dgabbard's blog

Delivery of Cyber Situational Awareness Information

Cyber situational awareness requires an all-encompassing approach to threat understanding, analysis, and risk assessment. Internet intelligence, enterprise intelligence, and threat intelligence all play a significant role.

The Case for Internet Situational Awareness

I spend a lot of time talking to people from all walks of life about situational awareness, and what it means for 'cyberspace.' While there are a growing number of people who seem to understand the concept, its importance, and the future trajectory it is on, I find a disproportionately high number of people - even those I would consider expert in this field - either don't understand or have not yet embraced situational awareness and the means by which it can improve security, operational capabilities, and hence the bottom line.
 

Cyber Response Assumptions Part V - Importance of Data Sharing

If the H1N1 outbreaks and the recently foiled airport bombing plans tell us anything, it's that information and information sharing are at the center of response for any significant security event. A significant cyber security event is certainly not going to be any different. Naturally, this type of data sharing should be bi-directional.

Remember the fourth assumption - Data about the event(s) needs to be able to flow both up to decision makers and down to responding organizations.

Cyber Response Assumptions Part IV - Data Flow is Critical

In the aftermath of a significant national cyber security incident, the ensuing coordination effort is likely to be a significant challenge. It's likely to be a challenge for a number of reasons - not the least of which was one of the assumptions outlined earlier:

Cyber Response Assumptions Part III - No Traditional Boundaries in Cyberspace

Let's consider a hospital triage unit. Their job is to prioritize patients based on the severity of their condition, and to ensure that those in need of immediate attention get it quickly, while delaying attention and treatment to those less critically injured. To make a long story short, a patient with a broken arm arriving at a triage location at the same time as a patient in cardiac arrest will likely not receive attention until after the more severely injured patient receives care. It's a relatively well defined, easy to follow system.

Cyber Response Assumptions Part II - Not all Critical Infrastructure Receives Similar Priority

To continue the discussion about cyber response to national emergencies (or even local or regional emergencies - although the concept of a cyber event being contained to a local or regional emergency seems to fly in the face of the whole 'borderless' nature of cyberspace).

Here's the first of the previous assumptions:

- Assumption #1 - Not all components of the national infrastructure (or world's infrastructure) should receive equal priority in a response effort.

Coordinating the Response to a Cyber 9/11

There is no shortage of predictions that the U.S. (and the rest of the world) is vulnerable to and a likely target of a cyber 9/11 or Katrina in the somewhat immediate future. If you believe those predictions, it's not a matter of 'if' - it's a matter of 'when' and 'how.'

With that in mind, there are some reasonable assumptions which can be made about the nature of a cyber event of those proportions, and about some of the practical preparations which can/should be made in advance of them.

‘Militarization’ of cyberspace makes for some interesting thoughts

At the BlackHat briefings in DC this month, Paul Kurtz (an advisor to both the old administration and the current one) made some very salient points about the future of national cyberspace policy – likening the trend to a so-called ‘militarization.’ That’s an interesting thought based on the following logic:

Presidential Policy and Doctrine in the Internet Era

It’s the first week of a new administration in Washington, and while the dust settles on the historic inauguration event, the magnitude of the challenges in front of the new administration continues to grow.  The economy is in a state most agree is as bad as any since 1940. Energy policy needs serious attention in short order. Our military troops are deployed throughout the world, stretching the force thin and creating retention and recruiting problems. Trade deficits are at record levels. The credit markets and the auto industry are in peril. The list goes on and on.

Internet level threats getting tagged as 'security predictions' for 2009

Every January, security analysts and researchers think long and hard about the state of computer, network, and Internet security, reflect on the events from the past year, and look into their crystal ball to make predictions for the coming year.
