According to press reports today (e.g. the WSJ) the US President has signed a new Executive Order on cyber changing the rules expressed in Presidential Policy Directive 20. What the Journal article says is the President is seeking to deter election interference and theft of intellectual property through more "forceful responses". This will make a lot of people in the Defense Department and a few Congressmen happy, but the proof will be in the administration of the programs that come from it and not the statement of a policy the allows for cyber responses.
The Obama Administration believed a response to a cyber attack did not have to be a cyber attack by the U.S. Sanctions, and similar actions would be just as good in deterring attacks by our adversaries. How did that work out? Not so good.
The North Koreans attacked Sony; the Russians tried to undermine the national elections in 2016; the Iranians attacked US banks, and a bunch of hackers continue to make a living at criminal enterprises based in places they cannot seem to be extradited. A more forceful response is a good idea but the least of our concerns.
In my last testimony on the Hill I was asked a question about the wisdom of a more aggressive response to some of the incidents we have had. I said we are not ready to do any such thing. There are quite a few hotshots in the government who think we can strike in ways that will deter others from doing further attacks, but I think it will encourage better attacks, not an end to them. This is not a government-only war. Our businesses are not ready to respond to attacks, as their track record with protecting proprietary information would show. They will get pummeled, and our government cyber forces are no better.
All anyone has to do is read the string of Inspector General reports over the last few years and know that government security is not doing the job. There are exceptions. Some companies are very good, and a couple of government agencies are great. The counter attacks will not be directed at them. We better be careful about what the folks at Cyber Command think they can do, because they consistently overestimated their capability and underestimated the infrastructure's ability to resist attacks.
No comments:
Post a Comment