This blog post at Computer World has an inflammatory headline, which should hopefully get some attention from CISOs (Chief Information Security Officers).
I generally appreciate Richard Clarke’s work, but it should be taken with a grain of salt. His positions on information security remind me a lot of Al Gore’s positions on global warming. They both overemphasize and focus on worst-case scenarios, but they do so because they see a problem being largely ignored. That said, I think the big takeaway from this is that although we face many attacks from foreign nations (a fraction of which are state-sponsored), the main target of the attacks is not the military or government.
The Department of Defense has pretty strong policies in place to protect its information systems (how well those policies are implemented varies widely). An external attack would require a lot of work for relatively little payoff. Insider threats (such as Bradley Manning) are the issue that should really worry the military.
It is private industry that is being assaulted from overseas, because this so-called “cyberwar” is a war of economics. Corporations are global entities, and by obtaining inside information of a U.S.-based corporation, foreign companies and individuals can gain a distinct advantage.
To use one of my favorite movie quotes:
“The world isn’t run by weapons anymore, or energy, or money. It’s run by little ones and zeroes, little bits of data.”
Too many companies are lax on security because they think they don’t have anything desirable. “We don’t have any military contracts or credit card information, why would we be a target?”
These companies end up being some of the biggest targets, since they are easier to exploit and their inside business information can be as valuable as stolen credit card numbers, if not more so.