At the end of last week, US Defense Secretary Leon Panetta gave his first major speech on cybersecurity. The speech was given during the Business Executives for National Security meeting in New York. It gained some attention in the news. This concept wasn’t entirely new, as Jon Oltsik pointed out in a post – back in 1998 Deputy Defense Secretary John Hamre cautioned the U.S. Congress about the same topics, using the term “cyber Pearl Harbor” back then as well. On the other hand, in March 2012 the US Cyber Chief talked about a tide of cyber criminality. And even while I stated that tide appears to be the wrong term despite the lack of an ebb tide that also showed that this issue is increasingly well understood.
On the other hand, John Oltsik claims that “almost nothing” had been done since 1998 to actually improve cybersecurity readiness in the critical infrastructure. I disagree with his point. A lot has been done. But we didn’t manage to close the gap between the threats and the cybersecurity readiness. This gap might even have become bigger. When I look at what various governments like the U.S. government or the German government and multi-national institutions like the EU are doing, I see that they have started investing. They also, like other organizations, have understood that this is an immense risk. But things are moving slowly, which is no surprise when governments are involved.
The biggest issue, however, isn’t the governments but all the providers within the critical infrastructure, from utility companies to finance institutions and their technology providers. Back in 2010 I wrote a post titled “Is an insecure smart planet really smart?”. That’s where the big problem is: there are far too many initiatives around making the world “smarter”, which either totally ignore security or underestimate the role security plays in being smart. This is not only true for the big initiatives, but also for industry automation and, maybe even more, for automation within households.
It is important to understand that addressing the threat Panetta described is not only a task for governments. It is a task for every single organization. When looking at Stuxnet and Duqu, some organizations far away from the real targets became an attack target as an intermediary step. We need to rethink our security and to become much better at that.