Those who cannot
remember the past are condemned to repeat it. – George Santayana
The total number of Union dead during the Civil War ranges
from 360,222 (if you accept the Fox-Livermore estimates from the late 19th
century) to the (approximately) 437,006 estimated by Dr. David Hacker in late
2011. Predictably, many historians
struggle with and debate the revision to more than a century’s worth of settled
fact. What is not being debated is that
approximately two-thirds of those who perished (between 240,148 and 291,337
men) fell not to Confederate bullets, bayonets, sabers or shells but to
disease.
In historical retrospect, this is surprising as huge
investments, and concomitant advances, were made in medicine during the
war. Indeed, when the war began, the
United States Army Medical Corps numbered just 87 men – and promotion was based
strictly on seniority, not on merit. By
the cessation of hostilities in 1865, more than eleven thousand doctors had
served.
Union medical care improved dramatically during 1862. By the end of the year each regiment was being
regularly supplied with a standard set of medical supplies and had an integral
medical staff. In January 1863, division
level hospitals were established, serving as a rendezvous point for transports
to the general hospitals.
By 1865, there were 204 Union general hospitals, capable of
treating 136,894 patients. General
hospitals were designed to accommodate massive numbers of wounded and sick
men. They were built as pavilions with
separate buildings, where thousands of patients could be sheltered. Each building was its own ward, with high
vaulted ceilings and large air vents, accommodating about 60 patients. Ultimately over a million men were treated in
the general hospitals, and the collective fatality rate was below 10%.
Given the rapid development of this tremendous medical
capability, the fact that hundreds of thousands of Union soldiers succumbed to
disease during the war seems counterintuitive.
However, even a cursory look at what passed for field sanitation is illuminating.
Soldiers rarely bathed, and the same pots that were used for
cooking were also used to boil clothing to remove lice. Regulations about camp sanitation and
overcrowding were ignored. Each company
was supposed to have a field latrine.
Some regiments dug no latrines.
In other cases the men went off into open spaces around the edge of the
camp. Inevitable infestations of flies
followed, as did diseases and bacteria they spread to both men and rations.
The Army diet was high in calories and low in vitamins. Fruits and fresh vegetables were notable by their absence. The food part of the ration was fresh or preserved beef, salt pork, navy beans, coffee and hardtack: large, thick crackers, usually stale and often inhabited by weevils. Preparation of the food was as bad as the food itself: hasty, undercooked and almost always fried.
And so, despite substantial investments in very large, very
visible medical programs, huge numbers of Union soldiers died of disease. Why? Because these programs were inherently
reactive, responding to, but not alleviating, the root cause of the problem,
which was the inherently unhealthful lifestyle of the individual soldier in the
field.
For those in the burgeoning cybersecurity industry, and especially those who work at the nexus of the public and private sectors, Santayana’s words ring especially true. Much like the Army Medical Corps in the early 1860s, the industry faces a crisis of epic proportions. The number of cyber-attacks mounted on an hourly basis against government departments and agencies, as well as their contractors and the national critical infrastructure, is staggering. Reports of data breaches suffered by major retailers, banks or manufacturers are a weekly, if not daily, occurrence. There’s an ongoing information hemorrhage flowing out through porous perimeters, and effective countermeasures remain elusive.
This isn’t to say that large, visible efforts and investments aren’t being made. There are eighteen sector-specific Information Sharing and Analysis Centers (known as ISACs), established pursuant to Presidential Policy Directive 63, whose ostensible purpose is to promote risk mitigation, incident response, alerting and information sharing within the discrete national critical infrastructure sectors. Similarly, the United States Computer Emergency Readiness Team (US-CERT) was created in 2003 by the Department of Homeland Security (DHS) to analyze and reduce cyber threats and vulnerabilities, disseminate cyber threat warning information and coordinate incident response activities.
These efforts pale, however, when compared to two ongoing programs intended to secure civilian government networks and systems. The Continuous Diagnostics and Mitigation (CDM) program is intended to provide capabilities and tools that identify, prioritize and mitigate cybersecurity risks on an ongoing basis. The DOMino program (Development, Operations and Maintenance services in support of the National Cybersecurity Protection System) is intended to continue DHS efforts to protect the federal .gov domain with an intrusion detection system that monitors the network gateways of government departments and agencies for unauthorized traffic and malicious activity. As an example of the magnitude of resources allocated to these programs, CDM has a program ceiling of $6 billion.
Acquisitions resourcing is matched by policy efforts. In February 2014, the National Institute of
Standards and Technology (NIST) released the first version of its Framework for Improving Critical
Infrastructure Cybersecurity. The widely
touted document, a collaborative effort of a consortium of industry and
government partners, provides standards, guidelines and practices to promote
the protection of critical infrastructure.
The Department of Defense (DoD) has also overhauled its
cybersecurity policies and guidance so as to be more responsive to the ongoing
cybersecurity emergency. In March 2014,
the DoD declared its information assurance mechanism (the Defense Information
Assurance Certification and Accreditation Process, or DIACAP) obsolete and
replaced it with a set of policies and guidance called the "Risk
Management Framework (RMF) for DoD Information Technology (IT)." The RMF, which aligns with the NIST RMF, is
intended to address IT security risks throughout the IT life cycle.
All of these programs are important, necessary and from a
purely parochial cybersecurity perspective, very welcome. However, they also represent the same sort of
top-down and reactive approach to security that the Army Medical Corps
displayed with respect to soldiers’ health during the Civil War. That is not to say that this sort of approach
is incorrect, but rather that it does not form the basis for a complete
solution to the problem. A complete
solution requires concurrent, systemic applications of both top-down and
bottom-up approaches.
This was recognized by the military healthcare community,
and critical changes were put into place with respect to both the individual
soldier’s hygiene and sanitation in the field and the overall military medical
system. As a result, while there were 62
deaths from disease per 1,000 Union soldiers (using the Fox-Livermore
statistics) during the Civil War, the number dropped to 25.6 per 1,000 in the
Spanish-American War, and 16.5 in the First World War. By the Second World War, less than one
American soldier per 1,000 died from disease.
The systemic machinery of government information technology
is already responding to the cybersecurity epidemic. If the overall cybersecurity treatment is to
be effective, comparable changes and improvements must be made to the
cyber-hygiene requirements at both the operational user and acquisitions
program levels. More precisely, just as
compliance with the high-level, top-down security requirements is required for
a program to gain or maintain authority to operate on a government network,
compliance with low-level implementation guidelines should be required as well.
The good news is that most of these changes are readily
implemented, and not matters of breakthrough research. A non-exhaustive listing of a few examples:
· Assume that a breach is not a matter of if, it’s a matter of when, and design all systems to continue to operate effectively despite the presence of attackers.
· Encrypt everything. This includes data at rest, data in transit and data in use. This way, even if an attacker gains access to protected system resources they will be of little or no value upon exfiltration, thus maintaining confidentiality despite a breach. Additionally, they will be difficult if not impossible to alter, thus maintaining data integrity.
· Implement comprehensive and fine-grained authorization management to ensure that the principle of least privilege is automatically implemented and maintained. The open standard for the implementation of attribute based access control, the eXtensible Access Control Markup Language, or XACML, was first published in 2004, and there is a wide array of tools from which to choose when implementing this capability.
· Ensure that email traffic is subjected not only to in-line spam filtration, but also to psycholinguistic analysis intended to determine the degree to which a communication is deceptive.
· Require that all personnel receive mandatory training on good cyber hygiene and that continued compliance with cyber-hygiene standards is part of an annual or semi-annual performance evaluation.
· Partner with industry to ensure a constant influx of innovative ideas.
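As an added illustration of the authorization bullet above (example code written for this post, not part of the original and not an XACML implementation), the following minimal attribute-based evaluator borrows XACML's vocabulary: rules have a target, an optional condition and a Permit/Deny effect, they are combined deny-overrides, and a request that no rule permits is denied, which is how least privilege is enforced automatically. The policy, attribute names and unit-matching condition are constructed for the example.

```python
# Added example: a tiny XACML-style attribute-based access-control evaluator.
# Policies are data; the enforcement point treats anything short of an
# explicit Permit as a denial (default deny = least privilege).
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


@dataclass
class Rule:
    effect: str                                   # "Permit" or "Deny", as in XACML
    target: Dict[str, Set[str]] = field(default_factory=dict)  # attr -> allowed values
    condition: Optional[Callable[[dict], bool]] = None  # extra predicate on the request

    def matches(self, request: dict) -> bool:
        # Every target attribute must be present with an allowed value.
        for attr, allowed in self.target.items():
            if request.get(attr) not in allowed:
                return False
        return self.condition is None or self.condition(request)


def evaluate(rules, request: dict) -> str:
    """Deny-overrides combining: any applicable Deny wins; otherwise Permit if
    some rule permits; otherwise NotApplicable (no rule spoke to the request)."""
    decision = "NotApplicable"
    for rule in rules:
        if not rule.matches(request):
            continue
        if rule.effect == "Deny":
            return "Deny"
        decision = "Permit"
    return decision


def is_allowed(rules, request: dict) -> bool:
    # Enforcement point: only an explicit Permit grants access.
    return evaluate(rules, request) == "Permit"


# Constructed sample policy (hypothetical attributes) for patient records.
POLICY = [
    Rule("Permit", {"role": {"physician"}, "resource": {"patient-record"},
                    "action": {"read", "write"}},
         condition=lambda r: r.get("subject_unit") == r.get("resource_unit")),
    Rule("Permit", {"role": {"nurse"}, "resource": {"patient-record"},
                    "action": {"read"}}),
    Rule("Deny", {"resource": {"patient-record"}},
         condition=lambda r: r.get("clearance") == "revoked"),
]

if __name__ == "__main__":
    print(evaluate(POLICY, {"role": "nurse", "resource": "patient-record", "action": "read"}))
```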
It’s often said that government is only capable of broad,
systemic action requiring years to develop and many more years to
implement. With respect to the current
hostile state of cyberspace, the luxury of time simply doesn’t exist. However, as can be seen by the improvements
in military medical and hygiene standards, government is absolutely capable of
implementing extremely effective solutions that merge both top-down and
bottom-up approaches. The battle for
cyberspace can be won. We simply have
to, collaboratively, choose to win it.