Threats Imperil the Entire U.S. Infostructure

Cybercrime is leading the way among threats to networks, but cyberespionage is increasing in both number and effect. And, cyberattacks have picked up to the point where entire nations have seen their infosphere crippled by online marauders.

Lt. Gen. Harry D. Raduege Jr., USAF (Ret.), chairman of the Deloitte Center for Network Innovation, describes cybersecurity as a major national security issue for the United States. It is pervasive across traditional security, health care, energy, education, and personal and international finance. He says cybersecurity is a key operational area of each of those major areas of emphasis.

Change must take place if the United States is to meet cybersecurity needs. “Overall, the greatest threat to information security today is for us to be continuing down the same path we’ve been on and somehow expect dramatically different results in the future,” says Gen. Raduege, who also served as the co-chair of the Center for Strategic and International Studies (CSIS) Commission on Cyber Security for the 44th Presidency. He declares that the United States today is “in a catch-up mode” as the threats and their corresponding risk are considerably greater than five years ago.

Gen. Raduege defines three specific operational areas: cybercrime; cyberthreats and espionage; and cyberattack. Cybercrime actually has become more profitable to international criminals than drug trafficking, he allows. The risk is lower, and the potential payout is greater. It is becoming a syndicated global criminal operation, and it is intensifying with the economic downturn and “the lucrative target-rich environment” that the criminals find attractive, he adds.

In 2008, more than $1 trillion worth of data was lost to cyberespionage, an amount Gen. Raduege describes as “staggering.” It includes what used to be described as industrial espionage, but in this case it also encompasses intellectual property as well as trade secrets.

That espionage can have traditional national security implications. Marcus H. Sachs, director of the SANS Internet Storm Center, observes that because the Internet provides such a fast pipe, countries find it easier and less costly to leverage that pipe to obtain valuable information. “It is cheaper to connect to someone’s machine from thousands of miles away than to send an agent to try to turn a friendly to give over information,” he says.

Sachs goes on to note that the economic sides of cybercrime and cyberespionage are one and the same. In some cases, the groups that commit network intrusions might be paid by a criminal group or by an espionage organization—the skill set and tasking are the same. Immediately after the September 11, 2001 attacks, most security experts were focusing on the terrorism threat to networks. Accordingly, they missed the development of large-scale cybercrime.

The nature of cyberattacks has become more sophisticated, the general adds. Traditionally cyberattackers would announce their intrusions as a way of leaving a calling card. But now, intruders prefer stealth. They have much more to gain by not revealing their operations within a network.

Simply throwing more money at the problem will not solve the complex challenges faced, Gen. Raduege declares. The country needs a comprehensive approach that examines an organization’s total enterprise. This will require a holistic approach to strategy, processes, people and technology.

Gen. Raduege believes that someone must be placed in charge of orchestrating a comprehensive national strategy for cybersecurity. And, the nation’s critical cyber infrastructure, or CCI, must be identified. He relates that the CSIS cybersecurity commission identified four specific areas: telecommunications, energy, finance and government services. The country must assess the extent to which these critical areas are vulnerable to, or secure from, attack.

Overcoming these cybersecurity challenges is more of an organizational problem than a technical one, Sachs says. Another challenge is user awareness and education. People may be aware of cybersecurity problems, but they often think that “somebody else is fixing it,” and they need not take specific measures beyond common sense. “That type of naïveté is what gets a lot of people into trouble because there is so much that individuals have to do.”

But the private sector must understand the gravity of today’s threat environment and “not assume someone else—especially federal or state governments—are protecting their systems, their data and their information,” Gen. Raduege offers. But, strong cybersecurity measures cannot always be measured by traditional return-on-investment criteria.

The private sector can help with its own areas of strength. “We need to encourage, listen to and cultivate the rich entrepreneurial ideas that are found in private industry,” Gen. Raduege states, pointing out that this is the role that the private sector plays in providing solutions. He suggests that the private sector also can help by providing a cyber work force. This would comprise well-paid scientific and technological jobs that would stimulate the economy.

Sachs calls for senior managers to understand resource constraints in this economic downturn. Security measures often are the first items to be cut out of the budget when revenues decline, and this will make cyberspace less safe. Much as cybermarauders threaten the global economy, so does the economic downturn improve their chances of success.

Read the expanded version of this article in the July issue of SIGNAL Magazine, in the mail to AFCEA members and subscribers July 1, 2009. For more information about purchasing this issue, joining AFCEA or subscribing to SIGNAL, contact AFCEA Members Services.