Speaking at the Shangri-La Dialogue security summit, Defense Secretary Chuck Hagel again warned the Chinese to stop their cyber spying activities, suggesting they should renew the dialog to reduce “the risk of miscalculation and escalation in cyberspace.”
In response, the director of the Center for China-America Defense Relations, Maj. Gen. Yao Yunzhu, explained: “Human beings by nature would like to apply military operations in any newly found space where human activities become important,” and the damage that cyberwar could cause “might exceed our imagination.” This threat, he suggested, may “help us to build a consensus on the banning of war in cyberspace altogether, but personally, I’m not optimistic about it.” he concluded.
The indictment of five Chinese military hackers in early May, led to break-up of the dialog Hagel was referring to, but it will do nothing to stop Beijing from continuing to cause untold billions of dollars in damages to the U.S. economy.
Hagel’s and President Obama repeated statements that the U.S. is serious about holding foreign governments accountable for crimes committed in cyberspace do nothing to stop our adversaries from stealing our commercial and military secrets, or interfering in U.S. cyberspace.
Such attacks also include spoofing or jamming of our communication systems and devices that dependent upon the U.S. Global Positioning System (GPS). Yet, a large number of radio frequency jamming devices are advertised and sold in the here despite the 1934 Communications Act that strictly forbids the manufacturing, marketing and importation of jamming devices into the U.S. Clearly, the Federal Communications Commission’s enforcement efforts are not enough to curtail this problem.
Moreover, there is little, if any, public concern regarding possible interference with Coordinated Universal Time (UTC), which provides the essential synchronization critical to every large or small digital system and device that our critical infrastructures have become dependent upon.
The rapid pace at which cyber-related architectures and wireless technologies are evolving and integrating makes us more efficient and more vulnerable at the same time. Our military services, (including soldiers wearing special helmets reliant upon vulnerable terrestrial and space-based wireless technologies), are increasing the risk to the nation’s military logistics and actual war fighting abilities. (What will happen on the battlefield when the ear-piece is silent?)
Indeed, the criticality of the Electric Magnetic Spectrum and timing are often ignored when defining cyberspace, therefore the policies to secure it are flawed.
The National Institute of Science and Technology (NIST), at the Department of Commerce, is the federal agency in charge of communicating UTC to critical systems and all other networks. Earlier this month, NIST released the latest draft of its Guide to Industrial Control Systems (ICS) Security, seeking public comments.
Well-defined standards governing cyber-defense methodologies, whether mandated or voluntary, would greatly simplify today’s confusing muddle.
For example, while there is worry about the vulnerability of the electric grid and communication systems, we are slow to put in place dedicated, individual systems and backups. The DoD’s development of alternative timing systems may well ensure their communication channels, but the public and private sectors will remain vulnerable.
Purposeful interference does more than effecting our economic interests. It poses an existential risk to our ability to prepare and survive man-made or nature caused disasters.
Now comes a new GAO report entitled “Agencies Need to Improve Cyber Incident Response Practices.” The GAO conducted audits of 24 major agencies, 6 of them in depth, and determined that these “federal agencies have not consistently demonstrated that they are effectively responding to cyber incidents categorized as a security breach of a computerized system and information.”
Meanwhile, the number of cyber incidents reported by federal agencies increased from 34,840 in 2012 to 46,160 in 2013. How many were not reported?
The GAO report’s punch line is that, in 65 percent of cases, the agencies surveyed did not completely document actions taken in response to detected incidents. “For example,” GAO reported, “agencies identified the scope of an incident in the majority of cases, but frequently did not demonstrate that they had determined the impact of an incident. In addition, agencies did not consistently demonstrate how they had handled other key activities, such as whether preventive actions to prevent the re-occurrence of an incident were taken.”
In the 6 agencies reviewed in depth, “all had developed parts of policies, plans and procedures to guide their incident response activities,” but”their efforts were not comprehensive or fully consistent with federal requirements.”
The GAO also reported that while the Office of Management and Budget (OMB) and DHS had conducted “CyberStat” reviews, those reviews “have not addressed Agencies’ cyber incident response practices.” Further, DHS and US-CERT haven’t developed performance measures for evaluating the effectiveness of the assistance they provide to agencies.
Though we hear more about the need for cybersecurity, we hear very little about the vulnerability and proposed alternatives to our satellite-dependent timing system, the GPS. Our unmitigated vulnerabilities are taken advantage of by our adversaries, whose hacking, jamming, spoofing, and spying are responded to with nothing more than meaningless indictments and empty threat.