LAS VEGAS – Both white hat and black hat security researchers alike today received a sobering warning from the Central Intelligence Agency’s former director of operations: The opportunity has never been greater to foster government cybersecurity awareness, now that the threat paradigm at a national defense level has evolved to include cybersecurity.
Cyber is going to be a key component of future conflict against nations or terror groups.
Cofer Black, former director of operations, Central Intelligence Agency
During a keynote address at the Black Hat 2011 conference, Cofer Black urged the security community to influence and educate government decision makers, many of whom are ignorant of the threats posed by cybercriminals and nations carrying out online attacks that target major corporations, government agencies and the defense industry.
“The issues that you’re involved in are today are of great value to decision makers,” Black stressed. “That is huge.”
Black said cybersecurity is prominent among the different categories, alongside kinetic and bacteriological attacks, featured the government's ongoing threat assessments. As a comparison, he said during the Cold War, intelligence agencies progressed from highlighting potential chemical attacks, to later emphasizing bacteriological, radiological and nuclear attacks.
Black spent 28 years working for the CIA and was appointed director of the agency’s Counterterrorist Center in 1999 and coordinator for counterterrorism for the Department of State. He’s seen the threat of the Cold War, the rise of terrorism and now threats to industry and national security from online attacks. He cautioned that the signs are present and discussions are being held that allow for the contingency that physical, kinetic attacks could accompany serious hacks.
“I am here to tell you the Stuxnet attack is the rubicon of our future,” Black said. “I can’t say I understand how it was executed, but the important point is this is expensive to pull off, which means a nation-state was involved. Another important point is, things happening in your world may lead to physical destruction of national resources. This is huge.”
Responses to cyberattacks, however, are tricky because of the difficulty in tracing the origin of attacks and the lack of international coordination in such cases.
“Cyber is going to be a key component of future conflict against nations or terror groups,” Black said. “The problem is decision makers don’t understand the threats completely because they have not personally experienced them. They may hear it, but they don’t believe it.”
Black’s keynote comes a little more than a month before the tenth anniversary of the September 11 attacks on New York and Washington. Black drew parallels between the intelligence gathered pre-9/11 and what is happening with cybersecurity today.
In the years and months leading up to September 11, Black recalls the dismissive attitude decision makers had about Al Qaeda and Osama Bin Laden, viewing the terror group and its leader as more a of financier of terror, and not an initiator. The threat from Al Qaeda was labeled overblown inside some government circles and by the press as well. This remained the case, even as attacks escalated against Americans overseas, including the 1998 U.S. embassy bombings in Tanzania and Kenya, and in October 2000 against the U.S.S. Cole.
Black recalls advising the Bush administration as the transference of power from the Clinton administration began, that terrorism would be its greatest threat. However, Black said, there was no personal experience, no validation of the threat, and it was downplayed. In the summer of 2001, as the volume of intelligence grew about a major impending attack on the U.S., decision makers were briefed and advised to go to a “war footing”, yet, Black said, there were delays in taking action because the threat had yet to be validated.
“Men’s minds have difficulty adapting to things they have not personally experienced,” Black said.
Black’s point is the lead-up to 9/11 may be analogous to what’s happening with targeted persistent attacks carried out against the defense industry and other high-profile targets.
“The validation of that threat will come into your world,” Black said. “There is an analogy to the tech world in all of this and the situation in your world is far more challenging than you may appreciate.”