It is not the norm for corporations to be the focal point of a war fought between nation states, but the threats of today place us in exactly that situation. The reason these threats jointly implicate the public and private sector is that the "cyber domain" is under attack by an organized public/private sector threat, and until we recognize that fact and address it, we will continue to fail to protect it. The truth is that unless corporate America — the private sector — works with the public sector, we may not stop a cyber event that could be as destructive as Pearl Harbor or Sept. 11.
The Internet as we know it started as a public sector project that quickly morphed into what it is today — a large, interconnected network connecting an unimaginable number of different devices that are both public and private sector, which never turns off. While in the past people imagined "cyberspace" as simply just a series of websites, those days are long gone.
Today, with the number of devices that are constantly connected to the world-wide network that is the Internet, the "cyber domain" includes a number of different computers, including those that control our financial system, critical infrastructure, as well as a variety of other devices in any number of different industries. These devices are central to our everyday existence, particularly when one includes mobile devices, as well as the ever-increasing number of control devices that are networked.
Since this "always on" world of connectivity places the resources of the United States, both public and private sector, on the same global network as those of nations and others who seek to do us harm, you cannot "raise the drawbridge" in today's world of cyber attack — if you are part of the cyber domain, you are constantly open to potential attack.
And the threat we face is that organized groups are working to find and exploit an information imbalance and create an asymmetric threat. An information imbalance is a situation where one side of a conflict has superior information regarding the weaknesses of the other. If that superior information relates to the weakness of another party, it can then be used to create an asymmetric threat, which is a threat that is targeted to, and exploits, another's weaknesses.
The best example of this is Sept. 11, contrasted with Pearl Harbor. Pearl Harbor involved an organized, but symmetric threat. For Sept. 11, al-Qaida did not need their own army or air force. In fact, they didn't need organized military. They simply needed utility knives (perhaps even box cutters), training, and more importantly, information about how our system of air travel worked. By creating this information imbalance, they were able to perpetrate a devastating asymmetric attack on the United States.
The lesson of Sept. 11 was not lost on the public sector — it realized the nature of the threat and has taken steps to address it, and one need only examine a recent speech by Defense Secretary Leon Panetta to see this. In a recent presentation, Secretary Panetta illustrated the true nature of the threat — state sponsored activity that is increasing in intensity and, with the potential to disrupt to our way of life. In discussing the nature of state-sponsored activity, he was clear: "A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack on 9/11." Panetta also believed that "Such a destructive cyber terrorist attack could virtually paralyze the nation." Panetta continued, "We know of specific instances where intruders have successfully gained access to these control systems." He also stated that "We also know they are seeking to create advanced tools to attack those systems and cause panic, destruction and even loss of life."
The critical point is that the examples Secretary Panetta uses are not attacks on the Department of Defense, or other public sector resources — they are attacks on the financial institutions and energy sector — by the government resources of another nation state. This threat is not limited to the financial or energy industry. If you are a group seeking to do us harm, why attempt to detonate a WMD, when you instead can attempt to hack a Supervisory Control and Data Acquisition (SCADA) device that controls a water supply? Or why not attempt to disrupt the medical services in a large area by attacking the systems of a large hospital chain, or even a major health insurer. This can be done by a direct attack on the company, or by an attack on a company that is part of the chain of delivery of the necessary product or service. As a result, the threats are nearly endless and span a multitude of businesses that are not just in the energy or financial sectors.
In sum, as the physical war in the Middle East winds down, we now face a new, more diffused threat — organized well-funded, attacks by entities that are state sponsored or part of organized crime networks. These actors seek to create information advantages that can be turned into asymmetric threats, and these threats are a clear and present danger to our society. The only chance the private sector has to combat these threats is to organize itself and utilize certain tools to help address these concerns. This includes through the doctrine of Information Superiority and increased information sharing.
Written by Andrew Serwin, chair of the Privacy Security and Information Management Practice at Foley & Lardner LLP.