cipherbrief


Locked Doors, Open Windows: Failures in Guarding Private Sector Information

Not a day goes by that Americans don't wake to the news of a new cyber intrusion affecting private sector or government networks, whether major cyber hacks at Target or Equifax, sloppy data breaches like those Verizon experienced, or nation-state-sponsored efforts like the WannaCry virus. Companies and institutions are pouring more time, attention and resources into computer network security, because the networks are so critical. But why lock the front door when you leave the windows wide open? Bad actors can launch attacks and gain access to critical information through other routes too.

As seen with the widely reported interference in democratic elections, attacks can be launched cheaply and relatively easily by criminals, nation-states, terrorists, disgruntled employees, or even good people with sloppy habits who accidentally expose critical data. As a former Secretary of the Air Force, I can tell you that Air Force networks are attacked—and these attacks are repelled—thousands of times per week.


This is why, in addition to network security, the Air Force is focusing more resources on operational security. The private sector should follow suit.

Operational security means protecting assets that depend on lines of code in software to conduct missions, whatever those missions might be. This could involve anything from protecting advanced fighter aircraft to the HVAC systems on a base where critical operations take place. It could include the MRI machine in a hospital entrusted with sensitive patient data. Our critical infrastructure—the electrical grid and transportation systems, for example—can be equally vulnerable from an operational perspective, if network security is the sole focus.

The solution is to broaden the national cybersecurity approach to include "endpoint security" for vital operational systems. Stated another way, we need to wrap firewalls around certain vital machines to ensure that an intrusion in one area will not allow for a more extensive penetration to the broader network.

Consider a fictional scenario in which a U.S. nuclear facility is breached. A terrorist group launches a “cyber-physical attack” by unleashing a virus that penetrates sensors that monitor cooling. The malware is introduced when an infected flash drive is inserted into a network laptop during maintenance to adjust, for example, process sequences. The laptop is presumed to be safe because it's not connected to the internet—it is "air gapped." The virus targets specific endpoints that manage fail-safe functions such as temperature maximums. The virus tells temperature sensors to stop working. At the same time, it tells other mini computers to escalate heat-generating functions. The result could be catastrophic overheating and, ultimately, a meltdown.

Such an attack, and many others we haven't thought of yet, are preventable when control systems are more deeply protected. Each device and sensor comprising the network can and should be shielded from malware that gets through the figurative front door.

Here's the bottom line: we need a holistic approach to cybersecurity going forward, including network and endpoint security. Focusing on one but not the other could result in crippling losses in today's machine-to-machine marketplace.

The government and the private sector need to keep working to lock the front door, and start doing a better job of bolting the windows.
