Science

We’ve gone from the Cold War to the “Code War,” said the moderator of a panel on cyber security at the Aspen Security Forum on Friday—and right now we’re in about 1938.

Bloomberg’s Allan Holmes was making the point that cyber security is in its infancy—and that few corporations, governments or organizations have the tools to battle the next generation of cyber crime. 

Holmes was reflecting the view of his panelists—a former CIA director and two executives in the industry—who all agreed that cyber security is a major weakness in the U.S. (and the world over) that needs to be addressed with, as one panelist put it, “a total new narrative.”

The panelists pointed to various recent cyber attacks on large companies, such as Sony and Lockheed, and the Stuxnet worm that crippled an Iranian nuclear plant a year ago, as evidence that cyber attacks are on the rise and getting more and more capable of doing physical damage.

“It’s pretty bad and it’s going to get worse, because cyber attack is not only a technological issue but it relates to a culture, it’s connected to very deep cultural issues,” said Mati Kochavi, CEO of AGT International, a private group of technology security companies. “It’s also very easy to do it, because you can do it from a distance and it’s becoming almost impossible to find you.”

Kochavi said there are three types of cyber crimes: cyber threats that relate to warfare, cyber services from criminal organizations (who can use legitimate websites to offer services such as robbing a bank), and “social cyber,” in which people fight for deep ideological reasons. “And that’s a much more complicated part of the equation,” he said.

The sheer growth of the Internet is another reason for concern—there are two billion internet users now with an estimated five billion by 2020. When the Internet was being developed, one panelist pointed out, with the goal of delivering information quickly and easily, security was not a high priority.

But with the increasing capability of cyber criminals to attack not only individuals but also large companies, infrastructures, and even nations, what can be done? The view on Friday’s panel was somewhat grim.

“Everything we’ve known from the past is not going to work here,” said Kochavi. “All the collective brain we have here does not have the experience to deal with this new phenomenon, and the ability to secure our day-to-day infrastructure is nearly impossible.”

The problem in the private sector, said panelist Jon Ramsey, executive director of the counter threat unit at Dell, is that it doesn’t have the authority to go after the “bad guys.” Currently individuals and companies are responsible for protecting their own information.

“We now have a new domain in which we don’t have the paths trampled down in the forest in terms of what the government is expected to do,” said Michael Hayden, a former director of both the CIA and the National Security Agency. “And in the cyber domain you are expected to defend yourself more than in any other domain.”

Hayden said the private sector needs to be redefined to defend against cyber attacks, with incentives or disincentives from the government, since usually it is the private sector that steps in to fill such gaps.

The panel wrapped up by debating whether cloud computing would be better or worse for cyber security. Kochavi said it would be easier to regulate clouds. Hayden said cloud computing—which shares resources among users such as servers and switches—is problematic because it lacks the barriers of traditional computing. But on the other hand with its economies of scale it might be more easily protected, he said.

“I think it’s a matter of perspective,” Ramsey said. “If you’re not going to do anything to protect yourself, get on the cloud because they’re probably doing more. But the risk is aggregate. It’s like if you live next to a neighbor that runs a crackhouse.”