The Comprehensive National Cybersecurity Initiative
The U.S. National Security Council has an interesting document up on the White House website about The Comprehensive National Cybersecurity Initiative (CNCI). It’s certainly an impressive plan for addressing many of the cybersecurity issues facing the U.S. government, but is it a plan that the government can successfully implement?
The government hasn’t won the war on drugs, addressed the nationwide education problem, or resolved many of the other major issues facing the U.S. So how can the government possibly think it can solve the country’s computer security problems? While some say that something is better than nothing, is “better than nothing” really going to make a difference?
I find Initiative #9, Define and develop enduring “leap-ahead” technology, strategies, and programs, very interesting. It reads, “One goal of the CNCI is to develop technologies that provide increases in cybersecurity by orders of magnitude above current systems and which can be deployed within 5 to 10 years.” Five to ten years? Is that how long it’s going to take to make computing more secure? And who, exactly, is going to develop these “leap-ahead” technologies? My guess is that it will be the same companies that are developing the ineffective technologies we’re using today.
I have a hard time believing that those in government making decisions about cybersecurity really understand the hacking problem. When I read how officials are participating in simulated cyberattacks, I often wonder how many of these officials really understand what’s going on beyond what they’re being told. Do they understand things like covert channels, sleeper Trojans, and that more sophisticated hackers are able to avoid detection by Network Intrusion Detection Systems and anti-malware software? Do they understand logic bomb scenarios and the impact they could have on critical infrastructure? Do they realize that most organizations do not have a computer disaster recovery plan and even if they do, it has never been tested?
None of this is news to anyone who has been doing security for any significant period of time. We’ve known about these things for years. Although we’ve tried our best to inform and educate the powers that be about these things, nothing ever changes. “We don’t have the money…”, “We can’t justify the expense…”, “We’ll cross that bridge when we get to it…”, and “We have other priorities right now…” are heard all too often.
Too many people are being led around by the nose about what needs to be done to address cybersecurity issues, because they do not understand the underlying reason why hackers are able to break into “secured” networks and computers. It’s not just about the hackers. It’s not just about security vulnerabilities. The problem is much deeper than what people are being led to believe. I understand that everyone wants to maintain a positive attitude and believe that computers can be properly secured, but when that belief becomes analogous to believing in the Easter Bunny, you have to start questioning if people are grounded in reality.
The world has been losing the cyberwar for many years now – and the situation is getting worse. One would think that the computer industry, after more than 15 years of developing computer security products, would have figured out how to stop hackers in their tracks. Unfortunately, this is not the case. How many more “new” security products are people going to waste time and money on before they start acknowledging the fact that these new security products are not solving the hacking problem? How many more billions of dollars are people going to spend on anti-malware software that doesn’t work against malware without a known signature? Our approach to solving the hacking problem clearly needs to change.
The CNCI is long overdue. The government should have acknowledged the severity of the hacking problem years ago. Where were all these security experts back then? Did anyone on the NSC or in the White House know the slightest thing about computer security and hacking? Was anybody listening?
I woke up to the realities of computer security and hacking in 2001. An incident occurred that changed the course of my life forever. The scary thing is that we are facing the exact same threats today as we were nine years ago. Nothing has changed. No one has solved the hacking problem – and I seriously doubt the U.S. government will solve the problem.
Is “better than nothing” going to make a difference? Of course it will, but it won’t be enough.
If you fully understand why hacking continues to be a problem, then you know that there is no way we’re going to win the cyberwar given today’s technology and security paradigms. If you think you could still learn a few more things about computer security and hacking, read my book. You will be glad you did.