The challenge of talking openly about cyber

Defense Secretary Leon Panetta is set to make a major speech on cyber security on Thursday night, but U.S. officials acknowledge that thus far they have fallen short in publicly explaining the nature of cyber threats and the government’s efforts to respond to them.

"Protecting ourselves in cyberspace is an important issue we need to talk about, but it’s exceptionally difficult to be forthcoming and reassuring when so much of our effort is classified or sensitive," a senior White House official told Killer Apps on Oct. 10.

"The truth is that we are actively working with all the tools at the government’s disposal, day in and day out, to protect the American people from some very serious cyber threats. But the last thing we’d want to do is harm our ability to protect ourselves by putting all of our tactics, techniques, and procedures out in the open for our adversaries to see," the official said. "So, we end up speaking in broad strokes about the principles of our policies as a substitute for providing the details."

The result has been a lot of vague public discussion with little public action (and plenty of classified action, we’re told).

Just this past month, there have been numerous Washington forums on cyber security with the intent of ‘framing the debate’ and to ‘better inform the public about the grave risk posed by a ‘cyber Pearl Harbor.’ And experts say that massive amounts of intellectual property — equivalent to trillions of dollars or a Library of Congress worth of data — is being stolen from American firms by hackers in far off lands.

Still, government officials lament that the public — especially banks, airlines, utilities, and Internet service providers — isn’t doing enough to protect its networks from cyber attack. Some of the same government officials also complain about Congress’s failure to establish laws dealing with minimum cyber security standards, information-sharing practices about cyber threats, and a clear picture of who is responsible for defending the country against different types of cyber threats.

The high degree of classification surrounding the government’s work is a big hindrance.

"Because the capabilities are so sophisticated, they’re rapidly evolving, and they are on the edge of where our intelligence capabilities meet our military capabilities, there is a hesitancy to speak openly about what the American government is doing to protect the nation from cyber attack," a Pentagon official told Killer Apps on Oct. 10.

"But, the reality is, we need to do a better job at being more clear about the challenges that we’re facing and to the best of our ability the capabilities we’re bringing to bear to meet those challenges," the official said.

One of the most basic reasons that the government needs to improve its communications about cyber is the fact that "only the best" cyber operators are able to see when they are being attacked and then do something about it, added the official. "It takes a significant level of capability to be aware of an intrusion and an even higher level of capability to be aware of what’s" been stolen.

As the government struggles to establish a cohesive national approach to cyber security, it is becoming better at sharing information.

While "we’ll never be fully open" because of the heavy involvement of intelligence-related activities in cyberspace, the trend is slowly "but steadily [moving] towards being more open," added the official. "We must move that forward."

Panetta’s speech is one attempt to move toward openness, and over the last year Pentagon officials have begun to reveal a trickle of information about the military’s offensive operations in cyberspace  — something that was never discussed previously.

And the government, via something called the DIB CS/IA program, has even become better at sharing information about cyber threats collected by intelligence agencies with private companies in a way that doesn’t compromise sources or methods.