While our White House director of privacy and civil liberties, Timothy H. Edgar, said that we’re not in a cyber war, it’s something that a CIO needs to think about. The U.S. government might not have thought of Stuxnet as an act of war, but that doesn’t mean that others haven’t looked at it that way. And with groups like Anonymous, it’s easy for a company to fall prey to cyber attacks, whether or not it’s a full-blown war.
Edgar admitted that the intelligence community is telling us that we have problems and need to be prepared. The U.S. government is worried about protecting networks, especially networks at companies that have critical infrastructure. However, there is an issue standing in its way: privacy is a basis of our democracy.
One of the major worries about restructuring the internet around security concerns is that it could severely disrupt many of the things that make it useful, both commercially and personally. Although President Obama has made it clear that there will not be a full-scale government internet monitoring program, there is technology that CIOs can use to help themselves.
Private information retrieval, which is a cryptography technique, will allow companies to give limited access to any of the files in their databases. And Edgar told CIOs at firms that handle critical infrastructure that they should know that they could be told to use the Einstein intrusion detection system. The drawbacks of this, though, could include things like limited threat data sharing, 24/7 government attention, government interference that could damage profits, and detailed information about a CIO’s corporate network.
This leads a lot of CIOs to think that they need to be on the offensive, something that’s really only possible in the cyber world. It’s unclear what a cyber weapon even is these days, considering the impact social networking has had in some countries. Multinational companies are especially in a grey area, considering some of their personnel could be exempt from American anti-hacking laws.
But this could easily end in an international incident, such as if a CIO went after an attacker that ended up being part of an overseas government. And it’s not just because of this that many companies aren’t hiring hackers to take down cyber attackers. It’s a complicated issue and, right now, no one knows the stakes.