By Ernesto DiGiambattista
Fri | Jul 10, 2015 | 1:16 PM PDT

While the recent New York Stock Exchange and United Airlines hours of gridlock have since been attributed to internal malfunctions (slightly less is known about the Wall Street Journal shutdown at this time), the happenings of the day served as a microcosm of just how beholden we are to technology's reliability, and how the prospect of Armageddon can descend upon us within a matter of minutes when it fails. In these times, however, there is far more than technological failure to be feared.

The opening line of Executive Order 13636 says it unabashedly, "repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity." While the NYSE and United Airlines shut-downs were not attacks by hackers, they have provided us with a taste of the potential fallout of a cyberattack. The three simultaneous glitches that occurred yesterday should serve--if not as a foreboding omen--as a stark reminder that we all must be more concerned with integrating our systems and communicating more effectively within the realm of cybersecurity. Cyberattacks have become more frequent, with attacks on Target, Sony, Snapchat, and others within the last two years. To prevent more severe attacks in the future, we must treat these events as learning experiences to better prepare our responses to the technological failings and potential cyberattacks to come.

Cybersecurity, in and of itself, is an issue that is becoming increasingly concerning to the American psyche, and opposing camps in the private and public sector are vying for the American public's trust as precedent-setting legislation is all but certain to dominate the political landscape in the coming weeks leading up to the 2016 election cycle, and for years thereafter.

Simply allocating a significant portion of one's budget to cybersecurity in the general sense has proven to be myopic--as JP Morgan can attest, having fallen victim to an attack that ultimately exposed private information about 76 million households and 7 million small businesses after devoting $250 million annually to the cause of cyberattack prevention.[1] And of course, trillions of dollars in resources and the threat of the Espionage Act have proven ineffective for the United States government with regard to deterring whistleblowers such as Chelsea Manning and Edward Snowden.

Yesterday, to reiterate, was not a security breach in the manner that the above examples were. But it could have been, or could have opened the door for one to occur in conjunction with or directly following the self-induced standstills. In the words of James Angel, associate professor of finance at Georgetown University's McDonough School of Business, "What surprises me is how infrequently these major outages occur."[2] Thus, yesterday needs to be treated, analyzed, and approached as an opportunity to learn how we react when a cyberattack might well be upon us. Critically, we must take steps to improve our prevention and response tactics.

A first step is to hone a collective consciousness that such widespread cyber breaches can happen, that, as Angel asserts, they should happen more often than they do, and that they will continue to happen with enhanced frequency if courses of action are not altered. As Sal Arnuk, principal at Themis Trading notes, "Is the NYSE technologically the most (robust) exchange in the world? No. The fact of the matter is the different exchange operators have diverse standards, different architecture. Some of them are more legacy than others."[3] We can debate whether the largest stock exchange in the world should be the most robust exchange in the world another time, but the takeaway here is that the integration process of newfound technologies needs to be appreciated and prioritized.

As new technologies begin to supplant and work alongside older technologies at faster rates than ever before, the old and new order are inevitably going to clash. Add in the human element, one that is feeling more threatened by technology than ever before, and the conflicting elements with conflicting motives can sow chaos. "We need better technology," noted one stock exchange employee mid-outage, "...it makes me worried that they are trying to make this a fully automated exchange, and what they are doing, they are slowing things down on purpose, saying 'we don't need people.' If we had different technology and we didn't have people running certain things, we wouldn't have this problem. They are trying to make everything electronic. That's what happened."[4]

This sort of rhetoric could conjure up unfounded images of 1984, and these words notably did come in the middle of an unprecedented moment for the NYSE at a time when consumers are scouring for just a glimmer of good news amidst European uncertainty and Chinese market freefall, but it is difficult to discount that there is a degree of disconnect between man and technology. There is an undercurrent of longing for better technology and frustration that the new technology hasn't completely replaced the old--even if this begs the question of man's necessity in a tech-heavy landscape. In its current state, however, ineffective integration leaves everyone exposed--internally and externally.

It is ultimately exposure that has everyone so worried. Although President Obama's Executive Order 13636 received rather milquetoast criticism and was deemed "an important step toward protecting critical infrastructure from cyber threats" in the Harvard Journal of Law and Public Policy,[5] the order was of course implemented prior to the Snowden revelations. As a result, the American public and the private sector have grounds for a level of skepticism and defiance that may have seemed excessive in, say, 2012.

In recent days, FBI director James Comey has argued, "to protect the public, the government sometimes needs to be able to see an individual's stuff." If this sounds all too familiar, it is because this has been the federal stance for quite some time: the debate over encryption can be traced back to the 1990s, when the FBI argued unsuccessfully for a 'clipper chip' that would enable the agency to unscramble a device's encrypted contents.[6] The Obama administration is arguing for similar work-arounds that would give federal investigators access to users' data--but tech firms are proving to be uncompromising and are refusing to provide the FBI with a method to unscramble data.

But as quoted in the Wall Street Journal, "...the Obama administration has been reluctant to spell out exactly what it wants."[7] While the idea that the government should have access to data that pertains to national security is not, on the surface, a controversial notion in theory, overreach, from that permitted by the Patriot Act to the Iraqi invasion to the war crimes and spying uncovered by whistleblowers, has damaged its credibility, perhaps beyond repair. As Matt Blaze, computer-science professor at the University of Pennsylvania, presents matter-of-factly, "there is no method to guarantee that only the right people [in the government] will have access... it's not simply a matter of difficulty, it involves the most fundamental unsolved complications in computer science."[8]

According to sources, at one meeting, administration officials appeared interested in a 'split key' solution, in which either tech companies, the government or a third party would hold sections of an encryption key that could be recombined and used to decipher messages if crucial to fulfill a court order.[9] But again, such compromises, if you will, are only as safe as whoever is holding the keys. Given the government's susceptibility to getting hacked, technology companies may have no good reason to trust Washington.

And as Patrick Eddington of the Cato Institute wrote in the Hill, "given the large number of investigative tools available to the FBI... the notion that encryption imperils all law enforcement operations is ludicrous."[10]

All of this recent debate is in fact what makes yesterday's mishaps so critical--and perhaps detrimental to technology companies and the private sector at large. In spite of security breaches to Target and JP Morgan amongst others, there is little doubt that the private sector had the upper hand in the eyes of the public due to just how damning the evidence presented by whistleblowers against the US government has been. Companies like Apple, Google and Yahoo embraced encryption as a way to assure their clients that nobody--not even the government--could access their data; in effect championing privacy at the very time the United States government was doing everything in its power to do the very opposite.

But as debacles continue--yesterday to private victims United Airlines and the Wall Street Journal--the American public wonders where it can turn. Who will champion its privacy? Well, the government has proven inadequate, but, whether deliberately or not, private companies aren't fitting the bill either. Invest in the New York Stock Exchange, and it appears the processing of money is being handled by out-of-sync technology and people who disdain said out-of-sync technology. Seek respite by traveling via United Airlines (maybe kicking back with your Wall Street Journal), and millions are left grounded and unaware as to whether their security may be at risk. As reported in the Chicago Tribune, technical issues and poor training of employees led to rampant delays and cancellations, which over time led to mass customer defections and damaged profits at the airline. Joseph Schofer, a professor of civil and environmental engineering at Northwestern University, stated on United Airlines, "it undermines a lot of what they've done to rebuild the airline and build its market image because it makes a strong statement about reliability."

All of these breaches, glitches, self-inflicted, external, they continue to leave black eyes. Black eyes for the government, black eyes for private companies, and black eyes for the public that doesn't know where to turn. The public can only hope one side, or both, emerges in this debate and protects its interests.

"We're over-reliant on these systems," says Schofer.[11] He's undoubtedly right. But we're not turning back either: we need to learn from yesterday, or it will be repeated. If changes are not made, our world could begin to mirror that of an Orwell book.

To prevent becoming Orwellian, we must do more than simply acknowledge our over-reliance on these technologies. We must learn how to effectively deal with scenarios as humans when these systems fail. Looking at the way in which these malfunctions were responded to, the reaction of the New York Stock Exchange was less than adequate. The way events like today are meant to be dealt with is clearly laid out in Exec. Order 13636 with the procedure: "Identify, Detect, Protect, Respond, Recover." Some of these were done well, and others need to be improved upon.

The strongest step taken by the NYSE was to "Protect." The NYSE was reportedly in almost constant communication with the United States Government and security agencies. This is a positive aspect of their response, as one of the keys to successful cybersecurity is consistent communication to protect critical infrastructure at times during which it's vulnerable. While communication and protection were adequate, other facets of the response were not.

The most problematic step was the very first: "Identify." The origin of the NYSE glitch is still relatively vague. News reports describe it as an "internal technical problem," or a "configuration problem," which to the average reader doesn't mean much. There are no detailed explanations. In addition, the investigation into what specifically caused the technical problem, according to New York Stock Exchange President Thomas Farley, wasn't launched until Wednesday night. Had this event been a cyberattack, going this long without a specific, identified, and fixable problem would have been devastating.

Another issue with vague identification of the problem is that, in reality, the key to solving a problem effectively is to know exactly what the problem is. Mistakes are made when swift responses to nothing but symptoms are coupled with actions based on assumptions. It sounds almost stupidly simple, but diagnosing an issue is critical before taking action to resolve it.

For example, many people were under the impression that the NYSE glitch was the result of a cyberattack. Hypothetically, let's say they responded accordingly without knowing that it--in fact--was only a technical difficulty. Even worse, let's say that the hypothetical tables had been turned and a cyberattack was treated merely as a technical problem: the results would have been catastrophic.

The easiest way to improve cybersecurity is to integrate the systems that we have in place across the country, or as they are called in Exec. Order 13636, "critical infrastructure." This term simply means "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." Clearly, the NYSE, major airlines, and even the Wall Street Journal all fit under this umbrella.

Adopting the outlined framework in an effort at increased system integration provides numerous advantages, one being the setting "of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks." This would eradicate any errors and provide a uniform guideline for all systems within the framework to follow. This uniformity is not overdone, however, as the framework provides different procedures and protocols for organizations of different sizes or organizations that are more at risk of cyberattack than others.

The main takeaway from adoption of the framework is that it provides a common language through which organizations can communicate, and, as was evidenced today, communication is one of the foundations of effective cybersecurity. If all the systems within the critical infrastructure of the United States speak the same language and follow the same procedures, that takes away any elements of panic or improvisation, and removes much of the potential for error.

It is paramount that these issues be brought to the forefront at this moment when people can feel the effects of a possible cyberattack. People sat on the tarmac, missed connecting flights, and will still be feeling the repercussions of the United glitch for the next few days. People who're used to bustling around the stock floor stood around with nothing to do. While these experiences are still readily available in memory, they can be used as reminders that action needs to be taken and change needs to be made as cybersecurity is becoming one of the most prevalent issues of our time.

[1] Straight, Jason. "The Role of the Board In Cybersecurity: 'Learn, Ensure, Inspect'" Dark Reading. July 8, 2015. Accessed July 8, 2015.

[2] Karp, Gregory. "What United, NYSE Glitches Tell Us about Technology." Chicagotribune.com. July 8, 2015. Accessed July 8, 2015.

[3] Yuhas, Alan. "Stock Trading Closed on NYSE after Glitch Caused Major Outage - as It Happened." The Guardian. July 8, 2015. Accessed July 8, 2015.

[4] Yuhas, Alan. "Stock Trading Closed on NYSE after Glitch Caused Major Outage - as It Happened." The Guardian. July 8, 2015. Accessed July 8, 2015.

[5] Broggi, Jeremy. "BUILDING ON EXECUTIVE ORDER 13,636 TO ENCOURAGE INFORMATION SHARING FOR CYBERSECURITY PURPOSES." Harvard Journal of Law & Public Policy. 2013. Accessed July 8, 2015.

[6] "FBI Chief Pushes for Encryption 'back Door' despite Tech Experts' Opposition." RT USA. July 7, 2015. Accessed July 8, 2015.

[7] Yadron, Danny, Damien Paletta, and Jennifer Valentino-Devries. "Technology Experts Hit Back at FBI on Encryption." WSJ. July 7, 2015. Accessed July 8, 2015.

[8] Yadron, Danny, Damien Paletta, and Jennifer Valentino-Devries. "Technology Experts Hit Back at FBI on Encryption." WSJ. July 7, 2015. Accessed July 8, 2015.

[9] Yadron, Danny, Damien Paletta, and Jennifer Valentino-Devries. "Technology Experts Hit Back at FBI on Encryption." WSJ. July 7, 2015. Accessed July 8, 2015.

[10] "FBI Chief Pushes for Encryption 'back Door' despite Tech Experts' Opposition." RT USA. July 7, 2015. Accessed July 8, 2015.

[11] Karp, Gregory. "What United, NYSE Glitches Tell Us about Technology." Chicagotribune.com. July 8, 2015. Accessed July 8, 2015.

The opinions expressed here are solely those of the author and not those of any other entity.

Linkedin: http://www.linkedin.com/in/ernestod