More than 30 years ago, I warned a number of executives that “the criminals will destroy the Internet.”
“We have to work against this now,” I warned.
A few people heard my message and asked me to assist them with waking their executive ranks. While attempting to do this, I observed that I had to repeat my message about “cyber terror” five to seven times before anyone heard me once. Colleagues asked me if I ever worried about repeating myself so many times. “Won’t they become upset?” they would ask. I simply replied, “You heard me the first time, but they haven’t heard me yet. Repetitio est mater studiorum.” Newkirk’s law 92 was at play: The scarier the message, the greater the effort to be heard. Eventually, colleagues began to tell me, “Amazing, they really aren’t listening.”
Hans Holmer wrote a potent article recently discussing some of the differences between the cyber and “kinetic eras.” Holmer sums up the historical situation quite well. I can personally relate to his statements. I built my first computer in 1962 using vacuum tubes and oxide core memory. I wrote programs in machine language, employed actual addressing to directly control system processes, transformations, and data flows. I even enlisted instrumentation to test the code using several well-designed techniques.
We valued “code coverage” as a metric. It was great fun and made you one smart technical specialist. I must confess that it is a bit strange today to see so much code in production that has undergone minimal qualification. How can anyone adequately test a single system with 20 million lines of code? No team I know. Agile and lean programming does not make anyone more secure. These are simply current terms used to explain old practices. Historically, many programming departments practiced “lean methods.” Their lean budgets informed their development practices. The current focus of agile and lean development approaches on cost reduction and under-conceptualized simplicity undervalues the role of cybersecurity in delivering resilience.
The Dawn of Cyber Security and the Transformation of Kinetic Threats
When I moved from the hobby room to the computer department at General Motors, I had to be a really smart technical specialist (because very few people were). Even back then, we concerned ourselves with glitches and bugs. Thankfully, Admiral Grace Hopper woke up many people about the threat of accidental carelessness and, indirectly, the potential damage that can occur through human agency, accidental or otherwise. It was a natural step for many of us to become concerned about data theft, software theft, and programming fraud as our principal cybersecurity threats, although management did not specifically view the problem as a cybersecurity challenge. Generally, management viewed these situations as mere instances of individual craziness. An executive once remarked in reply to my concern: “Why would anyone steal our customer and employee data? It is useless to them.” That was back then. History has answered his question.
In that early cyber era, we worked in a world marked by insider threats. Everything else was still a “kinetic” concern. We did not worry about “external actors” or their maliciously delivered bugs, or even real bugs. It all seemed so farfetched to the bill-payers. Automated Processing Department budgets (that’s what we used to call it) had to be practical as far as possible because computers and everything associated with them cost an unbelievable amount by today’s standards. Look at the cost of PCs back in the 1980s. My first slow and weak PC cost more than $15,000.
So here we are today, living in a cyber world challenged by malicious and accidental insider and external threats. Each threat class becomes increasingly more dangerous each day simply due to progress in the capacity and speed of hardware, refinement of methodologies, and skills of industrious software engineers. We hear about it daily. Somewhere, sometime, someone wreaks havoc on our digital world and people suffer in many ways. They are casualties in the new global theatre of cyber warfare.
Expanding Awareness at Mud-Puddle Depth
Not everything has changed. Executives, managers, and employees prefer to ignore the very real threat of cyber terror. As to be expected (based on historical performance), more than half of all CEOs in this country cannot say whether their in-house cybersecurity programs deliver sufficient security. The more things change, the more they stay the same.
That is a bit of an exaggeration. Not everything stays the same. Cybersecurity has generated a lot of interest, mainly in the cybersecurity community. Look at the present state of cyber security. We have a lot of ideas about what we should do. Our challenge is to generate this kind of interest within many other communities. Several challenges require immediate attention. We know many of the scenarios. The following list identifies 15 noteworthy scenarios that will impact short- and long-term efforts to deliver robust cybersecurity effectiveness. A couple of these may be surprising.
- A percentage of unknown students enrolled in a cybersecurity education programs will use their education and training to engage in malicious cyber-attacks against their targets because they enjoy firsthand knowledge of the counter-measures and strategies to be used against them.
- One person can destroy a company, quickly (in less than 10 minutes). This is something new, aside from a bomb going off in the critical place.
- A large percentage of malicious insider attacks create unrecoverable damages, leaving target companies lost forever.
- Many of the solutions we think work, mostly do not work. Organizations habitually use software products that are known to fail.
- Around 10 percent of the employee population of a company enjoys access to every digital file in an organization, even when unnecessary. Management trusts them to do the right thing because HR tells us that trust is a must. Even God wouldn’t say that.
- Organizations continue to use and pay for an unreliable cybersecurity tool or technique even when management knows it is not effective.
- A single thumb drive can severely damage the value of an organization, quickly.
- Experimenters exist that occasionally interfere with the communications of a range of global targets. In-depth cybersecurity has to ensure that these intrusions can be mitigated and that private and commercial flight operations be shielded. Cars, drones, and planes have been hacked by students.
- Technologies will increasingly become artifacts of cyber warfare against national populations as malicious cyber actors target individual citizens in roving attacks at random times.
- Technologies that people do not understand are expanding into every aspect of human life without moral consideration so that technologists will become the core influencer of society.
- Cyber terrorists will use advanced methods of psychological warfare to turn citizen groups against each other.
- The continuous conflict and turmoil of the government as it continuously feeds on itself by fragmenting and weakening its own internal political alliances will increasingly distract the attention of agencies from the fundamental responsibility of cybersecurity.
- Executives will continue to launch experimental business models based on trust and openness that reduce the effectiveness of cybersecurity.
- Organizations will continue to focus on remedial workplace strategies that reduce the effectiveness of cybersecurity programs designed to ensure business process resilience and organization effectiveness.
- Human resources teams will implement processes and programs that focus on inadequate criteria of performance that conflict with the cybersecurity imperative.
A Systemist Response
An interesting observation about these 15 scenarios is that if one cares to take the time, (s)he could identify the traditional archetypes associated with each scenario. We would see that serious cybersecurity programs require unified political, educational, sociological, behavioral, technical, legal, methodological, economic, and management solutions. Cybersecurity is really a complex transdisciplinary concern. Little to nothing in human historical experience compares to this threat. For example, cyber terrorists from protected locations in several dozen countries can simultaneously execute a cyber-attack on a single U.S. citizen just as a training exercise. The person would not know what had just occurred. Moreover, our country continually has threats emerging from violations against trust here on the home front and yet executives continue to implement organization models that highlight trust and openness between employees and management as the framework for successful performance. Think Continuous Performance Management, or CPM. Organization models such as these are incompatible with stringent Insider Threat Prevention frameworks that advocate “zero trust” security and control to safeguard business operations.
Unless a radically new technology comes online that negates every cyber-attack strategy known to science, we will have to make a choice. Either we throw our arms up in despair and say “enough is enough” and abandon digital networks, or we redesign our relationship with technology. This, of course, means that our workplace experience as well as the home front will change. In the workplace, we will be watched, monitored, and cleared like never before. No purse, thumb drive, laptops, and other miniature devices will freely float around the workplace. Every environment will become extremely secure because so much is at stake. The workplace could become a place nobody wants to visit.
It will take a lot of money, intelligence, commitment, and support to win this emerging cyber war, which is currently waging along several fronts. How we eventually resolve all of this is open to conjecture. One thing we doubtlessly know already: The drive for cybersecurity effectiveness will change life in unimaginable ways. A new paradigm for work and play is being thrust upon us whether we choose to participate or not. If we continue as we are, we will become a self-fulfilling prophecy: We have met the enemy, and the enemy is us.
Think about it.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email HSTodayMag@gtscoalition.com. Our editorial guidelines can be found here.