“These attacks have demonstrated that companies of all sectors are very lucrative targets. [APTs are] the equivalent of the modern drone on the battlefield. With pinpoint accuracy, they deliver their deadly payload, and once discovered — it is too late.”

One of the methods the article suggests to protect systems from targeted attacks is using a whitelist to allow specific traffic over its networks while excluding everything else. In other words, they want to limit exposure to social engineering by limiting user access to potentially dangerous sites. Plans like these make some sense, but don’t address the core problem. There are too many ways that users can be tricked into accessing something that isn’t protected against for this to work. And for institutes such as higher education that conduct research at random places, restricting site access gets in the way of users doing their job and simply is not going to fly.

As we pointed out in the blog, “Cisco’s 2009 Security Threat Report: We need a patch for the common user!” people are the primary vulnerability going forward. Whether we like it or not, our employees, contractors and partners are continually accessing sites and other media that can cause problems. Rather than dealing with user behaviors that are simply out of our control or are required for them to be effective, enterprises should focus on the real problem — which is to stop the payload of these attacks.

As long as there are people in the mix, they will continue to unknowingly bring things into the network that cause all sorts of havoc. The reality is people make mistakes. They go on sites their company knows nothing about. They open bad emails and download the wrong stuff on their machines. Since we can’t realistically stop what users are doing, we have to address the results of normal, but risky behavior.

The bottom line is we need to stop the payload from getting on the network and becoming a threat. That needs to be the primary thrust, and is the focus of BOUNCER, which protects against unwanted applications while permitting users to go about their business.

Historically, legislation has proven to be woefully inadequate in preparing the U.S. for cyberwar. Why? Because there are no consequences. Until there are repercussions or someone is going to lose their job for not being secure, this will continue to be problematic. This is where the government is missing the boat. Trying to legislate cyber security without holding organizations accountable seems to be the crux of the problem.

Unfortunately, our friend and newly appointed U.S. Cyber Security Czar, Howard Schmidt, is in a tough spot. With no budget or real authority to levy consequences, there’s not going to be much change. Although many believe the government can and should be leading the way to improve the nation’s cyber defenses, Mr. Schmidt believes the best defense remains in the hands of the private sector.

It all comes down to holding people accountable. Without repercussions, there’s no incentive for companies to spend money to get out of the status quo in terms of what security best practices are, and start thinking in a more proactive manner.

It’s only when people’s jobs are on the line that things truly get done. Only then will we start to move beyond our reactive mindset and get ahead of the problem by implementing proactive solutions such as application whitelisting that adequately prepare ourselves for cyberwar.

One comes from the former director of national intelligence, Michael McConnell, who recently testified in Congress by saying the country is already in the midst of a cyberwar — and losing it at that. This comes on the heels of growing speculation from experts that say the Chinese government was behind the recent cyberattacks targeting U.S. government Web sites, Google, and dozens of other U.S. companies. This, of course, raises the question: “If we aren’t already in a cyberwar, are we headed toward one?”

Larry Wortzel, a member of the U.S.-China Economic and Security Review Commission, said in the article, “Expert says Chinese government likely behind massive cyberattacks,” that whether the Chinese government or independent hackers in China were responsible for the recent attacks, we are seeing “persistent, systematic and sophisticated attacks” that are clearly targeting U.S. military, technical and scientific information. Similar trends released at RSA Conference and reported in the story, “Chinese hacks attacks said likely to recur,” said an increase in Internet attacks from China could double if the pace during the first two months of 2010 continues.

People often ask me, given my military background and experience fighting cyber crime, are we in a cyberwar or not? To me, whether or not we are is irrelevant. What defines cyber warfare? What’s important is that we are aware of what is going on and our government and the private sector are doing everything they can to ensure our cyber security. I commended President Obama last October when he said that cyber threats were one of the most serious economic and national security challenges we face as a nation. The fact is, cyber crime has already cost U.S. companies billions of dollars. If these trends aren’t stopped, cyber crime will continue to have a growing impact on both our economy and global competitiveness.

Ensuring our cyber security comes down to one thing — preparedness. The more we understand, and the more proactive steps the government and private sector take independently and collectively, are vital to defending our networks, national assets and critical infrastructures from any type of attack, whether we are in a cyberwar or not.