NATIONAL HARBOR, Md. – Many information security industry observers believe the recent spate of major cyberattacks, including those against RSA and several defense contractors including Lockheed Martin, were likely the work of China or other foreign governments, but a former secretary of the Department of Homeland Security suggested those sorts of assumptions may be off-base.
During keynote remarks at the 2011 Gartner Security & Risk Management Summit, Michael Chertoff, former DHS secretary, told attendees that in recent years, including his time as DHS head, he’s seen technology evolve to the point where government resources aren’t needed to launch large-scale information security attacks, like the 2007 denial-of-service attacks that knocked Estonia off the Internet for several weeks.
“We live in a world of globalization and technology, so even small groups now have the ability to project themselves around the world, in terms of presence, communications and travel,” Chertoff said, “… and build bigger and more destructive tools and weapons, and unleash them.”
So the types of information security attacks that were once only possible with the resources of a sizable nation-state, Chertoff added, are now within reach of groups like Anonymous, which had a hand in several notable cyberattacks, including the recent network intrusion that led to the takedown of Sony Corp.’s PlayStation Network for more than a month.
“We can have [criminal] networks that can cause serious threats if not existential damage without a nation-state involved. With the confluence of globalization and technology, these groups now have the ability to cause the kind of damage that used to involve national effort,” Chertoff said. “We got a taste of this on 9/11.”
Beth Ruck, an attendee and vice president at Jersey City, N.J.-based security firm Vigilant LLC, said Chertoff’s comments are indicative of how difficult it can be to determine who is responsible for a cyberattack that takes place across international borders, especially now that so many quasi-political and religious groups, like Al Qaeda, are conducting these attacks with the support of governments and government factions.
In order to be ready when an information security crisis occurs, Chertoff emphasized the need for three key elements: planning, communication and decisiveness.
While he echoed the old adage that no plan survives first contact with the enemy, Chertoff said organizations that plan for security crises are better able to adapt to the situation at hand. He noted that the government had no cross-agency disaster response plan ready when Hurricane Katrina devastated the U.S. Gulf Coast, but that three years later, having such a plan significantly aided the government’s response to Hurricanes Gustav and Ike, even though those were different events that required different responses.
Chertoff, who recently co-founded security and risk management consultancy The Chertoff Group, also emphasized the importance of crisis communication, both receiving and disseminating information, specifically “how you convey to the public what they need to know in a way that’s accurate, understandable, succinct and credible.”
He also stressed the need for decisiveness in a security crisis: “You’ll never get perfect information, there’s always something more you could learn, always uncertainty about what you could do, and time is not your friend,” Chertoff said. “You need to be able to act decisively, as inaction is also a decision, but a decision by default.”
Another key theme of Chertoff’s talk was the rising clash between those who advocate for an open, anonymous and inherently insecure Internet, and those who believe security and trust need to be built into the fabric of the Internet. The answer, he said, will likely be the creation of what he called multiple Internets, where the current, largely anonymous Internet exists alongside a more secure set of connections that allow individuals, enterprises and governments to do business securely.
Finally, he made a push for greater basic “Internet hygiene” in which anyone who uses the Internet is taught the importance of maintaining secure systems and how to avoid unnecessary risks, like traveling overseas and leaving a laptop in an insecure hotel room. He said education is an essential element of that, suggesting that even pre-schoolers aren’t too young to be taught about computer security.