Strategy, Not Knee-Jerk

Today a lawmaker who was briefed on the Federal Office of Personnel Management breach of employee data leaked that the incident is far worse than originally reported. Not 4 but maybe as many as 14 million records of federal employees, past and present, are in the hands of the bad people. Very disturbing. http://bloom.bg/1Fc8EMx

These record sets are what is known as “fulls” or “fullz” in the hacker lingo. They are full sets of information. Names, addresses, phones, social security numbers, pay, health records, military service records, and – most damaging – security clearances. Think of the opportunities. Think of the damage. Think of the outrage from the victims that their very safety and personal property has been exposed.

Plus it may have come from China.

But what bothers me most is the knee-jerk reaction from the Congressional hawks. They want a response. They want to declare war. They want to go to the alleged perps’ servers and destroy data. John McCain is almost shouting for a “preemptive strike.”

It’s another example of governmental leaders making quick decisions without thinking through the implications or consequences. Cyberwar is nothing trivial. Not only could it unleash a storm of “weaponized code” – as my clients in the information security world call it – but it may not come only from a few sources like China or North Korea. The entire hacking community could get involved. That’s a lot of enemies. The implications are chilling.

McCain spoke about the ability to shut down the US power grid from abroad. If the US declares cyberwar we can probably expect exactly that type of action. The hawks will have guaranteed it. Often the government takes action without thinking through the unintended consequences.

Stuxnet, the malware developed to attack Iran’s centrifuges concentrating nuclear material, turned out to be reverse engineered and various versions were dropped back into US systems and weapons systems.

Let’s not forget that the Snowden incident was a game-changer. One person was able to create an entirely different perception about government collection of data on upstanding citizens. He revealed the capabilities of the NSA and the US Cyber Command. Cybersecurity is an area where one person can create significant damage.

It is never good strategy to reveal your thinking to your enemy. “What’s wrong with you Santino? Never let someone outside of the Family know what you’re thinking.” Is it really a good idea to rattle sabers if you don’t have a prepared strategy to back it up? We can almost guarantee that one does not exist.

The smart way to approach this problem is with a two-pronged effort. One is the ratification of US and worldwide law that provides severe penalties for these actions. That’s what McCain should be backing and initiating with his history of taking brave political initiative. But the other prong should be a robust but clandestine plan to penetrate, invade, creatively disable enemies and deal with as many resulting contingencies as possible.