2012 was an eventful year for cybersecurity, but 2013 could see one event that didn't happen then: the passage of legislation.
2012 was an eventful year in the world of cybersecurity, to say the least. High-profile cyberattacks, multiple failed attempts to pass legislation, and the continuing buildup of the U.S. Cyber Command and military cyber capabilities are just a few of 2012’s most important cyber-related events.
Experts and insiders almost unanimously pointed to a handful of prominent attacks around the world as defining moments in the year’s cyber landscape. The Shamoon virus unleashed on Saudi Arabia’s state oil company destroyed 30,000 computers, an unprecedented occurrence in cyber warfare. Before that, the release of New York Times reporter David Sanger’s book “Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power” unveiled the United States’ involvement in the development and release of Stuxnet — itself a crucial affair with reverberations far beyond the confines of cyberspace.
“With the publication of this book, you essentially had a play-by-play of how this went from idea to effect,” said Richard Bejtlich, chief security officer at Mandiant. “It revealed how having a piece of code [could] not just disrupt a computer or steal information but actually have a physical effect to destroy machinery and while doing so have a major international relations event. Now that we know, more or less, that the U.S. and its ally Israel were involved in creating Stuxnet, other countries have a tool they can use when discussing cybersecurity relations with the U.S.”
Meanwhile, the cybersecurity discussion continued to churn. On Capitol Hill, ongoing battles over the best way to legislate cybersecurity resulted in gridlock. An executive order came to be seen as the best short-term solution, but nobody believed it was a good substitute for comprehensive legislation, and the battle in Congress is certain to resume in 2013.
“I think we’ll see some legislation coming out of Congress this year,” said Charles Croom, vice president of cybersecurity solutions at Lockheed Martin and former director of the Defense Information Systems Agency. “It’ll probably take the executive order and put some of that into law, and take parts of existing proposed legislation and put that into law as well. Things everyone seems to agree on — research and development, education, information sharing, critical infrastructure protection — those will be topics at hand that will at least get into proposed legislation. The hard part will continue to be how much to regulate versus incentivize.”
At the Defense Department, the services are continuing to build cyber capabilities. The ranks and capabilities of the fledgling Cyber Command are filling out, and its leaders are determining the evolving requirements for the Pentagon’s newest domain: cyberspace.
In 2013, training will likely be a top priority as a new generation of military personnel sharpens much-needed cyber skills, and cybersecurity will be an area of budgetary exception, unlikely to face the ax as much as other DOD programs.
“The demand signal has increased and will continue to increase,” said Lt. Gen. Michael Basla, the Air Force’s CIO. “Why is that? Because the threat is out there. It’s not just a Department of Defense thing. It’s a national imperative that we must protect our country against the cyber threats. We have to address how to respond to that demand signal.”
Cybersecurity should not be subject to budget cuts and, indeed, could be one of a few growth areas in the age of scarce funding, Basla said. “Cyber is integrated across all our capabilities and everything we do as a nation,” he said. “We need to be prepared for that.”