Introduction
The terrorist attack on the September 11th still stands as a wake up to the state on the need to develop counterterrorism measures that take into consideration deterrent measures of possible cyber attacks. While there have been major strides in the development of policies in regard to cyber attack, there still remain a number of weaknesses that must be explored to ensure the safety in the management of information. Furthermore, the constant usage of networks of computer systems attached to the internet poses the greatest danger of cyber attacks. Both the government and the private sector accept the reality that our infrastructure in the form of information systems demands new and effective approaches to cyber security. According to Gourley (2008), “among the ideas being considered is the possible declaration of a national policy of “Cyber Deterrence.”
The strengths of US policy to prevent a cyber attack
The strengths of the policies on the deterrence of cyber attacks include a number of measures that seek to disable the capacity of the enemy to achieve its objectives. The policy of asset confiscation of individuals and organizations involved in the assistance of the enemy in terms of either financial or technical is a major stride in the fight against cyber attack. Executive Order 13224 issued by President Bush as illustrated by (Day, Berry & Howard Foundation, 2004) expounds that it “prohibits transactions with individuals and organizations deemed by the Executive Branch to be associated with terrorism and allows the government to freeze all assets controlled by or are in the possession of these entities and those who support them”.
The capacity to launch a cyber attack in the United States must be accompanied by adequate funding and technical skills on computer information management and computer forensics. The denial of these two fundamental aspects of cyber attack planning renders the enemy in- effective. The major shift toward the policy of deterrence strengthens the United States ability to defend itself against a possible cyber attack. “In a national security context, deterrence is an influence strategy designed to prevent attack and it involves understanding adversaries and what motivates them, communicating to adversaries in a way that makes it perfectly clear what behaviors will put them at risk, and demonstrating an ability to respond” Gourley (2008). In addition to the above, funding to organizations that have failed to implement the accepted levels of information management systems are frozen. “Agencies won’t be able to spend money sought to modernize their IT systems until they show improvement in information security management and that the agencies should use money sought for new IT development to improve information-security management if additional resources are needed to resolve weaknesses” (Chabrow, 2004).
This policy is geared towards ensuring that all relevant agencies comply with the rules of safe information management that are effective in deterring cyber attacks. The office of management and budget, in its effort to coerce agencies to institute safe information management systems, demand a report on information security measures undertaken by these agencies. Office of Management and Budget (2003) demonstrates this by indicating strongly that “Continuation of IT security performance measures that involve the reporting of the results Agencies and IGs work against a key set of IT security performance measures”.
Weaknesses of US policy to prevent a cyber attack
The application of the above policies have greatly assisted in the deterrence and prevention of cyber attacks in the United States but a number of weaknesses and challenges in the implementation of some of these policies still opens a window of threat to the United States critical infrastructures. It is worth appreciating that deterrence still remains the policy in combating cyber attack yet still, a notable list of challenges and weaknesses still form part of complications in the full implementation of this policy. In the deterrence policy alone, there stand at least six weaknesses. Gourley (2008) states that “These six challenges have been with us since the start of the Internet age and if there were simple solutions to any of these, they would have been solved by now”. This indicates that not all of these challenges and weaknesses have been solved and as such cyber attack cannot be fully deterred. “Addressing these challenges will likely require mobilizing the intellectual capital of a broad swath of experts in industry, academia and government, yet still, the nation has responsibilities to our citizens that require defense”(Gourley, 2008).
The most challenging aspect in the analysis of the weakness of this policy is the attribution of attack. The possibility of deterring comes along with the ability to punish and you cannot punish without attribution. The key challenges of this policy remain in the technical aspects of it. The state of current internet accepts anonymity and as such the details of the user may be concealed. “Adversaries can spoof addresses, use anonymiser servers, and use open access to the net from a wide range of physical locations” (Gourley, 2008). Secondly, correct and accurate identification of the enemy still remains a weakness in the policy on cyber attack. Gourley (2008) effectively demonstrates the complexity and weakness of this policy by stating that “We already know the many kinds of threat actors in cyberspace (Nation State, Terrorist Group, Organized Crime, Hackers, etc), and we have a great deal of experience in defending against them and, unfortunately, suffering losses to them, but a deterrence strategy requires even more knowledge and deterrence requires an understanding of how adversaries view their security and how they assess risk”. In addition to the above, Gourley (2008) continues to explain that “Deterrence also requires an understanding of how adversaries might assess their cost/benefits and adversaries might not be concerned about our responses if they think they will be measured and proportional”.
The third challenge lies on our ability to prove that we have the technical capacity to identify our attacker without undermining the procedures and steps we have applied in this application. The number of personal computers has surpassed the one billion mark and is rapidly rising. In recognizing that any of these PCs and cell phone has the capacity to launch a cyber attack, the complexity and weakness hinges on the fact that we cannot positively and accurately identify the individual behind the attack and going further to maintain the procedures employed (Gabrys, 2002).
Evaluation of the strengths and weaknesses of US policy
Our ability to protect our information and infrastructure rests on our capacity to understand and evaluate our strengths and weakness in regard to cyber attacks. Cordesman (2002) clearly illustrates that “cyber terrorism is a growing global threat and as such state actors and the private sector must improve their management information security to remain safe”. While this indicates a higher level of cyber security threat and the need to strengthen our strengths and reign on our weaknesses, the statistics alone are still very grim. A large number of organizations still remain exposed to possible cyber attack threat due to lack of full implementation of secure information management systems. “In its annual Federal Government Information Security Management report to Congress, OMB says fewer than two-thirds of federal IT systems had been accredited by December 31, falling far short of its goal of 80% and still, that was an improvement over 2002, when only 47% were certified” (Chabrow,2004).
Such statistics indicate to us that even though we have made serious steps in reducing the level of threats posed to our institutions and infrastructure by possible cyber attack such as strengthening our institutions, improving our information management systems and initiating major security measures, the weaknesses of our policies still overweigh their strengths. This reflects that we are still not assured of total security safety and our information and infrastructure are still exposed to possible cyber attacks. To bridge the gap between our strengths and weaknesses in this regard, the approach is to focus more on research. “Strengthening defense while continuing research is the mantra of the day when it comes to cyber defense, cyber deterrence and all other aspects of cyber conflict and cross-functional, cross-discipline, public and private intellectual work remains before a solid foundation for success can be laid” (Gourley, 2008).
Importance of computer security and its effects on the critical infrastructure of the US
The determination of the importance of computer and cyber security is a central tenet in understanding the need to protect our critical infrastructure. It is true that critical infrastructure faces threat from cyber attack (Verton, 2002). The central role of computer security lies on the ability to reduce the risks associated with cyber attacks. Lewis (2006) demonstrates that “homeland security Policy Directive 7 (HSPD 7),which lays out federal priorities for critical infrastructure protection, begins by noting that it is impossible for the United States to eliminate all risk and calls on the Secretary of Homeland security to give priority to efforts that would reduce risk in critical infrastructure and key resources that could be exploited to cause catastrophic health effects or mass casualties comparable to those from the use of a weapon of mass destruction”. To understand the importance of computer security in detail, a definition of the word risk must be carried out. According to Lewis (2006), “for the purposes of this article, the definition of risk used to assess the need for cyber security will be the probability of an outcome that (a)causes death and injuries, (b) affects the economic performance of the United States and (c)reduces U.S. military capabilities”.
The effects of cyber attack on the critical infrastructure of the United States would be of devastating results. In this context, the critical infrastructure refers to a number of critical industries fundamental to economic stability and development. “According to the National Infrastructure Protection Plan, food and water systems, agriculture, health systems, emergency services, information technology and telecommunications, banking and finance, energy (electrical, nuclear, gas and oil, dams), transportation (air, road, port waterways), the chemical and defense industries, postal and shipping entities and national monuments and icons constitute some of the critical infrastructure.” (Lewis, 2006), It is therefore a fact that the importance of computer security in the protection of critical infrastructure lies on the assumption that most of the operations of these critical infrastructures depend almost wholly on computer networks.
The economic effects of a cyber attack on any of the critical infrastructure would be huge measure to the economy. An examination of the telecommunication, finance and the electrical power failure to a cyber attack would have a direct effect on the national security in that these institutions remain the cornerstone of our security and safety aspects. The banking industry remains at constant threat to cyber attack and the amount of loss would be huge enough to cripple the whole banking sector (Smith, 2004). An example includes an attack on Fedwire. Lewis (2006) illustrates that “Fed wire, the financial settlement system operated by the Federal Reserve Banks, provides a crucial service to banks and interfering with Fedwire would cripple (temporarily) the U.S. banking system and as such the Federal Reserve has expended considerable effort to harden Fedwire, and the Fed’s desire to prevent online bank robbery provides an incentive to continue these efforts”.
US legal requirements regarding computer security and cyber security
There are a number of laws and amendments to the existing laws and executive orders in regard to cyber attack and computer security in the United States. These includes Patriotic law, executive order Executive Order 13224 issued by President Bush which “prohibits transactions with individuals and organizations deemed by the Executive Branch to be associated with terrorism and allows the government to freeze all assets controlled by or are in the possession of these entities and those who support them” (Cordesman, 2002). The patriotic law instills a sense of patriotism by denying the assistance to organizations deemed as involved in terrorist organizations financial and technical assistance. Furthermore, this law has gone through amendments to fully deter assistance to terrorist groups. Day, Berry & Howard Foundation (2004) illustrates that “As amended by the Patriot Act, Federal law now imposes significant fines and terms of imprisonment for any entity that provides material support or resources knowing or intending that they are to be used in terrorist acts or by Foreign Terrorist Organizations and the term “Material support” encompasses an exceptionally broad range of assistance, and would appear on its face clearly to include grants, microfinance services and many types of technical assistance – if the recipient engages in terrorist acts or is a Foreign Terrorist Organization”.
A Comparison of the difficulties and needs of a competent computer forensics program to effectuating results within public and private venues
Competent computer forensic experts face a lot of difficulties in their efforts to carry out their duties effectively. This is based on the fact that cyber attacks can be launched from any part of the globe (Boyle, 2005). The differences that exist in the laws as regards the obtaining of information for forensic examination complicates their operations in such countries that do not have strong democracies and legal frame works capable of dealing with this threat. Furthermore, there is a tendency of private and public organizations to distort information so as to conceal sections of information that they consider sensitive. Such practices complicate the work of computer forensic experts. Lastly, the long process of obtaining the legal authority to carry out their duties within the information management systems of these organizations deters the speed at which they perform their work.
References
Boyle, M. (2005). The latest hit: CSI in your hard drive. Fortune, 152(10), 39.
Chabrow, E. (2004). OMB: Security First. Web.
Cordesman, A. H. (2002). Cyber-Threats, information warfare, and critical infrastructure protection: Defending the U.S. CT: Praeger.
Day, Berry & Howard Foundation (2004). What US. Nonprofits and Grant makers Need to Know. Web.
Gabrys, E. (2002). The international dimensions of cyber-crime, part 1. Information Systems Security, 11(4), 21-32.
Gourley, B. (2006). Towards a Cyber Deterrent.
Lewis, J. A. (2006). Cybersecurity and Critical Infrastructure Protection. Web.
Office of Management and Budget. (2003). FY 2003 report to Congress on federal government information security management. Washington, D.C.: OMB. Web.
Smith, G. S. (2004). Recognizing and preparing loss estimates from cyber-attacks. Information Systems Security, 12(6), 46-57. Web.
Verton, D. (2002). Critical infrastructure systems face threat of cyberattacks. Computerworld, 36(2), 8. Web.