If you’re like most Americans, the idea that our country doesn’t have a unified cyber defense agency is about as unthinkable as a presidential contest between Donald Trump and Hillary Clinton.
Welcome to the desert of the real.
Our cyber defenses are scattered across three agencies that don’t always communicate well (a generous appraisal) or in a timely fashion, and we’ve never been more vulnerable. As Ronald Reagan (quoting John Adams) famously said during his address to the 1988 Republican National Convention, “Facts are stubborn things.”
On October 21, there was a cyber attack in the United States. At least two “cause hacking” organizations have taken credit for it. If it had been conducted by state-sponsored hackers, it would have been an act of war. How many of your friends and family know about it? A lot, if they only knew how it affected them.
A distributed denial of service attack (DDoS) at around 7 a.m. EDT targeted servers belonging to a company called Dyn, causing severe disruption of Internet traffic to major sites, including Amazon, PayPal, Reddit, Twitter, Tumblr, Verizon, Pinterest, Etsy, Spotify, Comcast, HBO, and even Playstation; the first attack was followed by at least two more attacks.
A Dyn statement said: “this was a sophisticated, highly distributed attack involving 10s of millions of IP addresses.” The way this attack was perpetrated matters. Targeted here were Internet of Things (IoT) devices wrangled together in a botnet that took advantage of weak default passwords set by their manufacturers. These connected and interconnected items (think home routers, smart televisions and security cameras to name a few) were infected with malware and then triggered to send a staggering amount of traffic to select servers in order to overwhelm them and ultimately shut them down.
This is way beyond inconvenience. In 2012, a DDoS attack took out the websites of JPMorgan Chase, Bank of America, Wells Fargo, Citigroup, and other financial companies.
Imagine for a moment that the October 21 DDoS attack had been a test conducted by state-sponsored hackers — and consider, if you will, the possibility that those hackers were gaming a bigger plan — one targeting critical infrastructure such as our power grid, the banking system, our weapons systems, or one designed to disrupt our elections.
Why It Matters
The 2015 attack on the Office of Personnel Management, the human resources department for the United States, where 21.5 million files, containing the personally identifying information of, and deep background investigative reports on, top current and retired national security players and their families, were grabbed should be reason enough to focus serious resources at the problem of our national cyber security.
A more recent attack, equally troubling no matter your political outlook, is the hack of Democratic National Committee emails. We are living in a world where hackers have the capability to disrupt our elections, put key military assets in danger, and shut down our financial institutions.
As things stand currently, the NSA is responsible for protecting national security systems and the DHS takes care of all other security systems. The FBI’s job is to investigate cyber crimes.
Because each agency has to enlist one or both of the others to help, the process can be slowed down, which means precious leads can go cold and clear and present dangers can unfold without an optimal defense.
Three Agencies Need to Be One
On October 18, NSA Deputy National Manager for National Security Systems, Curtis Dukes, gave a speech at the American Enterprise Institute detailing two years worth of cyber attacks. During the Q&A, he stated that it was time for a more unified approach to our cyber defenses.
“I am now firmly convinced that we need to rethink how we do cyber defense as a nation,” Dukes stated, saying that parts of the response teams at the FBI, NSA, and DHS might be combined under one authority to both improve reaction time during a cyber attack and oversee our nation’s defenses against future attacks. He pointed to the UK’s National Cyber Security Centre, which currently approaches cyber in this way.
In a different setting, a call for a three-in-one approach would start a heated discussion about the need for the separation of Church and State, but the three-in-one proposed here requires no mystery and no Holy Ghost. In fact, the only mystery is why we still don’t have an agency dedicated to cyber defense.