Thoughts on 9/11 and CyberthreatsThinking of the Unthinkable
Fears of a cyber 9/11 focus, not on a terrorist organization, but on a nation-state seeking to disrupt our key information networks, banking systems or electric grids. Little evidence has surfaced in the past decade that terrorists have the interest or wherewithal to stage a massive cyberattack. Groups such as al-Qaida focus on physical and human assaults; for instance, the threat surfacing of potential terrorist attack in New York and Washington over the weekend marking the 10th anniversary of the Sept. 11 are not aimed at IT networks, but at property and people (see Feds Confirm 9/11 Terrorist Threat).
Yet, physical assaults could disrupt IT networks. So, the main concern of IT security managers should be disaster recovery and business continuity planning. Being ever vigilant is the main lessons of 9/11. "Have your plans always up to date and ready to execute at a moment's notice," says Karen Evans, a former federal CIO (see 9/11 Remembered: What We've Learned).
The unthinkable was suddenly thinkable and the known risks weren't only known to us, but could be easily exploited by the terrorists unless we took real fast action.
Some IT security experts believe cyberterrorism cannot exist. One skeptic is Jim Harper, coauthor of last year's Terrorizing Ourselves, a book that contends politicians use fear for political purposes and spend vast sums of money on dubious security measures. In an interview I had with Harper when he was writing the book (see Are D.C. Insiders Stoking Cyber Fears?), the director of information policy at the libertarian Cato Institute said: "I think there is no such thing as cyberterrorism because cyberattacks can't cause terror. They don't scare us and that is an essential element of terrorism as the name implies."
Harper may have a point. IT security professionals don't fret too much about terrorists threatening their systems. A Symantec survey of global IT security managers earlier this summer listed terrorism as dead last among seven risks that could threaten their businesses.
Still, just because Harper dismisses and I doubt the potential of a terrorist cyberattack, that doesn't mean it couldn't happen. After all, how many people 10 years ago imagined terrorists hijacking several jetliners in a single day and crashing them into the World Trade Center and Pentagon? Sept. 11 teaches us to be prepared for the unexpected. "Think the unthinkable," says Patrick Howard, chief information security officer at the Nuclear Regulatory Agency. "When we consider the threat, concentration on the worst-case scenarios is not only viable, but essential," he says.
The 9/11 attack served as a wakeup call to a wide variety of threats the nation faced.
"The day after 9/11, everybody realized that these (IT security) weaknesses had to get shored up very quickly," says Mark Forman, the federal CIO on the day of the terrorist attacks (see Shifting Course on Infosec Post-9/11). "The unthinkable was suddenly thinkable and the known risks weren't only known to us, but could be easily exploited by the terrorists unless we took real fast action."
A decade later, Forman says he feels IT systems are much more secure than they were in 2001.
DHS as a Cybersecurity Leader
The biggest impact on government IT security from the Sept. 11 attack was the creation of the Department of Homeland Security. The impetus of DHS was to thwart future attacks such as those that occurred in New York, Virginia and Pennsylvania. But over time, more of the federal government's efforts to secure government and civilian information security shifted in DHS, especially since President Obama took office in 2009. Indeed, Obama in May proposed legislation to give more cybersecurity authority in dealing with threats to executive branch systems to DHS (White House Unveils Cybersecurity Legislative Agenda).
Forman thinks the administration's plan presents new challenges in governing IT security in the federal government. The E-Government Act of 2002 gave much of IT security authority to the White House Office of Management and Budget and the administrator for e-government and IT (the federal CIO). "That's really hard for one federal agency to oversee another federal agency," Forman says. "It will be very interesting to see bureaucratically, how successful that becomes."
The 9/11 attacks had a major impact on those charged with keeping government IT operational.
Before the aforementioned Karen Evans became the top IT official in George Bush's White House, she served as a senior manager at the Office of Justice Programs in the Justice Department, a job she held on Sept. 11, 2001. In an interview I had with Evans (see 3 Questions for Karen Evans), I asked her what was her most memorable moment in her career?
"That's really easy for me to talk about is because of the work that I did after Sept. 11 and that was when I was at the Office of Justice Programs and I was given the opportunity to work directly with the fire department up in New York City, the police department and the Port Authority and there were benefit programs that OJP had available. They were under the Public Safety Officers Benefits Program and so we had the opportunity to work directly with them.
"And in an aftermath of that, it's really very interesting because they weren't letting a whole lot of people help them. They wanted to take care of themselves. You can imagine how fire departments, police departments and things like that, and they were very open to our programs. I'm still friends today with several of the people who I worked with that had to administer those benefit programs for the fire department. It really was a very moving, emotional experience. It was something that really helped me to be able to explain to my family what I do for a living because it was very real, because every day I would be late and tell them I'm working on something and he could see direct impact because they were talking about it on TV about how the federal government was helping the city of New York recover."