MICHAEL BALBONI
As we observe the 20th anniversary of 9/11, we need to accept that the next terror assault need not depend on explosives, hijacking or suicide bombers. In fact, Afghan-based terrorists may never have to leave their village. A good Wi-Fi signal may be sufficient.
The result, in Afghanistan and throughout the world, are breeding grounds for a new generation of terrorists far more sophisticated in waging war on the West. They understand that attacking democracies can be done with devastating effect by crippling our cyber systems.
That vulnerability has not gone unnoticed. At a recent cyber security summit with executives from Big Tech, the financial industry and infrastructure sector, President Biden urged attendees to “raise the bar on cybersecurity.” As a result, both Microsoft and Google committed billions to beefing up their cyber security over the next few years. While these commitments are a step in the right direction, more urgency is needed.
The recent attacks on the Colonial Pipeline, JBS, the MTA and New York City’s Law Department reveal that bad actors are becoming more skilled and sophisticated by the minute, making it clear they can infiltrate a computer system in either public or private hands with a measure of impunity. As America ruefully recognized after Pearl Harbor, we need to build our defenses yesterday.
To begin, Washington should develop a standardized cybersecurity framework for companies to follow, which includes mitigation strategies for cybersecurity. It is also critical that we have a collective defense system in place that shares best practices, lessons learned and the shifting tactics of the hackers.
Following World War II, the Department of Defense was established to strengthen our defenses both at home and abroad, and the formation of the Department of Homeland Security improved our ability to prevent additional terror attacks after 9/11. A similar approach should be taken to create a new cyber agency empowered to create a streamlined approach to sharing relevant cybersecurity information across public and private sectors. From past intelligence failures we know that silos harm our national security, thus making cyber security a shared responsibility. The TRIA (Terrorism Risk Insurance Act of 2002), which led to the development of anti-terrorism technology that protected us against the most dangerous threats, is a perfect example of effective information sharing. We need to implement a similar framework for cybersecurity.
Officials who oversee sensitive networks must also consider a zero-trust framework. This security infrastructure can be described as two-factor authentication on steroids, and treats any actor or system operating within a security perimeter as a threat, no longer assuming the benefit of the doubt, leading to step-by-step verifications before granting access to any system.
That’s only the beginning. Officials should explore creating a Cyber Corps dedicated to assisting companies and organizations prepare for, protect against, respond to, and quickly recover from cyberattacks.
This can include an educational component, in which the private sector receive trainings on best practices for cybersecurity. Adopting a “train the trainer” model, businesses in turn can then educate their own employees on the best practices for increasing their cyber safety.
Under this framework, officials could mirror the Federal Emergency Management Agency’s (FEMA) financial assistance model, which provides monetary help to those dealing with natural disasters. Officials should carve out funding to assist in a business’ response to attacks, relieving companies of out-of-pocket expenses. A Cyber Corps would provide companies with the tools necessary to mitigate risks and recover from cyberattacks.
And while Washington and the private sector consider bold next steps in improving our cyber security, there are immediate measures that can be taken. Through a process called “red teaming,” companies can retain an adversary to audit their network, find vulnerabilities and score vulnerability levels. They could pursue internal phishing exercises and provide mandatory training for all employees and conduct vulnerability assessments that analyze the architecture of a company’s defense, firewalls and access control and identity management. Having a confidential report detailing the vulnerabilities allows the company to develop a strategy to identify and mitigate their vulnerabilities. It is safe to assume that is a new generation of ISIS and Taliban terrorists interested in carrying out attacks using the internet will find a way to partner with far better equipped bad actors in places as far away as North Korea and Russia. They will be shown the strategies and the techniques to take down a democratic digitized society while sitting in dark and distant villages.
It is safe to assume that is a new generation of ISIS and Taliban terrorists interested in carrying out attacks using the internet will find a way to partner with far better equipped bad actors in places as far away as North Korea and Russia. They will be shown the strategies and the techniques to take down a democratic digitized society while sitting in dark and distant villages.
We still have time to prepare effective cyber defenses — but just.
No comments:
Post a Comment