The reliance on computers to operate key infrastructures has created a tunnel of vulnerability previously unrealized in the history of conflict.

I first wrote that sentence in 1993 as part of my M.A. thesis on information warfare and my thesis adviser made me remove it for being “overly sensational”.  Final revenge was mine, however, when I snuck it into the 1996 Defense Science Board on Information Warfare.  Now you can search on that phrase and get a few dozen results as its been coopted along the way by other reports as well.  Regardless, my little pet phrase will be old enough to drive this year and the infamous “Can You Trust Your Toaster” paper is a teenager.

While I’ve always believed that cyberthreats are misunderstood and that much of the current debate lacks a risk management context, I can’t help but think that 2009 will be a precipice year in the cybersecurity domain.  We’ve certainly had lots of build-up in 2008:

  • A major think-tank issues what some regard as “yet another” cybersecurity strategy.
  • We’ve had major and minor penetrations by foreign entities into dozens of major corporations, institutions, and even the political campaigns.
  • For the first time, we are looking at a cabinet level Chief Technology Officer position at the White House.
  • From my personal experience in dealing with the national security and intelligence communities, there is an increased understanding and appreciation of the issue over the past year.  I can’t tell you how many conversations I’ve had with folks who dismissed the topic in the past and now articulate how important an issue it is.

If one is optimistic, we might actually start turning the corner on cybersecurity issues, but will do so only to find ourselves faced with a really steep hill.  The best-case scenario, we take some baby steps in 2010.  Therefore, I’m declaring 2009, the year of living cyberdangerously. Here are just a few things to think about:

  • Capability and intent are still mismatched, but that hasn’t prevented major intrusions, just those with an impact on the operation of critical infrastructure.
  • Big carrot, little stick. Cyberattacks have been launched against major companies, the U.S. government, and the McCain, Clinton, and Obama campaigns.  Consequences for the attacker have been non-existent. This just further incentivizes adversaries to push the envelope.
  • Economic disincentives are disintegrating.  I’ve often cited economic interdependence as a major deterrent to cyberattack.  However, when the U.S. economy is already in fail mode, the deterrent quotient diminishes.
  • Attribution still sucks.  See bullet number two.
  • Budget cuts and economic issues will serve to diminish corporate security postures in 2009.  End result, increased vulnerability.  That said, current attackers don’t seem to be lacking of vulnerabilities for intended targets.

These factors and a few others will bring a few stars into alignment and it should make for an exciting year.

As for me, I’m looking forward to taking a good hard look at these issues again this year at both the technical and national strategic level.  Watch for a follow-up to the Toaster paper and some additional efforts.  You can leave your title recommendations for the Toaster paper in the comments (e.g How I learned to stop worrying and love my toaster).