Reports are that the latest round of cyber-attacks has been aimed at large media outlets like the New York Times, Wall Street Journal and Washington Post. Before media, large banks and other financial institutions were being targeted. Before the financial industry, it was something else. All the while, the U.S. government is under constant bombardment from potential cyber threats probing for weaknesses.
Whether you believe that this most recent round of attacks or any of the preceding waves are from China, or whether you believe that, if they are from China, the Chinese government was behind them, one thing should be clear: these attacks are not going away. Last year, we saw the rise of hacktivism. Now, if current theories are correct, we are seeing cyberattacks as revenge and retribution. Media outlets that were critical of Chinese government activities are being targeted.
Cyberattacks for political and nation-state strategic gain are becoming the norm. It is time that we as a country recognize this and do something about it. Having been in information security for over 10 years, I have come to a realization. Perhaps you can call it Shimel's Security Catch-22 Theorem. No matter what, a government or other governing body enacting cybersecurity rules or laws will be flawed; cybersecurity is best left to cybersecurity professionals. On the other hand, though, without some rules or laws the cybersecurity professionals will never get the chance to do so. This dichotomy means that we need some sort of cybersecurity rule or law to be enforced, even if it is flawed, to give the security industry a seat at the table and do what needs to be done.
Previous attempts by our government to enact cybersecurity legislation have been foiled by lobbyists and special interest groups. The fact is many in the security industry have opposed cybersecurity legislation because we know it will be far from perfect and could harm as much as help. But without it, we are never going to have the opportunity to do something to protect our country until after it is too late.
There are those predicting a cyber Pearl Harbor. They know that it is only a matter of time until something beyond annoyance or moderate financial loss takes place that will finally awaken the country to the fact that we need to get serious about security. I am sure that when that happens there will be some who, like the people who say FDR knew about the Japanese attack beforehand, will claim we let this happen because we wanted it to force our hand.
But why do we have to wait until after the attack? The writing on the wall is plain enough for us to see now. I suppose with the dysfunctional government we seem to currently have, the difficulty of getting a cybersecurity policy or law in place should not surprise us. But there comes a time when you really do have to act for the good of the country.