Is your enterprise or agency vulnerable to information espionage or an electronic attack? That’s the stark question posed by Richard Clarke, author of the new book Cyber War: The Next Threat to National Security and What to Do About It.
Clarke, a national security advisor under three U.S. presidents, contends that the threat level is relatively high in an era of increasingly borderless networks and unmet security risks. While he believes the ability to hold tests and demonstrations held nations in check during the nuclear era, there are no such checks on power — or clear deterrence — in an age of cyberweapons. Indeed, it’s far easier to hide your identity — or pretend to be someone you are not.
This raises the stakes for organizations and agencies that might be vulnerable to external attacks, particularly if they are part of the nation’s critical infrastructure (as is the case with financial services, utilities and telecommunications).
Clarke is urging the government to do more on this front. “As a matter of law and policy, the federal government should actively counter industrial espionage,” he says. “Most U.S. government counterintelligence operations are focused on intelligence against the government, not companies, and most of those are focused on spies. It’s a very 20th-century approach.”
While Britain’s spy agency MI5 will send out warnings to corporate organizations, there’s no agency in the United States that currently has the legal authority to take such actions.
Given these vulnerabilities, Clarke counsels organizations to identify their greatest vulnerabilities — and secure them. “Corporations need to figure out what their crown jewels are,” he says. “You can’t protect everything and defend your entire corporate network equally. It’s not all equally important, either. So is it your intellectual property? Your marketing plans? Your research and development? Isolate them and provide them with special defenses and recognize that the other stuff will escape or be stolen.”
He maintains that organizations tend to be very reactive with regard to such risks. They won’t address them until they’ve already been exploited. Or they’ll argue that attack-proof security is too expensive. “It’s not all that expensive and it may not even require an increase in IT spending,” says Clarke. “We’re spending a lot of money now on cybersecurity software and services that don’t work, or work only against low-level threats.”
Take steps to learn more about how your agency can proactively take protective action by downloading our white paper, Activating Integrated Threat Defense. [PDF]