Commentary, 5/20/2013, 12:33 PM
Should CIOs Hire Cyber Pinkertons?

If a full-on cyber war breaks out, what will your company do? Avoid the Internet or hire a cyber Pinkerton?

If a cyber war breaks out, what's a CIO to do?

Prepare for cyber bombings? Get off the Internet and avoid the virtual front? Let the government step in and take over cyber defense for private networks? Hire Pinkerton-style paramilitaries to go out and crack cyber skulls?

These are some of the questions raised in a recent talk about cyber war and civil liberties given at Harvard's Berkman Center for Internet & Society by Timothy H. Edgar, the first White House director of privacy and civil liberties.

Edgar told a crowded room that we are not in a cyber war, at least not now. But some would consider Stuxnet an act of war -- although the U.S. does not. And what company wouldn't want a little help staving off Anonymous?

"In some ways … we are in a September 10th moment," said Edgar. "The intelligence community is screaming that we have problems and we need to do something about it."

Edgar argued that as attacks from all sorts of sources have increased, the U.S. government is increasingly concerned with protecting computer networks, particularly those at companies involved with critical infrastructure. But security concerns must be balanced with expectations of privacy that are a basis of our democracy, and also with the need to maintain a competitive economy.

"How are we going to maintain a free Internet with personal privacy?" Edgar asked. "Will we destroy the Internet to try to save it?"

Rearchitecting the Internet to make it more secure would likely disrupt some of the things that have made the Internet popular and commercially useful.

He pointed out that although President Obama has said the government won't dictate security standards to private companies, and won't monitor private sector networks and Internet traffic, it is already doing so. "What I take this promise to mean is we will not have a comprehensive Internet monitoring program to use cyber security to do programmatic monitoring of all kinds," Edgar said.

CIOs can help themselves by adopting technologies such as private information retrieval, a cryptography technique that will let a company give limited access to records in its databases.
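Private information retrieval is only named above. As an added illustration that is not from the article or Edgar's talk, here is the classic two-server XOR scheme in Python over a constructed sample database (record contents and function names are my own), including the collusion caveat that the two replicas must be operated independently.

```python
import secrets

# Constructed sample database: equal-length records, replicated verbatim on two
# servers that are assumed not to collude (the standard 2-server PIR setting).
RECORDS = [f"record-{i:02d}".encode() for i in range(8)]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def make_queries(n, index):
    """Client: build two n-bit query vectors that differ only at `index`.
    q1 is uniformly random and q2 is q1 with one bit flipped, so each vector
    on its own is a uniformly random string that leaks nothing about `index`."""
    q1 = [secrets.randbelow(2) for _ in range(n)]
    q2 = list(q1)
    q2[index] ^= 1
    return q1, q2


def server_answer(db, query):
    """Server: XOR together every record whose query bit is 1.
    The server never learns which record the client actually wants."""
    acc = bytes(len(db[0]))
    for rec, bit in zip(db, query):
        if bit:
            acc = xor_bytes(acc, rec)
    return acc


def pir_fetch(index, db1=RECORDS, db2=RECORDS):
    """Client: query both replicas and combine the answers.
    Every record selected by both q1 and q2 cancels out in the XOR; only the
    record at `index`, selected by exactly one of them, survives."""
    q1, q2 = make_queries(len(db1), index)
    return xor_bytes(server_answer(db1, q1), server_answer(db2, q2))


def colluding_index(q1, q2):
    """Caveat: if the two servers share their queries, privacy is gone. The
    requested index is simply the one position where the vectors differ."""
    diffs = [i for i, (a, b) in enumerate(zip(q1, q2)) if a != b]
    return diffs[0] if len(diffs) == 1 else None


if __name__ == "__main__":
    print(pir_fetch(3))  # b'record-03'
```

Each server's view is a uniformly random bit vector regardless of the requested index, which is the property a company would rely on when opening a database to outside queries.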

Edgar also says CIOs in firms considered part of the U.S.'s critical infrastructure need to expect that they will be asked, or possibly told, to adopt the Einstein intrusion detection system.

"The pros would be a central command and control structure, access to the latest technology (ideally), and it's funded by the taxpayers rather than each company," said a cyber security special agent at the Department of Defense, who asked that his name not be used. CIOs would likely gain access to classified intelligence on geopolitical threats that could enrich understanding about certain markets. They would be less likely to run into international incidents, and if they chose to respond to an attack, they would have federal blessing.

The drawbacks, he said, could include 24/7 government attention, limited threat data sharing -- because the government doesn't need to share if it's doing the protecting -- more intimate knowledge of your specific corporate network, and the potential that the government might make mistakes that damage corporate bottom lines.

CIOs also should be aware of the NIST Cybersecurity Framework, and be prepared to adopt its best practices recommendations, he said.

A CIO could argue that the government can't protect itself, so how will it protect the rest of us?

But does that mean CIOs should prepare to go on the offensive? In the physical world, it would be unthinkable. But Edgar says cyber law is a greyer area. The U.S. itself has declined to sign treaties that ban cyber weapons. And what would they ban? Social networks are seen by some governments as destabilizing forces.

Edgar thinks some companies could decide to go on the offensive in their own right, particularly multinationals, whose personnel outside the U.S. might be exempt from U.S. anti-hacking laws.

"A lot of companies aren't going to go there," he said. But he told InformationWeek that companies could certainly hire their own cyber-Pinkertons, who could have the freedom to try to take down cyber attackers.

Of course, doing so could land CIOs in the middle of an international incident, if they go after a cyber attacker that turns out to be part of a foreign government. The same holds true for CIOs overseas, who could find themselves engaged with U.S. cyber forces.

It's a complicated issue. CIOs need to know the terms of engagement.

Comments
Michael Fitzgerald, User Rank: Moderator, 6/1/2013 | 9:50:32 PM
re: Should CIOs Hire Cyber Pinkertons?
The first thing companies should do is take care of all the little things they don't do. Even social engineering can be blunted, with reasonable training. As this piece in the Washington Post argues, companies would help themselves a lot by not being so inept. http://articles.washingtonpost...

Michael Fitzgerald
IW contributor
Andrew Hornback, User Rank: Apprentice, 5/25/2013 | 10:44:29 PM
re: Should CIOs Hire Cyber Pinkertons?
The strategy of "The best defense is a good offense" doesn't seem to apply in cyberspace.

If someone DDoSes your organization, do you DDoS them back? Is that an effective use of resources? Find me an accounting organization that would sign off on that sort of thing, doubt one exists.

The biggest problem with cyberdefense is that the greatest defense in the world can be defeated with something as simple as social engineering - how does one defend against social engineering attacks in an ironclad way? Remove the man from the control loop? Ever seen War Games?

You also run into the differences in national laws as a stumbling block to being able to fight back. Laws in the US are different from those in, say, France, Botswana or Tajikistan - but each one is connected and has systems that either can or have been compromised and can be used in a cyber attack.

The ability to route attacks through different countries is a hindrance as well - what laws apply when you're a company in the US and you are being attacked by packets that are getting routed through France, Botswana and Tajikistan? Where's the jurisdiction of record? What's considered an act of war may not be an act of war in another jurisdiction.

It's going to get messy and muddy - clarity will come when dissecting the first major multi-national cyber conflict. We can only hope that those writing the history know what the truth really is.

Andrew Hornback
InformationWeek Contributor
lgarey@techweb.com, User Rank: Apprentice, 5/21/2013 | 8:29:26 PM
re: Should CIOs Hire Cyber Pinkertons?
Seems like a prerequisite to deciding to retaliate is ironclad attribution -- which is pretty unlikely even for the government. Do you really think a private company can have a sufficient level of certainty? Lorna Garey, IW Reports