We are in a renewed period of great power competition. During the Cold War, the areas of competition were well-defined but devastating. Cyberspace has expanded the areas of confrontation, and the stakes are not as dire as nuclear war. Yet we have not figured out all the norms or how to compete effectively. The theft of intellectual property and interference in elections have become commonplace. The threat to our critical infrastructure has increased as we have discovered evidence of our adversaries compromising the networks of our critical infrastructure to better prepare for attacks against us.
The preamble of the U.S. Constitution calls for the federal government to "provide for the common defense." The rest of the Constitution puts restraints on the government to protect the liberty of the people. During the first few centuries of the Constitution's history, this division of duties has served us well. In this new era of competition, we must protect our liberties while defending our society in cyberspace. Businesses, universities, and possibly homes have been subject to cyber-attacks by foreign actors, and the federal government has not been able to stop them.
The federal government is trying to limit our exposure to nation-state attacks through cyberspace. A combination of "persistence forward" in cyberspace and bringing all components of national power (diplomatic, information, military, and economic) to bear so as to raise the cost of cyber-attacks is a new policy, and probably long overdue. Its effectiveness remains to be seen, and it is unlikely that this alone will be enough.
The concept of our critical infrastructure as an area that we must defend from cyber-attacks is universally accepted from an abstract point of view. I don't think that many people who operate IT systems in our critical infrastructure think of themselves as being part of our national defense, but they are. The Department of Homeland Security has designated 16 sectors as critical infrastructure, 85% of which is owned and operated by private industry. Should these sectors be hit by a cyber-attack, there would no doubt be an immediate impact on our society. These sectors are broadly defined, and within them there are many businesses that probably don't consider themselves a part of our nation's critical infrastructure. I'm not sure retail gas stations, ATMs, and trucking companies think of themselves as part of our critical infrastructure, but coordinated cyber-attacks on them could have a big impact on us. There are also companies not designated as critical infrastructure whose failure could multiply our woes. For example, the media is not part of our critical infrastructure, but information operations and cyber-attacks on media can increase the impact of attacks on our critical infrastructure. The attack on the Qatar News Agency website that planted a false story almost escalated into a kinetic war. An information operation conducted by the Russian Internet Research Agency during the last presidential election has caused distress among many in the U.S. We know information operations can be effective. A cyber-attack that is accompanied by an information campaign to sow mistrust could result in significant damage to our society.
Our adversaries have felt free to conduct information operations and have shown that they are prepared to use cyber-attacks against us. The federal government can't completely protect us. All of us in IT have an obligation to protect our systems, not just for the good of our companies, but for the good of society.
The CEO of the Girl Scouts, Sylvia Acevedo, has said that we have to write software "patriotically and with civic values." Her point is that we can't accept software that doesn't comply with our ethics and values, and that we can't create software that our adversaries can use against us. (Full disclosure: Ms. Acevedo is an engineer with a distinguished track record in the tech industry.) Creating insecure software does not just impact the company or even its customers; it can impact our national security. I would expand her statement to say that we must "operate our IT systems patriotically and with civic values." Canadian-trained engineers wear an iron ring to remind them of their obligations to society. They work for their firms, of course, but they also have an obligation to the society whose safety depends on their work. I think IT professionals have a similar obligation.
We must write better software. We write life-safety software with very few flaws, but it is expensive. A consumer products company wouldn't last long investing in software written to life-safety standards, but we must do better than we do now. Regulation might be the answer, but it would be nice to take action before our lawmakers react to a disaster. Much of our tech supply chain is in countries that can compel companies to cooperate without the oversight of an independent judiciary. We must build secure systems regardless. Somehow, we must create and run software that has fewer bugs and is easier to defend.
We must maintain our systems. Look at the news of the latest cyber-attack: the city, company, or hospital was running out-of-support software with unpatched vulnerabilities. Public opinion, the press, and our elected leaders respond by accusing the organization of being irresponsible. We in IT know how hard it is to keep up with patching and to configure systems securely. Today, businesses are reluctant to invest in replacing systems that work fine but are full of vulnerabilities. CIOs have difficulty spending time on projects that shore up security versus those that deliver capability. These are some of the challenges that we must overcome to create a more secure technology ecosystem.
It will take effort from across our society. Emphasizing security will take resources away from innovation. Regulation will be a drag on the economy. We invested billions in nuclear weapons that were never used in order to survive the last period of great power competition; it will probably take billions to survive this one.
Right now, the burden of securing our IT ecosystem falls on the IT workforce. We are, essentially, the front line in this conflict. You may not have thought you were signing up to protect our society when you went into the IT field, but you did. You probably won't get thanked. In fact, it is more likely you'll get grief for not delivering as fast as your users want. Like most heroes, you'll have to be content knowing you have done the right thing and that it was important.