Real and Virtual Worlds Becoming One
Threats Don't Always Differentiate Between the Two
On Oct. 1, the state of Michigan will merge its physical and information security operations into a single unit, known as Cybersecurity and Infrastructure Protection, which will be headed by the new Chief Security Officer Dan Lohrmann, the current state chief technology officer and a onetime chief information security officer (see Michigan Merges Physical, Digital Security Functions).
Among Lohrmann's responsibilities will be overseeing emergency management. Michigan has two emergency coordination offices - one for infrastructure and the other for computers - but often they responded to the same emergencies, such as massive blackouts and fires. With the merger, they'll be managed by a single entity.
"We're looking holistically at all the different aspects of emergency management," Lohrmann said in an interview. "That's one area we think we can come together and provide a better service to the state."
Another example of the merging of real and digital is far different from managing emergencies: it involves threats aimed at the real world but carried out in the virtual world. This past week the hacking group Anonymous, on the eve of the execution of Troy Davis for murdering an off-duty police officer - despite the recantation of witnesses and no physical evidence linking him to the killing - threatened law enforcement officers in a tweet:
U.S. Police Officers and Law Authorities Personnel: QUIT YOUR JOB NOW. YOU ARE TARGET. Thank your Government.
As I write this blog midday Friday, no word has surfaced whether Anonymous went through with its threat. Still, the prospect that police officers might find their personally identifiable information posted on a website could have an adverse impact on their day-to-day lives in the physical world.
The merging of the real and virtual can be found in another realm: cyberwar. For many experts, cyberwar only occurs as part of kinetic warfare. Simply, as Surviving Cyberwar author Richard Stiennon points out, cyber is a component of a shooting war (see Cyberwar: Defining It, Surviving It). That's a point echoed by James Miller, principal deputy assistant secretary of defense for policy, who said last year in a lecture (see Placing Limits on Cyberwar): "We understand that not everything that happens in cyberspace is an act of war. As we think of the role of cyberspace in supporting military operations, and the role of cyberattacks as ... the front-end of a kinetic military attack, then we would think about the potential for responses that are not limited to the cyber domain."
Phillip Reitinger, then the highest ranking cybersecurity executive at the Department of Homeland Security, testified before Congress last year that it's more effective to address jointly the risks to key physical and cyber infrastructures (see Linking Physical and Virtual Security): "The private sector speaks the language of all hazards, they worry about risk, as a telecom would say, whether it's from a cyberattack or a back hoe. We, in government, need to step to that, and speak their same language if we want to influence how they behave in an all-hazards way, in a risk-based way, and if something bad happens, physical or cyber, to be able to address it seamlessly."
Patricia Titus, former federal Transportation Security Agency CISO, said in an interview that she agrees with Reitinger (see Physical, Virtual Security Commonalities): "Logical security utilizes infrastructure such as card readers and biometric and video surveillance, which are all based on technologies, so there are cyber implications that are virtual implications. By trying to pull them apart and to put them into different agencies, you're going to have issues between the collaboration that needs to happen between the physical and virtual worlds."
We see the linkage between real and virtual in the growing interest in information risk management, which fundamentally is protecting the information assets that make governments and businesses function.
I've been covering IT and IT security for the better part of a quarter century, and the most notable trends over those years are how IT became integrated into business in the latter part of the 20th century and how, since the dawn of the new millennium, the virtual world has become a significant part of our everyday lives through the use of mobile devices, social media and the convergence of all types of technologies.
In 2005, I interviewed futurist Ray Kurzweil, who predicted that by the 2020s, tiny bots will be injected regularly into our bodies to ward off diseases, and extend our lifespan by scores of years, because of the year-to-year, exponential advances in information technology. Computing devices already are being implanted, so the predictions of one futurist aren't that far-fetched.
Our approach to security must include the real and virtual because the threats we face won't necessarily differentiate between the two.