Avoiding Cyber Threat Amnesia

My involvement in the non-profit educational and research organization Cyber Conflict Studies Association over the last several years has led me to an observation about federal policy makers and cyber security. This observation probably applies to many commercial organizations and to academia (and possibly even to you) so we may be talking about human nature here. But the phenomenon was definitely clear by my review of historical documents and actions of the federal government.

My involvement in the non-profit educational and research organization Cyber Conflict Studies Association over the last several years has led me to an observation about federal policy makers and cyber security. This observation probably applies to many commercial organizations and to academia (and possibly even to you) so we may be talking about human nature here. But the phenomenon was definitely clear by my review of historical documents and actions of the federal government. My hope is this review will help us address this in US policy.

What is amnesia? It is a condition where memory is lost. When it comes to the cyber threat to federal organizations we have a long list of evidence that this is occurring. The following is my list of evidence. I’m publishing it in the hopes that you can fill in the blanks on any other major events where our great institutions have learned and forgotten. We should study this phenomenon so we can prevent it in the future.

So, with that, below is the list of what I consider to be the federal government’s top “Wake-Up Calls” that the cyber threat is real:

• 1970 and 1971 – The Defense Science Board publishes what will be known as the “Ware Report” highlighting the potential dangers to department information in the coming age of connected computing. This report was widely seen as a “wake up call” for computer security and caused changes at institutions like the National Security Agency to enhance the departments security posture.
• Nov 1988 – The Morris Worm was released and propagated throughout internetworked systems including those of the federal government. This “wake up call” resulted in establishment of computer response organizations throughout DoD and also resulted in increased funding for computer security research being provided to academic organizations and institutions. The CERT/CC at Carnegie Mellon University was funded.
• 1995 – The President’s Commission on Critical Infrastructure Protection (PCCIP) was widely regarded as a “wake up call” for the entire federal government and since it was extensively coordinated with industry and academia was also seen as a way forward in cybersecurity for the entire nation.
• 1997 – Deputy Secretary of Defense John Hamre was quoted as saying “Solar Sunrise was a wake up call for DoD.” This activity resulted in increased funding to cyber defense organizations and the creation of a new joint activity called DoD’s “Joint Task Force Computer Network Defense” or JTF-CND (Gourley was first Director of Intelligence (J2) there).
• 1998 Assistant Secretary of Defense Art Money was quoted as saying “Moonlight Maze was a wake up call for DoD.”  This activity resulted in enhanced counterintelligence resources and more information sharing across the DoD law enforcement and counterintelligence.
• 2009 Director of National Intelligence Admiral Blair testified that “Buckshot Yankee was a wake up call” for the government. This activity resulted in more awareness and more funding for cyber security throughout the federal government.
• 2010 Deputy Secretary of Defense Lynn writes that “Google’s Aurora attacks were a wake up call for us all.”  This wake up call resulted in stronger, deeper coordination across the federal space and underscored need for a DoD strategy.
• 2011 Deputy Assistant Secretary of Defense Bob Butler says “Wikileaks was a wake up call for DoD.”   This wake up call resulted in significant activities and planning across the federal space aimed at enhancing security of information from disclosure.

That is the list as I see it. Those are the wake-up calls that I know of. Can you add more?  Or perhaps a bigger question is, can you help find ways to prevent this continued pattern of waking up then going back to sleep?

One way to prevent this pattern is to be more proactive. Perhaps my next post will be on the list of significant proactive things the nation has done in cyber security. So far I only have two item on that list. 1) The all of government coordination activities of the Cyber Initiative. The bad news is that was long ago, and 2) The establishment of US Cyber Command.  Do you know of others so significant that would make that cut? What else should be done to mitigate Cyber Threat Amnesia?