Challenges
Nature of IT Resources
- While other CIKR sector assets are physical in nature, the IT sector also comprises virtual systems and networks, which are harder to secure and control.
Lack of laws addressing cyber attacks
- Hathaway et al. (2012) reveal that the existing laws are deficient in addressing cyber-attacks.
- There is no well-established channel for seeking redress against cyber attacks from foreign players.
Rapid advances in IT technology
- Security tools and techniques are rendered inefficient as new technologies and threats emerge.
- The Government needs to keep upgrading or changing its security approach to match new threats and technologies.
- Homeland Security (2010) notes that the virtual systems and networks are very widely distributed and ensuring their security is hard.
- The tools and techniques used to secure the IT infrastructure need to be constantly upgraded and/or changed as new technology and threats emerge.
- The White House (2011) reveals that there is a lack of a definition of what constitutes a cyber attack, and the international community has not agreed on how to address this issue even when the attack is of a hostile nature.
Government Limitations
Ownership
- The Federal government does not have ownership of the nation’s cyber infrastructure.
- Most of the internet falls under the private domain, where government influence is minimal.
Control
- A significant share of online activity is managed by the nation’s businesses and these activities may be related to national security (Amitai, 2011).
- Resistance to government control of the private industry.
- There is a lack of incentives for corporations to better secure their computer systems.
Privacy Limitations
- Concerns for privacy by citizens and some special interest groups mean that the government is not able to take all measures necessary to protect IT assets.
A significant share of online activity is managed by the nation’s businesses and these activities may be related to national security (Amitai, 2011). While the need to protect military systems is well recognized, protecting the private sector is not emphasized, and there is even some resistance against the government imposing security standards on the private sector.
Amitai (2011) argues that current incentives for corporations to better secure their computer systems are not put in such a way that they promote voluntary actions.
The government can come up with measures that are designed to motivate the industry to develop the needed security measures. Erbacher et al. (2006) assert that dealing with cyber attacks requires specialized forensic tools and techniques which may be deemed as too expensive by some corporations and hence not a priority.
Jones and Valli (2008) note that to help fight cyber attacks, law enforcement agencies need access to data that is of a personal nature. Many states have strict privacy laws that make it hard for the federal government to access this information.
SSP and Major Incidents
Hacking attack at Lockheed Martin
- The attack against the major defense contractor demonstrates the link between national security and private corporations.
- The attack demonstrated that there is little motivation for voluntary action to develop security measures by most corporations.
- Attacks against the private sector might compromise national security.
Iranian Attack
- The attack halted Iran’s nuclear program and served as a major speed bump in the country’s nuclear ambition.
- The sophisticated computer attack against Iran’s nuclear facilities demonstrated that cyber-attacks can be used to damage critical sectors of the country.
China’s Attack
- China launched attacks against major corporations in the US.
- Business entities are vulnerable and attacks against them might cripple our economy.
The attack against the major defense contractor demonstrates the link between national security and private corporations. If the US does not protect its private sector, cyber attacks by criminals and agents of foreign governments will compromise national security. Chittester and Haimes (2004) warn that critical interdependent infrastructure can be compromised through cyber attacks by terrorists with dire repercussions for the nation.
A lesson that can be learned from the attack against Iran’s nuclear facility is that cyber attacks do not only target the IT sector but also other major sectors of our economy such as nuclear reactors, transport systems, banking and finance, and emergency services.
China’s Cyber Attacks Against US Corporations
- China launched attacks against major corporations in the US.
- Business entities are vulnerable and attacks against them might cripple our economy.
- The attack reveals that the threats faced by our IT sector are very broad and actors too numerous.
- The risks posed by such threats are too great for the government not to involve itself and provide the incentives for corporations to secure themselves.
DoS attack against Georgia in 2008
- Russian hackers orchestrated a DDoS attack against Georgia as Russian forces invaded South Ossetia.
- From this incident, it is clear that cyber attacks can be used to reduce a country’s ability to communicate in times of war and therefore give the enemy an advantage.
The prominent cyber-security company McAfee released a report that exposed China’s cyber-attack program aimed against a number of U.S. corporations (Hathaway et al., 2012).
In 2008, Russian hackers carried out a Distributed Denial of Service attack against Georgia as the Russian army invaded the country. This attack reduced the capacity of the country to communicate with the outside world over the internet as the attack was being carried out.
Linkages: IT SSP and Cybersecurity
Interconnectivity Between IT and other Sectors
- The IT sector affects all the other sectors.
- The potential consequences of a cyber-attack can range from benign ones to catastrophic ones that lead to widespread economic and physical damage.
Better Coordination Required
- There should be more coordination of efforts among government agencies and the private sector.
- Better coordination will accelerate the development and implementation of secure systems to manage the country’s critical infrastructure.
Adoption of Best Standards
- More collaboration among key entities in the sector is needed.
- The collaboration will result in establishment of industrial standards and best practices.
- Standards will make it harder for any entity to be compromised through cyber attacks.
The IT sector is critical for the survival and future prosperity of our nation. Ensuring the security of this sector is therefore of great importance.
The current SSP for IT is not adequate to ensure the protection of all essential entities.
There should be more coordination of efforts among government agencies and the private sector so as to accelerate the development and implementation of secure systems to manage the country’s critical infrastructure.
Collaboration among all entities engaged in securing the nation’s critical infrastructure will accelerate progress.
References
Amitai, E. (2011). Cybersecurity in the Private Sector. Issues in Science & Technology, 28(1), 58-62.
Chittester, C. & Haimes, Y. (2004). Risk of terrorism to information technology and to critical interdependent infrastructures. Journal of Homeland Security and Emergency Management, 4(4), 1-20.
Erbacher, R. F., Christiansen, K. & Sundberg, A. (2006). Visual Network Forensic Techniques and Processes. Utah: Utah State University.
Hathaway, O.A. et al. (2012). The law of cyber-attack. California Law Review, 100(4), 817-885.
Homeland Security (2010). Information Technology Sector-Specific Plan An Annex to the National Infrastructure Protection Plan. Washington DOH.
Jones, A. & Valli, C. (2008). Building a Digital Forensic Laboratory. Boston: Butterworth-Heinemann.
The White House. (2011). International strategy for cyberspace: Prosperity, security and openness in a networked world. Web.