Are we missing the Point relating to Homeland Security

June 2010

Recently there has been a lot of talk about nuclear weapons, terrorism and peace treaties. At the end of the day, the question remains how we protect a country and its citizens from attack? If that is really the purpose of the summits, the meetings and Washington, why isn't cybersecurity part of the discussion? It deserves to be.

It's true that nuclear weapons or biological warfare is much more damaging and could cause greater loss of life, but the likelihood of such an attack is low.

When you evaluate a threat there are many aspects (too many to mention in this posting) that need to be evaluated. Some of the primary ones are clearly impact, likelihood and ease of which the attack can be performed. Using this as a basis, things become very interesting. While the impact of a nuclear or biological terrorist attack is clearly very high, the likelihood is more in the medium level and the ease of which it could be performed is medium to low. When it comes to cyberattack, the impact is high, the likelihood is high and the ease is high. Therefore since national security is about managing and mitigating risk, shouldn't more attention be paid to the cyberweapons of mass destruction?

If we start to peel back the layers, things become even more interesting based on the overall exposure and scope of the problem. Physical weapons have to cross international boundaries and there are checkpoints that have to be cleared.


The three important points to remember are:

1) you cannot clearly cross international boundaries with physical weapons without going through physical checkpoints

2) weapons are illegal in most countries so clear possession of them could get someone in significant trouble

3) it is relatively difficult to obtain these weapons.


When you start to apply this to cyber, things start to fall apart very quickly. On the Internet there are no international boundaries. An attacker can seamlessly cross boundaries without even knowing they are entering systems located in a different country. Not only are the tools easy (say free) to obtain, but in some countries possessing and use of the tools are not illegal.

There is a lot of legislation being proposed to cover cyber, but are we focusing in on the correct areas? Are we looking at controlling the boundaries and in/out of countries and working on universal laws? Having different laws for different countries makes sense when there are clear boundaries and physical separation, but when connectivity is seamless that model falls apart.

While changing laws can take a long time to perform, there are things organizations can do today to help protect critical infrastructure. First, identify and clearly control and manage ALL boundaries in and out of your organization. For critical information, air gaps or complete separation should be looked at to better control the boundaries. Second, focus on critical information. Why would your organization be targeted and what information would cause the greatest impact? Third, the entry point for most attacks is the end users. Focus time and energy on protecting and controlling the endpoint, especially untrusted endpoints.

We are going to have to deal with this problem one way or another. Option one is to be proactive and fix the problem before it is too late. Option two is to wait for there to be a major problem and fix it in a reactive manner. Personally, I vote for option one.

Credit Eric Cole