EDITOR'S NOTE: Ed Stroz is a former Special Agent at the Federal Bureau of Investigation, where he was responsible for the formation of the FBI’s Computer Crime Squad in New York City. Currently he is co-president and founder of Stroz Friedberg, a cybersecurity consulting firm. Carl Young is managing director at the same firm. Prior to joining Stroz Friedberg, Mr. Young was a risk strategist and Global Head of Physical Security Technology at Goldman Sachs, and previously held a succession of senior posts at the FBI.

By Ed Stroz and Carl Young, for CNN
The attacks in New York and Washington, D.C. on September 11, 2001 signified the unofficial start of the U.S. war on terror. Although the images of that day remain fixed in our memories, the ten-year anniversary of 9/11 is an opportunity to examine how we have changed the way we think about the importance of security in our lives.
At the same time, the ten years since 9/11 have witnessed an explosive growth in dependency on information technology around the world. One statistical indicator of this growth is the 480% increase in the global use of the Internet since 2001; Internet users now comprise nearly a third of the seven billion inhabitants of the planet.
Much of the U.S. information technology infrastructure and associated software is owned and operated by private organizations that conduct business using web applications that can be accessed through the Internet or utilize network devices with similar risk exposure to computer viruses. Such viruses, also known as malware, are increasingly sophisticated and have become ubiquitous on the Internet. A computer system that is infected by such malware can still work perfectly well with no signs of infection. The malware can sit silently waiting for instructions to take destructive action later. For the first time, the number of new computer viruses introduced in a single year (2011) is expected to exceed two million.
Cyber attacks continue to be directed against the full spectrum of organizations that support every aspect of our lives. Each day, it seems, a new headline appears about an organization, public or private, that has been severely impacted by a cyber attack. Therefore, the private sector finds itself on the front lines of a war that arguably threatens our national security at least as much as the war on terror.
The difference is that in the case of cyber war, the private and public sectors are co-combatants in a struggle against invisible and diverse adversaries who possess constantly evolving weapons and lack a unifying cause.
In some instances the cyber enemy is state-sponsored. This certainly raises the stakes and supports the contention that future battles between nations could increasingly be fought on the world’s information technology networks. In that vein, the U.S. Department of Defense has recently established the U.S. Cyber Command in recognition of the implications of cyber attacks to national security.
This private-public partnership to confront cyber crime is born of necessity, since there are operational conditions that preclude each from operating independently. A private organization lacks the authority to investigate security issues that lead outside its own network property. The U.S. government must operate within Constitutional constraints, which limit its powers of electronic surveillance, as well as being subjected to privacy restrictions. Regardless of whether or not you support limits on government surveillance authority, the sheer size of the cyber landscape makes patrolling the electronic frontier an impossible task for any single government agency.
Consequently, the government, and indeed our society, must rely on private organizations to secure their respective pieces of the Internet, as well as to report on risk-relevant information in order to see the big picture. The latter is a critical task in an evolving cyber war, and is essential to identifying trends on threats, developing timely countermeasures, and in stopping the perpetrators.
The U.S. government must assume a leadership role in orchestrating the overall cyber defense effort. In particular, it should be investing in cyber security research and development as well as in education and training programs like those at the National Institute of Standards and Technology (NIST). The introduction of progressive legislation and policies such as the landmark Presidential Decision Directive 63 in 1998, Executive Order 13231 in 2001, and the National Policy to Secure Cyberspace, must continue.
However, and as with all expansive government efforts, the challenge is to ensure coherence among the numerous agencies that share cyber security responsibilities.
Certainly there is historical evidence of successful private-public partnerships. The FBI InfraGard program, begun in 1996, is one example. In addition, a collaborative effort between Verizon and the United States Secret Service results in an annual Data Breach Investigations Report that presents useful statistics on breaches of electronic records.
Finally, the cyber security landscape is in a state of continuous flux, driven by the dizzying evolution of computer technology and an abundance of cyber criminals who are intent on exploiting these advances. Both the private and public sectors have important roles in ensuring the integrity of our country’s information systems. The tenth anniversary of the 9/11 tragedy, where our suffering was unified, is a time to focus on improving private and public collaboration on our cyber defenses, to enhance U.S. national security and to honor the sacrifice of those who died.