of conduct or treaty
We need to establish rules for engagement in cyberspace, whether we like it or not. As the country that invented the Internet, the U.S. should lead this effort.
In the physical world, the existence of established norms of warfare provides influence -- some call it soft power -- to those who live up to those norms. The same can be true for actions in cyberspace.
We need to start this process by clarifying what constitutes an act of war in cyberspace.
Was targeting Iranian centrifuges with the Stuxnet virus an act of war? Arguably it was. Establishing a foolproof, internationally recognized means of attributing such an attack remains a major hurdle for governments. But if a nation state or non-state actor had shut down an American nuclear plant with a weapon like Stuxnet, I’m confident we’d consider that an act of war.
What do we do then? We need to define what would constitute a just, proportional response, and get others to agree. Once we do that, those who might consider attacking our critical infrastructure or that of our friends would have a clear sense of the retaliation they would risk.
• Stop glorifying hackers
I hear too many people in the three-letter agencies claiming they need to hire former hackers to help protect their networks. We need to stop glorifying hackers with claims like that. It only serves to inspire the next generation of those folks.
In reality, at a moment’s notice I could assemble a corps of certified security experts to do anything those hackers can do. Our 90,000-strong members must meet the highest ethical standards in order to earn and keep the certifications we issue. In a government of law and order, there are some rights that convicted criminals forfeit forever. Someone who commits a crime with a gun should never be allowed to buy a gun. Someone who abuses children in school shouldn’t be allowed into a school again. It doesn’t matter if the person has done his or her time. It should be the same with hacking and other cyber offenses.
• Pass comprehensive cyber legislation
Just as with so many other issues before Congress, we’ve reached paralysis on cyber legislation at a time when the threats are so great that we can ill afford it. By now it should be clear that volunteer measures and lists of best practices will not be enough to secure financial institutions, defense contractors, and other sectors. The cyber threat has been well recognized for years, but a stubborn 90 percent of break-ins continue to result from simple to intermediate sophistication levels of attack. Nearly all could be avoided if basic control measures and human expertise were in place.
Reasonable regulations, a cyber treaty, and the highest possible hiring standards should not be feared. They should be embraced for the economic vitality and stability they can help guarantee.