Cressey: Cybercrime, Cyberespionage, Cyberwarfare

COLORADO SPRINGS, Colo. (Apr. 11, 2011) — Roger Cressey, senior vice president, Booz Allen Hamilton, speaking today at the Space Foundation’s Cyber 1.1 event in Colorado Springs, said that, formerly, threat analysis focused more on capabilities than intent. In the post-9/11 environment, however, he said that the roles are reversed. “We know a great deal about Al Qaeda’s intent,” he said. “The question is what their real level of capability.”

Cressey said that cyber threats are now being exploited at an “unprecedented scale” in all sectors, including commercial and military, by actors from all around the globe. “In the past year,” he said. “We have seen the ‘Four Horsemen’ of the cyber-apocalypse: Wikileaks, Stuxnet, Google penetrations and the penetration of NASDAQ.”

Cressey said that term “cyberterrorism” has taken away from discussion of real issues. “Thus far, the Internet has not been used as an attack vector by terrorist actors,” he said. “But, it has been a means for using social networking to improve coordination, recruiting and general information warfare.”

Cressey said that there are three main focuses for the interagency approach to cybersecurity:

• Cybercrime
• Cyberespionage
• Cyberwarfare

“Cybercrime is an important element since it provides the most ready store of lessons learned and details about emerging threats before they are picked up on by other actors,” he said.

The second area Cressey discussed, cyberespionage, addresses theft of secure information from the government and military, as well as intellectual property from the private sector. Cressey said that there are more than 100 intelligence agencies looking to penetrate DoD networks. “Clearly we have risks from more than just traditional opponents alone.”

He said that the DoD has stated that terabytes of data have been stolen, including numerous high-profile systems such as the F-35 Joint Strike Fighter and Blue Force Tracker. “Not only do these threats represent a security threat, they also pose a grave danger to our Defense Industrial Base,” he said. “Since they erode our economic effectiveness.”

The third area Cressey discussed is the specter of cyberwarfare. While he said there is a low likelihood occurrence, he also said that cyberwarfare has very severe consequences. Although, much of the threat from state actors has been effectively deterred, according to Cressey, there is an open question, however, on how we deal with state-supported, state-facilitated or state-tolerated actors, and how we craft a broader deterrent response involving the full spectrum of cyber, kinetic and other capabilities. “Further, he said, “there is a significant question about how responses to lower-tier threats, such as Stuxnet, which could rapidly escalate to much more dramatic and dangerous activities.

“Generally speaking,” Cressey said, “the threat of data manipulation is more significant than the threat of data deletion or theft. So much of modern decision making and analysis is predicated on the assumption of ‘accurate, consistent and accepted.’ If these assumptions are no longer valid, it will inhibit decision-making and command at all levels, including at the national command level.”

Looking forward, Cressey said that progress on the Comprehensive National Cybersecurity Initiative is insufficient. “First, we need to improve our doctrine. Are concepts like deterrence, retaliation and so on from the Cold War coming back in the cyber context? How to apply these concepts to new non-state actors? From the government side, clearly DHS needs to be the public face of the interagency cyber effort, but the muscle will have to come from the NSA.

“The second area we need to focus on is more effective prioritization of weaknesses, he said. “A recent report indicated highlighted 18 top-level priorities for cybersecurity, which clearly doesn’t present a useful means to think about prioritizing risks.”

Within the realm of critical infrastructure, Cressey said that work needs to be done on supply-chain security. “Given the number of systems with embedded code at all levels, there is a threat at the system, sub-system and component levels in both hardware and software that has yet to be addressed. To tackle this and the broader question of cybersecurity, we need to move from a ‘Coalition of the Willing’ model to a ‘Coalition of the Required’ approach that synthesizes the worlds of both the ‘dot com’ and ‘dot gov’ to create a new hybrid approach.”

Finally, Cressey said that the third element to addressing cybersecurity involves better workforce cultivation and management. “We need to get more people who understand that cybersecurity is important. This raises the question about whether we need an e-Sputnik type of top-level, strategic investment in human capital. This too, should effectively involve both the public and private sectors.”