What Clinton, Trump missed when debating information security
September 30, 2016 |
2 minute read
During Monday’s first presidential debate Hillary Clinton and Donald Trump shared their thoughts on how the U.S. should fight cyber attacks. Clinton opened with the somewhat expected refrain of calling cyber security “one of the biggest challenges facing the nation” and noted that the country faces two distinct adversaries: nation-state attackers and cyber criminals. She also hinted that the U.S. would engage in cyber warfare “to defend the citizens of this country.”
Trump, meanwhile, questioned if Russia is really behind the recent attack against the Democratic National Committee (the hack could have been carried out by a 400-pound person sitting in a bed, he said) and said the U.S. needs to do more to stop the terrorist group ISIS from using the Internet to radicalize people. When it comes to “the cyber,” the U.S. “should be better than anybody else, and perhaps we’re not,” he said.
And that was the extent of the conversation on information security. While the many challenges of information security are nearly impossible to sum up in the two-minute response time given to candidates (Information security could have been covered in its own debate), neither one of them touched upon the real issue in cyber security: protecting the nation’s infrastructure from advanced attacks.
Cause major damage without firing a missile
To inflict the most damage or mental trauma, ISIS, Russia or cyber criminals don’t have to steal log-in credentials to a person’s email account or credit card number. They don’t even have to fire a missile. They just have to press a key that launches an attack against the infrastructure that provides us with electricity, water and gas or allows us to get medical care and make withdrawals from an ATM. Critical infrastructure is the soft underbelly of any country. The U.S. is especially vulnerable since infrastructure is so heavily intertwined with how we live.
Think about the chaos the would ensue if government workers in Washington, D.C., couldn’t reach their offices because the traffic lights around the nation’s capital were offline. Or the pandemonium that would occur if a hospital’s network was taken down, resulting in the emergency room closing and patients being forced to go to other hospitals. Those facilities could be overwhelmed with patients, hampering the hospital’s ability to provide critical medical care. People can’t live without electricity and the industrial control systems at power plants are often overlooked from an information security perspective.
Critical infrastructure is much more than the service providers that supply us with water, electricity and natural gas. I’d classify banks, hospitals, transportation networks and even mobile and Internet service providers as critical infrastructure that deserve government protection. Whether you’re talking about your local electric company or hospital, neither of them can defend themselves from the tools nation-states have at their disposal.
Having the Cyber Mission Force protect infrastructure is a good start, but...
The U.S. government is attempting to beef up information security around standard infrastructure like water, gas and electricity providers. The National Security Agency is launching a military unit dedicated to information security. Called the Cyber Mission Force, 10 percent of the troops serving in this unit will handle protecting the nation’s utility providers from threats, but 50 percent of the unit’s troops will work on protecting the military’s networks from hackers. Not only is that view of infrastructure very limited, not enough resources are dedicated to protecting critical utilities. I’m glad the U.S. government realized the importance of defending infrastructure, but more needs to be done given the strength of the adversaries.
… Infrastructure needs a greater voice in information security discussions
Neither Clinton nor Trump discussed the need to protect infrastructure since this topic isn’t as sexy to voters as talking about defeating ISIS online or launching offensive attacks against countries that hack a U.S. government agency or major business. But attackers realize the vulnerabilities in our infrastructure. While the computer systems running the pumps that carry our drinking water or the software that controls our traffic lights may not seem that interesting to us, attackers view them as the perfect vector to exploit cause widespread panic. It’s time infrastructure is included when talking about improving information security in the U.S.
About the Author
Israel Barak, Chief Information Security Officer at Cybereason, is a cyber defense and warfare expert with a background developing cyber warfare infrastructure and proprietary technologies, including that of proprietary cryptographic solutions, research and analysis of security vulnerabilities. Israel has spent years training new personnel, providing in-depth expertise related to cyber warfare and security, threat actor’s tactics and procedures. As Cybereason’s CISO, Israel is at the forefront of the company’s security innovation, research and analysis of advanced threats.