链接: http://pan.baidu.com/s/1pJ4uzj1 密码: fb46
From Risk to Resilience: The Global Mission to Secure Cyberspace
Thomas Joseph Ridge
Sept. 24, 2014
Good morning ladies and gentlemen.
First, I would like to thank the several sponsors of this conference for their invitation. It is a pleasure to join you. The digital world is full of promise and of peril. It has neither geographic nor political boundaries. It has an ever expanding cohort of attackers – nation states, hacktivists, organized crime, individuals. The attack surface expands everyday as does the level of complexity and sophistication of the malicious code. Cyber-attacks are a global menace and meeting the challenges to manage those risks and to build a culture of resiliency within an organization is critical to its survival and success. I am pleased to offer my thoughts on these and related subjects at your conference today. I have had the opportunity to serve my community and my country in many difference capacities. Those experiences, from my time as an infantry soldier in Vietnam to my service as the first Secretary of the U.S. Department of Homeland Security, have provided priceless opportunities to observe, learn, perform and lead. The totality of those experiences provide the foundation for the thoughts and opinions I share with you. I am old enough to have witnessed the dawn of the internet, the growth and ascendancy of the hyper connected, inter dependent digital world and bold enough to predict the opportunities and challenges of the digital forevermore are permanent. The digital sun will never set.
It wasn’t that long ago that the original computer based data transmission protocol was created to facilitate communication between the U.S. Department of Defense and major research universities. While certainly primitive compared to the digital global ecosystem that drives commerce and culture throughout the world today, its core features remain the same.
The internet is an open system based on anonymity. It was not designed to be a secure communication platform. The opportunities and vulnerabilities within this global network, with electrons racing everywhere, and the capacity, uncertainty and inter dependency within the network bring us together at this conference. The ubiquity of the internet is its strength. The ubiquity is also its weakness. We are all exposed to the potential malicious and malignant use of the internet. We all have a role and a need to combat its improper use. The risk escalates every day. It is a clear, present and permanent danger! The malicious actors are known to all of us. Nations, organized crime, hacktivists, and individuals. Some governments are complicit with these actors. Some are indifferent to their activity. Others are fully aware, but unable to control it. Their motivations and desired outcomes are known to us as well. Disruption, sabotage, theft, espionage. We also know that these digital trespassers are motivated, resourceful, focused and often well financed. As the former U.S. Secretary of Defense Donald Rumsfeld once observed about certain conditions on the battlefield, all of these elements in the digital space are “known knowns”. A comparison with contemporary war fighting, particularly with special operations, illustrates the challenges faced by those responsible to defend their country, company or organization from exploitation by the cyber guerrilla warrior. Cyber soldiers are asymmetric fighters. They eschew traditional battlefield strategy and tactics. They camouflage their identity and activity in the vast, open and often undefended spaces of the internet. Their reconnaissance capabilities are both varied and effective. They constantly probe for weakness, an unauthorized point of entry, a “crack in the defense.” They often use low tech weapons to inflict damage, yet they are able to design and build hi tech weapons to overcome specific defenses and hit specific targets.
The major American retailer, Home Depot, recently reported that a unique previously unseen malware was responsible for the exfiltration of over 56 million pieces of personal information. Attackers have the ability to adapt. Defenders must do so as well. Holding your enemy accountable from the air, land or sea is easier than in the digital space. A military sentry on guard at the perimeter can eliminate the aggressor on sight. Attributing a digital breach to a specific actor and holding him accountable in a meaningful way is often impossible. Let’s be clear. A digital perimeter defense, at one time the most important barrier to attack, is now just part of a multilayered defense strategy. In the 21st century, there are only two kinds of organizations: those that have been hacked and know it and those that have been hacked and don’t know it. There is a Chinese proverb that states “flies never visit an egg with no crack.” Well, the internet is full of cracks. The barbarians are no longer at the gate. They are inside and often exquisitely concealed. That is the chilling and permanent reality of the digital universe forevermore. If this is the reality, then how do governments and companies organize themselves to deal with it? Are they built to play offense, defense or both? For centuries, governments have fought to gain information about their adversaries. As Sun Tsu wrote: “It is only the enlightened ruler and the wise general who will use the highest intelligence of the army for purposes of spying and thereby they achieve great results.” First, by intercepting letters. By the 19th century, the efforts included intercepting telegraph messages. And, in the 20th century, radio and telephonic communications. But today, cyber traffic is more than just communicating. The digital world is connected to critical industrial control systems, financial systems, life sustaining systems and more. All susceptible to attach and destruction. There have never been any international norms around such behavior. And the possibility of a cyber-attack or attacks escalating into conflict is real. Nations will always act to protect, promote and improve their national and economic security interests.