Cyber Attacks on Business – A National Security Threat?

By Kevin Coleman
Defense Tech Cyber Warfare Analyst

Cyber attacks on businesses have risen in frequency and sophistication and the monetary damages that accompany these incidents are rising as well. America’s corporations are under constant attack from cyber criminals, terrorists and rogue nation states. The devastating consequences of a cyber attack on our business community have now risen to a level where it must be considered a threat to our nation’s security.

So why has the U.S. Military and Homeland Security not moved to address this threat head on? The answer is easy – it is the private sector! There are regulations that come into play as well as the availability of resources to help; but the biggest reason is the private sector has not asked for help. Many in the private sector believe they “know more” or are “better at defending” themselves than the government entities. Those beliefs are no longer true.

For a decade now I have had one foot on each side (private vs. Gov/Military). The rapid growth of techniques, tools, capabilities, experience and cyber intelligence on the government /military side has now placed them well ahead of every private sector cyber security organization I know of. Of course, that doesn’t include private sector cyber mercenaries that routinely called upon and illustrate superior offensive and defensive cyber capabilities in support of U.S. defense forces and the intelligence community.

These capabilities must be brought to the defense of our critical infrastructure and in support of private sector research and development efforts that will produce the next generation of security products needed to address the increasing threats we are seeing in cyberspace. Working together is the answer. Working disjointedly will ultimately lead to falling short of what we need in the near future and beyond.

So – does the current level of attacks on the U.S. business community rise to the level of a national security threat?

  • will baird

    Too bad that pic is of a a government supercomputer[1] retired 2 years ago[2] rather than a real business data center.


    • mitch

      will baird,
      Too bad that you do not have something more substantive to add to the discussion than a snarky comment about a dated photo. This is a serious topic, and affects critical infrastructure of our country. Please share with us if you have anything of value. I look forward to good commentary on this subject.

      • Bob

        Business is wise to avoid asking the government for help. The government is not very efficient and everything it does costs twice as much. Besides government help comes with too many strings attached. GM asked the government for help and look what they got, the government and unions now own and run GM. The schools asked for government aid, now the government runs local schools systems. Please lets keep the government out of private business.

    • jordan

      Im glad you commented and even gladder that you provided links.

  • The_Hand

    It’s hard to say where the tipping point is between “annoying criminal activity” and “clear and present danger to the United States”. The current level of activity, I think, is the former, but there also clearly needs to be a level of vigilance maintained and countermeasures developed since that could change in fractions of a second.

    Government needs to work with private industry to develop procedures, if not regulations, for industry to follow. That would include describing the security measures that need to be maintained for day-to-day operations, and also communications and procedures for use to detect and respond to attack. Speaking as an admin, right now private industry has practically zero guidance from the government beyond trying to protect identity information. I would have to go to the FBI and ask for it, and what I’d get back wouldn’t be terribly current or detailed.

  • Brian

    In the commercial world security runs counter to productivity thus profits. Security exists to mitigate losses against theft etc and maximizes profit. Think of this way, a bank builds a safe because it makes robberies lesslikely if they know that all the money is inaccessible. If teft was not a concern the bank would not build a safe as it would lower return on capital.

    So to tie it together, the thfreat of sabotage is of little concern to most businesses, and to those that it would, generally have the best systems money can buy to mitigate. Government action is thus unnecessary as any additional security would be uneconomical. Given the size of IT in the private sector, additional security would be cost prohibitive. Well that and well it’s a pipedrea, to think you could properly secure. Most businesses simply work on backups, recovery and failover systems rather than preventing failure in the first place.

    • Dean

      Brian, I’m a network guy currently and we take security very very seriously. To suggest that the commercial world as a whole doesn’t care about security is a bit uneducated on your part. Businesses can afford security lapse, loss of customer data, corporate secrets/property, etc. The one thing we don’t need is an idiot from the Government telling us how to do it and why. There is no government person/entitiy who can match private industry as a whole in the security arena. After all-I don’t see government creating firewall and security products, and building switches and routers-do you?

  • Scott

    It seems to me that there is a problem on both ends — not just with the private sector. In many instances, the private sector would benefit from greater government assistance with respect to cybersecurity, but at the same time there is a desire (need?) for the private sector to keep the feds out of their facilities. Economic espionage (via cyber tools) is on the rise and will only continue to increase, which puts certain industries (i.e., defense) at risk and thus our national security at risk. There needs to be better collaboration between the public/private sectors, and perhaps it would help if the feds started making examples of those committing what amounts to cyber/economic espionage. The laws are in place to combat that issue, but they are rarely used.

  • Tim Adkison

    Itll catch the buisness’ attention when they cant operate there daily tasks because someone hacked them. Thats what its ganna take

  • Mark Ritchie

    This is also an issue at the state and local government level so thinking about cyber security at all levels of private and public sector vulnerabilities would be very important to the whole society. Thank you for this conversation.

    Mark Ritchie, Minnesota Secretary of State

  • Dorsai

    As a consultant who has also has feet in both camps (government and commercial), it boggles my mind that you think the government does things better than the commercial world. There are some technical geniuses hidden in various government agencies doing good work on security, but they’re few and far between. The speed, quality, and effectiveness of innovation in the commercial world still dramatically outstrips what’s happening in the government.

    Don’t get me wrong, many in the commercial world may drag their feet in implementing the sort of threat-centric security effort that has existed in the government for years – but the quality of technical skill, methodical analysis and countermeasures in the commercial world more than make up for this.

    What specific government groups are you aware of that are doing things much better than the commercial world? Commercial efforts which I feel blow away military efforts include several of the CIRT/CERT’s at large corporations (GE is a good example), commercial products like Tipping Point and the Core tools. If you broaden the comparison to include open source projects like OpenBSD and nmap, and training organizations like SANS, I think the advantage is NOT in the government camps.

    Please give some examples of where the government is doing so much of a better job than the commercial/open-source sector.