By Shannon McMurtrey, Ph.D.
I was very privileged earlier this year to travel to our nation’s capital with a very talented group of students from Missouri State University. A global pool of over 600 schools had been narrowed to 23 who were invited to submit campaigns as part of a competition sponsored by the State Department called, “P2P: Challenging Extremism Initiative.” The competition arose from recognition that terror organizations such as ISIS are masters at using social media to recruit young people online and that perhaps young people could themselves be called upon to create a campaign to counter their efforts. Of the 23 schools invited to submit campaigns, three were selected to travel to Washington D.C. to present their ideas, one each from Australia, Canada, and The United States. Missouri State University represented the only domestic team invited to compete for top honors.
The Missouri State ad team conceived of a digital platform that was then created and operationalized by students in my Advanced Web Development class. The panel of judges, which consisted of executives from media, government, academics and a former ambassador to the United Nations, selected the campaign created by Missouri State University for first place. Working with these students, and focusing on this project, has served as a constant reminder of how serious the problem of cyber terrorism is becoming. While it seems like you cannot turn on the television without hearing about another data breach it is important to note that not all cyber crime is alike. Just like we make the distinction between thefts, acts of terror, and acts of war, we must also distinguish between data breaches, acts of cyber terror and acts of cyber war. There is an active area of academic research aimed at helping make these distinctions. It is important for our leaders to be able to accurately attribute the source of a cyber attack, and to correctly classify the intent to formulate an accurate and appropriate response.
The act of assigning blame for a cyber attack (attribution) turns out to be a very hard problem to solve. Similarly, classifying an attack as an act of war or terrorism is difficult (perhaps made even more difficult by our current “war on terror”). In the early stages of a traditional war, it is easy to recognize and attribute attacks. However, some of the early stages of our current cyber war may be going completely unnoticed. For example, on June 8th, 2015, the website for the U.S. Army was defaced, and then taken offline. The Syrian Electronic Army claimed credit for the attack. Another recent attack (discovered while I was in D.C. with our team), that might accurately be considered an act of cyber warfare, was the data breach that took place at the U.S. Government Office of Personnel Management. Personally Identifiable Information (PII) was stolen on every employee of the U.S. government, along with every individual that has held a security clearance since 1982. The New York Times and the Washington Post cited unnamed sources in the federal government claiming that Chinese hackers were behind the breach. China was quick to deny involvement. These attacks follow on the heels of widespread breaches at the IRS, Anthem healthcare and others that had a direct impact on many of us here in the Ozarks. Some of you may have discovered the problem after filing tax returns, only to be informed that criminals had already claimed refunds in your name!
All of these events are shining a glaring light on our nation’s lack of cyber awareness and training. Admiral Mike Rogers, director of the National Security Agency and U.S. Cyber Command, recently commented that of the 6,200 people engaged at U.S. Cyber Command, currently only 50 percent are capable of carrying out the full operational duties of its current mission. If that is the case at the NSA, imagine the situation at most U.S. businesses and those here in the Ozarks. There is no doubt that training our nation’s cyber warriors and defenders — both those in military and those in civilian service — must become a top priority.
This article appeared in the August 29 issue of the Springfield News-Leader and can be accessed online here.
Shannon McMurtrey, Ph.D., is director of Missouri State University’s master’s program in cybersecurity, as well as program director for the master’s in computer information systems in the department of computer information systems. Email:firstname.lastname@example.org.