Speaking at this years RSA Security conference in San Francisco, Deputy Defense Secretary William Lynn was worried about al-Qaeda getting Stuxnet:
al-Qaeda operates as a network comprising both a multinational, stateless army and a radical Sunni Muslim movement calling for global Jihad…Characteristic techniques include suicide attacks and simultaneous bombings of different targets…beliefs include that a Christian-Jewish alliance is conspiring to destroy Islam, embodied in the U.S.-Israel alliance, and that the killing of bystanders and civilians is religiously justified in jihad. (From Wikipedia)
William Lynn is the same official at the US Department of Defense who doesn’t believe in offensive measures to combat cyber terror. In his article several months ago in Foreign Affairs Lynn claims:
Given these circumstances, deterrence will necessarily be based more on denying any benefit to attackers than on imposing costs through retaliation. To stay ahead of its pursuers, the United States must constantly adjust and improve its defenses.
Let’s see if we can connect the dots.
1. Who is the attacker?
Lynn has just reiterated that the Obama administration officially considers al-Qaeda a threat to the US, markedly ignoring the Muslim Brotherhood – since the US considers the Muslim Brotherhood a secular, democratic political organization. Neither is Mr. Lynn concerned with other Islamic terror groups like Hamas or the PLO.
2. What are the best security countermeasures against the attack?
Despite believing in good cyber security defenses, Mr Lynn does not offer any security countermeasures against al-Qaeda deploying Stuxnet and falls back on the American shoe bomber security philosophy, considering yesterday’s attack, not tomorrow’s attack.
This is the same security management strategy that resulted in millions of airline passengers taking off their shoes in a fruitless, ineffective security countermeasure against a one-time, one in a million attack.
3. Is Stuxnet a cost-effective attack against the great Satan?
Of course – al-Qaeda might deploy Stuxnet against US critical national infrastructures but then again it might be cheaper and more effective for a Muslim terror organization to do something different – like use Facebook to make friends with a DC college student, make a date with her in Manhattan and have her ride the Red Line to Reagan Airport in DC, go through the non-security measures there, not get profiled and use a text message to a bomb in her bag to blow up in the line of people taking off their shoes, killing 20-30 civilians and taking down the US transportation infrastructure for the day.
4. Is the Obama administration more concerned with media exposure than with combating Islamic cyber terror?
Director of National Intelligence James Clapper told a House panel. al-Qaeda appears more focused on making inroads to unsuspecting Muslim youth through social media. Is Mr Clapper speaking with Mr Lynn, or is the Obama administration making the same mistake that the Bush and Clinton administrations made where the CIA collects intelligence, the DOD defends, the FBI investigates civilian crimes but no one connects the dots?
As I wrote in April 2009 about the Obama cyber security policy review, I was reminded of Melissa Hathaway’s 2009 speech to the RSA Security conference which featured a few cute gems like this one:
“….Matthew Broderick in War Games, Robert Redford in Sneakers, Sandra Bullock in The Net, and Bruce Willis in Live Free and Die Hard. These and other movies present the types of issues that we should care about and solve together.“.
As I wrote back in April 2009 – I thought we should wait 6 months after the report is made public and see how many cost-effective security countermeasures the government Cyberspace security task force has produced.
Less than 6 months later, Ms. Hathaway resigned. People familiar with the matter said Ms. Hathaway had been “spinning her wheels” in the White House, where the president’s economic advisers sought to marginalize her politically. (See Siobhan Gorman’s Wall Street Journal piece from August 2009.
Gorman covers national intelligence issues at WSJ and has written stories exposing the NSA’s computer problems—including those in its multibillion-dollar Trailblazer program aimed at identifying electronic data crucial to the nation’s safety).
Cross-posted from Israeli Software