State of the Union: Cyberthreat

President Obama signed a cybersecurity executive order yesterday. Our own David Gewirtz, one of America's leading cybersecurity experts, explains why Mr. Obama didn't go far enough.
Written by David Gewirtz, Senior Contributing Editor

Normally, shortly after the President delivers his Constitutionally-mandated State of the Union report (it’s the report that’s required, not the speech), I deconstruct the speech and provide you with the points I think are important to consider.

Today is not a normal day. While the union is undergoing its usual economic and political stresses, with the sad addition of increased gun violence, what I consider the most important story got only a two-paragraph mention in President Obama’s speech last night.

America is being attacked. Constantly. Unrelentingly. We are being attacked by enemy nation states (like North Korea), frenemy nation states (like China and Russia), friendly nation states (like France and Israel), hacker groups (like Anonymous), just plain ol’ organized crime organizations out to make a buck, and individual hackers out to make a name for themselves.

Although the President only gave the cyberthreat two paragraphs of attention in his speech, he did something else very important yesterday: he issued an Executive Order, “Improving Critical Infrastructure Cybersecurity” (full text, ZDNet analysis).

It is at this point that I must share with you an important disclosure about myself. I am a member of the FBI’s InfraGard program, the infrastructure security partnership between the FBI and industry. I am also a member of the U.S. Naval Institute and the National Defense Industrial Association, the leading defense industry association promoting national security. I'm also the Cyberwarfare Advisor to the International Association of Counterterrorism and Security Professionals.

I’m telling you this because you need to know that I look at these issues from a similar perspective as those in Homeland Security and the other three-letter agencies. We have a challenge here: we are being attacked. We have a second challenge: we Americans cherish our privacy and any defense has to also protect that privacy.

Let me be blunt: I don’t think President Obama went far enough.

Mr. Obama's Executive Order is a step in the right direction, but it’s not strong enough and may even open the door to new exploits.

I also think President Obama missed a golden opportunity to involve the American people. In fact, I think he squandered a necessary, critical, golden opportunity – using the bully pulpit of the State of the Union and its worldwide media coverage to involve American citizens in their own cyberdefense.

On the other hand, the Executive Order generally gets the privacy protection side of things pretty much right. Previous attempts at cybersecurity legislation have forgotten the importance of privacy. When CISPA and SOPA were spun up, so were the forces of We The Internet, and rightly so. Those were both bad law-making and they were rightfully squashed.

President Obama’s new Executive Order takes those concerns into account. “Privacy” is mentioned 14 times in the order. Section 5 of the document is entitled, “Privacy and Civil Liberties Protections,” and provides substantial and reasonable guidelines for the ongoing maintenance of our sacred freedoms.

This is supported by a statement from the ACLU (quoting from an article in The Hill):

"The president’s executive order rightly focuses on cybersecurity solutions that don’t negatively impact civil liberties," said Michelle Richardson, a legislative counsel for the ACLU, in a statement. "For example, greasing the wheels of information sharing from the government to the private sector is a privacy-neutral way to distribute critical cyber information."

Unfortunately, in its first run through Congress, CISPA seemed to miss the point about American freedom and privacy. I am not convinced that additional legislation, especially the way CISPA was written, is necessary to protect America, since our existing laws about crime, espionage, and warfare pretty much cover the defensive aspects of the cyberthreat.

I am also deeply concerned about reports that CISPA is back on the table, essentially unchanged. Sadly, in 5 reasons why SOPA, PROTECT-IP and other legislative idiocy will never die, I predicted this sort of thing would keep on happening.

On the other hand, the new Executive Order seeks to set mandatory cybersecurity standards for government agencies and voluntary standards for U.S. companies and organizations.

However, as malware guru Phil Owens mentioned to me in yesterday’s cybersecurity webcast, once you set standards, you also set a minimum bar for acceptability. Essentially, you’re telling agencies and businesses that “this is good enough,” and you’re telling attackers, “This is what we’re watching for,” leaving the door open for attack vectors not covered in regulations.

My ZDNet colleague and friend Zack Whittaker points out that the terms “cyberthreat” and “cyberintrusions” remain relatively undefined. His contention is that those “hacktivist” organizations that choose to use Distributed Denial of Service (DDoS) attacks as a form of protest speech might then be targeted by the US government.

My take on DDoS as protest speech is quite simple: DDoS is an attack that must be defended, and the attackers must be brought to justice. In fact, a DDoS attack is an asymmetrical attack, which means that the attackers often have a vast logistical advantage over the defenders.

There is a difference between a flash mob (or even a Million-Man March) and a DDoS attack. A DDoS attack uses computers infiltrated against the will of their users, and turns ordinary computer users into cannon fodder. It would be as if – when a group decided they wanted to conduct a flash mob in protest – they broke into millions of homes, kidnapped the residents, and dragged them along, just to raise their numbers for the TV cameras.

As someone who’s had to defend against an attack from millions of computers a day aimed at a few private servers, I have not a shred of patience for anyone conducting a DDoS. There is no excuse for a DDoS and it is not and never will be a legitimate form of protest.

Moving on, I mentioned earlier that President Obama squandered a golden opportunity.

When the President discussed cybersecurity in his speech, he made it sound like something that’s the concern of government and industry. Although he mentioned identity theft, he didn’t involve the American people – moms, dads, grandparents, kids, teachers, students, office workers, Facebookers – in the discussion.

He didn’t make the threat real to real Americans.

In World War II, when the Nazis were bombing London, the British government communicated the threat to their people. It was obvious, as bombs were dropping. But the government made it clear that everyone had some responsibility in the national defense.

They instituted blackout rules, requiring lights to be doused at night, or black curtains to be hung over windows. The reasoning was very practical. If a Luftwaffe bomber could see a lit building, it could hit the building.

Now, say there was an apartment building with 100 apartments. If even one resident ignored the blackout rules, the building might be hit, and hundreds of tenants might be killed – just because one person disregarded the defensive rules.

This is quite analogous to our cybersecurity problems today. We are not just getting attacked at the entry point to banking networks or federal agencies. No. In fact, most of the attacks are being conducted against regular American citizens, you, me, your mom, my dad, and so on.

If any one of us has poor defenses, malware (like the kind that tunneled into the New York Times last week) could make it into our home networks, and then spread from family member to family member, from home computer to work computer, from work computer to work network, and so on.

Where President Obama missed his opportunity was making this point. We, as Americans, will never ever have a comprehensive cybersecurity defense until every computer-using American is safe from attack. And every computer-using American won’t be safe from attack until each of us fully understands both the risks and the methods of protection.

We need this to be a national priority, a message of Presidential import, and Mr. Obama missed it.

Until every American is on board, until every American is aware of the threat, until every American is actively involved in his or her own defensive behavior, cyberattackers have an easy, wide-open invitation to enter, pillage, and plunder our networks.

This is war. It’s a war where, whether we like it or not, we’re all combatants. I just wish President Obama had explained that to his fellow Americans.