Saturday, July 18, 2015

Cyberattacks Have Consequences

James McFarlin

Whether it involves the Office of Personnel Management, the IRS or Department of the Navy, few days go by without news of new cyberattacks against the United States.

Perhaps because there are few examples, little is said about the consequences to the assailants from such attacks.

The Preface of "Aftershock, A Novel" [see image on right] previews a possible scenario of consequences which occur at the highest levels when cyberattack response spins out of control. In today's ever-present cyber-threat environment, this description is worth reading, particularly the foreshadowing presented in the final paragraph. An adaptation:

The early rays of the weak winter sun have yet to seep through the dense morning fog as the first attacks strike San Francisco.

     Power is the first to go, stilling electrical equipment and draping the city in a carpet of darkness. Electric Muni buses stall in the streets. Lacking control signals with which to operate, Southern Pacific trains sit motionless on their tracks. The Bank of America tower, Transamerica Pyramid and other skyscrapers hang over the city like shadowed spires, towering monuments from an age past.

     Attempts to use smart phones yield only the wailing cadence of circuits-busy signals. Land lines, cable and Internet transmissions have vanished as though they never existed, reducing television and computer screens to blank, darkened slates of glass. Only battery-powered devices cling on to their electronic lives, although without connection. It is a world where Internet connections no longer exist.

     Anxious residents cluster in small groups in the streets outside their homes, hands stuffed in jacket pockets for warmth. As to whether they had experienced an earthquake - they thought not. Nor were there claims of having heard explosions. Many clutch laptops, iPads and smart phones, anxiously searching for answers. But answers were not to come.

     The absence of sound envelopes them like a cloak. Conversations turn from nervous banter to speculation, whispers of possibilities, but to no result except to feed a spreading dread of events imagined but not known, growing fears felt but not spoken.

     Residents toss personal belongings into their vehicles and rush to leave the city, only to find bridges and arteries out of San Francisco barricaded by armed squads of National Guardsmen. 

     Growing anxieties are fueled by the sounds of military helicopters and accompanying drones clawing their way over the city like massive birds of prey. Something big, something bad, is happening in the City by the Bay.

     As residents recoil from the shock of the morning's events, 3,000 miles away in the nation's capital an aftershock of infinitely greater magnitude threatens to trigger massive worldwide repercussions in the days to come.

Monday, July 6, 2015

Exploring America's Lack of Cyber Strategy

James McFarlin

The emperor's clothes are coming off. A series of high-profile cyberattacks against government agencies are blasting open the true seriousness of the internal weaknesses in America's lack of cyber preparedness.

And the world is watching the undressing. Articles and commentary in traditional print media to professional journals and blogs are increasingly critical of not only America's cyber weaknesses but its lack of seriousness in addressing the issue.

The recent Wall Street Journal article "We're Losing the Cyber War" addresses years of Obama administration passivity in the face of repeated digital attacks. The Office of Personnel Management attack, in which 18 million or more federal employee employment records, including security clearances, is a case in point. While the data loss is calamitous in its own right, the lack of responsibility shown by the agency's management can only be viewed as arrogant, and lacking responsibility.

OPM director Katherine Archuleta, in a Senate hearing investigating this loss, stated "I don't believe anyone is personally responsible. If there is anyone to blame it is the perpetrators." This display of self-defiance was offered with a straight face in spite of the fact that the OPM Inspector General's office had warned the agency for more than three years of its widespread cyber defense weakness, warnings that largely went unheeded.

Perhaps feeling pressured by this attack as well as network breaches in the Internal Revenue Service, Department of State, US Army, and others, the White House then issued a directive for agencies to plug their gaping holes in cybersecurity. A "30-day "cyber sprint" was initiated, where agencies were ordered to shore up their defenses. This in spite of the fact that they had largely failed to do so for years.

At least two thoughts come to mind here. The first is the absolute naivete of this exercise, which has been described as everything from a smokescreen to hype to a hail Mary. The second: Where have these priorities been? House Oversight and Government Reform Committee Chairman Jason Chaffetz (R-Utah), stated "The cyber race started fifteen years ago," and that this action was "coming too late" to be effective.

We face a serious national security threat from the cyber realm. When will this be taken seriously? Lee Hamilton, co-author of the 9/11 Commission Report, perhaps stated our problem best. In an update to that report issued on September 11, 2014, he said: "One of the problems in 9/11 was the lack of imagination of the terrorist threat facing us. Let's not make that same mistake in the cyber realm."

Seems as though we did that undressing some time ago.