Should CIOs Hire Cyber Pinkertons?

If a full-on cyber war breaks out, what will your company do? Avoid the Internet or hire a cyber Pinkerton?
If a cyber war breaks out, what's a CIO to do?

Prepare for cyber bombings? Get off the Internet and avoid the virtual front? Let the government step in and take over cyber defense for private networks? Hire Pinkerton-style paramilitaries to go out and crack cyber skulls?

These are some of the questions raised in a recent talk about cyber war and civil liberties given at Harvard's Berkman Center for Internet & Society by Timothy H. Edgar, the first White House director of privacy and civil liberties.


Edgar told a crowded room that we are not in a cyber war, at least not now. But some would consider Stuxnet an act of war -- although the U.S. does not. And what company wouldn't want a little help staving off Anonymous?


"In some ways … we are in a September 10th moment," said Edgar. "The intelligence community is screaming that we have problems and we need to do something about it."

Edgar argued that as attacks from all sorts of sources have increased, the U.S. government is increasingly concerned with protecting computer networks, particularly those at companies involved with critical infrastructure. But security concerns must be balanced with expectations of privacy that are a basis of our democracy, and also with the need to maintain a competitive economy.

"How are we going to maintain a free Internet with personal privacy?" Edgar asked. "Will we destroy the Internet to try to save it?"

Rearchitecting the Internet to make it more secure would likely disrupt some of the things that have made the Internet popular and commercially useful.

He pointed out that although President Obama has said the government won't dictate security standards to private companies, and won't monitor private sector networks and Internet traffic, it is already doing so. "What I take this promise to mean is we will not have a comprehensive Internet monitoring program to use cyber security to do programmatic monitoring of all kinds," Edgar said.

CIOs can help themselves by adopting technologies such as private information retrieval, a cryptographic technique that lets a company give limited access to records in its databases.

Edgar also said that CIOs in firms considered part of the U.S.'s critical infrastructure need to expect that they will be asked, or possibly told, to adopt the Einstein intrusion detection system.


"The pros would be a central command and control structure, access to the latest technology (ideally), and it's funded by the taxpayers rather than each company," said a cyber security special agent at the Department of Defense, who asked that his name not be used. CIOs would likely gain access to classified intelligence on geopolitical threats that could enrich understanding about certain markets. They would be less likely to run into international incidents, and if they chose to respond to an attack, they would have federal blessing.

The drawbacks, he said, could include 24/7 government attention, limited threat data sharing -- because the government doesn't need to share if it's doing the protecting -- more intimate knowledge of your specific corporate network, and the potential that the government might make mistakes that damage corporate bottom lines.

CIOs also should be aware of the NIST Cybersecurity Framework, and be prepared to adopt its best practices recommendations, he said.

A CIO could argue that the government can't protect itself, so how will it protect the rest of us?

But does that mean CIOs should prepare to go on the offensive? In the physical world, it would be unthinkable. But Edgar says cyber law is a greyer area. The U.S. itself has declined to sign treaties that ban cyber weapons. And what would they ban? Social networks are seen by some governments as destabilizing forces.

Edgar thinks some companies could decide to go on the offensive in their own right, particularly multinationals, whose personnel outside the U.S. might be exempt from U.S. anti-hacking laws.

"A lot of companies aren't going to go there," he said. But he told InformationWeek that companies could certainly hire their own cyber-Pinkertons, who could have the freedom to try to take down cyber attackers.

Of course, doing so could land CIOs in the middle of an international incident, if they go after a cyber attacker that turns out to be part of a foreign government. The same holds true for CIOs overseas, who could find themselves engaged with U.S. cyber forces.

It's a complicated issue. CIOs need to know the terms of engagement.