Editor's Note: This piece was created for ISMG's Security Agenda magazine, distributed at RSA Conference 2013.
Imagine turning on your office computer in the morning to find nothing there. Nothing. And then listening in the hallways as your co-workers each discover their data are gone, too. The essential information to perform the company's business - its financial and proprietary information, records of all prior communications - all of it, vanished.
When this actually happened to employees of Saudi Aramco in August - all data were replaced with a picture of a burning American flag - the news reverberated globally, but particularly in the cybersecurity community because those of us in the business know what that meant, and what it portends.
Smaller nation-states have been upping the ante of cyber-attacks for years, and now one - publicly identified as Iran - has shown us exactly the kind of cyberdestruction that extremist elements are increasingly willing and able to conduct. These nation-states, frustrated at their inability to create weapons of mass destruction, are turning to weapons of mass "disruption." An additional worry is what will happen when terrorist groups get possession of these cyber-attack tools. It is only a matter of time.
The prior continuum of cyberthreats has been clear, beginning with creating data outages, which are mostly annoying; then moving up to the theft of data, which is potentially costly when proprietary information is lost; and then to data disruption, which is reflected in the distributed-denial-of-service attacks that plagued banks in recent weeks. Each of these types of attacks represents trouble.
But the pinnacle of this continuum, the actual destruction of data, is something else entirely. The financial industry, utility grids and transportation networks are part of the nation's critical infrastructure, and the cyberdestruction of any of these could be unimaginably crippling. And to be clear: This worst-case threat is not coming from countries known for sophisticated cyber-espionage, like China or Russia; these cyber-attacks for data destruction are now coming from smaller nation-states with extremist factions that have technological skills.
How to Respond
So, what do we do to stop it? Legislation and a potential presidential executive order are being debated to deal with the big issue of finding appropriate ways for the government and private industry to share information safely to identify, prevent and counter threats. But individual companies and government agencies still have work to do on their own.
The first task is for commercial firms and agencies to fully assess and understand their levels of cyberprotection today, measuring themselves against quality benchmarks that are becoming increasingly well defined in various industries. You won't know where to spend until you know your vulnerabilities, so an internal assessment is essential.
Externally, one of the biggest challenges for companies and agencies is to fully understand the potential sophistication and lethality of these nation-state attacks, and how a company's vulnerability may be unique and ever-changing. Banking, for instance, is a transactional industry, and its largest "attack surface" is in the exchange of financial data. A manufacturer has more vulnerability in the supply chain of parts. The "attack surface" of a consulting firm may be in its people and where they travel and access company data from laptops and mobile devices. In any company or agency, the "attack surfaces" will vary over time, and any effective defense must fully account for changing circumstances.
Bigger Firewall Not Enough
One of the great misconceptions in creating a cyberdefense is that reliance on a single technological solution - just building a bigger firewall - will be effective. There is not enough money to build a firewall that will stop these extremist groups with their dynamic, always-morphing tactics. What is needed is a dynamic defense that includes the capability to monitor threats and anticipate which threats are potentially lethal to a given entity, allowing the company to identify and protect against the most likely attacks. Creating this early warning "sentry" capability is much more effective, efficient and affordable than trying to protect everything all the time.
Chief information security officers are key to the success of a fully integrated cyberdefense. They can raise awareness of the risk of nation-state attacks at the board level, and they can push for improved information exchange and trust building across industries and with the government. Improved trust and communication are essential to close off the routes that nation-states will uncover to attack.
And CISOs also can be drivers of change in their organizations. Cyberdefense is much more than technology - it requires policy, governance and cultural changes for security awareness, new types of training and new security procedures. And all of these elements require an effective high-level champion.
As lethal as larger nation-state cyberespionage and potential for cyber-attacks may be, we now have to face small nation-states and the risk of terrorist elements obtaining similar capabilities. As a nation, we have shown in the past that government and private industry can come together and defeat whatever our enemies attempt. We know what we need to do. Now we just have to make it happen.
Mike McConnell is vice chairman of Booz Allen Hamilton and formerly served as the U.S. Director of National Intelligence for two years.