DorobekINSIDER: Is cybersecurity over-hyped?
I had the pleasure last night to attend the Intelligence Squared debate series — the first one held in Washington, DC. (Yes, it was a wonk-fest. After all, there were some other big events in DC last night. Washington Nationals pitching sensation Stephen Stassburg was proving worthy of all the hype over at the Washington Nationals ballpark… and James Taylor and Carole King were in DC for their tour. Moderator John Donvan from ABC News joked that people had to be really wonky to show up given the competing events.)
The packed house at the Newseum were treated to a fascinating debate focused on the “motion”: The cyber war threat has been grossly exaggerated.
Arguing in favor of that contention:
* Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC)
* Bruce Schneier, the cryptographer, computer security specialist, and writer who is the founder and chief technology officer of BT Counterpane, formerly Counterpane Internet Security. He writes the popular Schneier on Security blog.
Arguing in opposition to that contention:
* Mike McConnell, former vice admiral in the Navy, the former director of the National Security Agency and the former Director of National Intelligence. He now works for Booz Allen Hamilton.
* Jonathan Zittrain, professor of Internet law at Harvard Law School and a faculty co-director of Harvard’s Berkman Center for Internet & Society. He writes the Future of the Internet blog and is on Twitter.
The debate started out by polling the audience asking us the question: The cyber war threat has been grossly exaggerated.
* Yes: 24 percent
* No: 54 percent
* Undecided: 22 percent
Before we offer more about the debate, how would you vote?
The debate actually focused on the question: Yes, there is a treat, but is it war?
The proponents of the arguement essentially made the point: Show me the war. Schneier said that the Internet has proven to be more resiliant then expected then anticipated or expected. While both he and Rotenberg acknowledged the threats, they argued that the “war” terminology is exaggerated… and dangerous.
“What you do with a threat of war is you call in the military, and you get military solutions,” Schneier said.
Rotenberg argued the militarization of the Internet is part of a long effort by the military and intelligence organizations to take the reins of the Internet — and he pointed to the infamous “clipper” chip from the 1990s, which would have given the government the keys to strong encryption. The argument: If something becomes a “war,” then other important issues — such as privacy — get shoved aside.
McConnell argued that the treats are very real, and, essentially, the country needs to understand how significant they are. And yes, there hasn’t been a “cyber Pearl Harbor,” but… during the Cold War, there were no nukes fired. The question is how you best prepare and defend these mission critical systems. He argues that society depends on trust and interdependency.
Zittrain said there is little argument that these are, in fact, hostel actors out there who are interested in attacking U.S. interests and livelihood. And he argued that these technologies are more fragile then we might believe.The two sides even disagreed about the now infamous Russian — or, more accurately, believed to be Russian — cyber-attack on Georgia. Schneier argued that it amounted to a fancy denial of service attack and he scoffed arguing that is it really a war if you can’t go to the Department of Motor Vehicles? McConnell, however, argued that the Russian attack helped bring Georgia to its knees.
Somewhat surprisingly, there wasn’t much discussion about the motivation of those stoking the cyber-war stories. Let me just say I’m not saying that the threat is exaggerated. From the people I talk to, there are real threats out there. And I have spoken to the people who, for example, are responsible for the the network at the Pentagon itself, which sustained a major attack back in 2007. That attack forced DOD officials to spend years even trying to determine what data was stolen. I am also keenly aware of how dependent we are on technology. But I thought there would be some discussion of the Threat Level piece from earlier this month that raised the issue of whether we can trust the people assessing the threats. From Wired.com’s Danger Room blog:
Coincidences sure are funny things. Booz Allen Hamilton — the defense contractor that’s become synonymous with the idea that the U.S. is getting its ass kicked in an ongoing cyberwar — has racked up more than $400 million worth of deals in the past six weeks to help the Defense Department fight that digital conflict. Strange how that worked out, huh?
The panel was asked to make policy recommendations. McConnell stressed that we are a nation of laws, and therefore we need to get the laws correct. Although somewhat unrelated, Rotenberg scoffed at that idea and pointed to NSA’s warrentless wiretapping as a case where he says the laws don’t get implemented.
Rotenberg policy proposal: More openess and transparency. And this is one that I think is important. In fact, I’m hearing a lot of cyber-security minded people talk about the importance of sharing some information. Earlier this year, I moderated a panel at the AFCEA homeland security conference. On that panel was Marcus Sachs, Verizon’s executive director for national security and cyber policy. He formerly worked at the Army was with the Joint Task Force for Computer Network Defense and for the National Security Council’s Director for Communication Infrastructure Protection. And he suggested that there needs to be more of a conversation around cyber-security. Hear highlights here. I have been quite concerned that the Web 2.0 advocates have been almost loggerheads with cyber-security advocates, when I still think there is an opportunity to collaborate around cyber-security problems.
After all the debating was done, the audience was again asked to vote on the question: The cyber war threat has been grossly exaggerated:
* Yes: 23 percent
* No: 71 percent
* Undecided: 6 percent
What do you think?
Also read Fierce Government IT’s coverage.