UPDATED 12:43 EDT / AUGUST 08 2012

CyberWars 2: Welcome to the Wild, Wild West @CyberWars

Ed. note: This is the second in a series looking at the cyber wars that are raging worldwide. In the first piece in the series, “Caught in the Crossfire”, we looked at how a new, serious threat has appeared that has the resources to circumvent traditional firewalls and other perimeter defenses and take up permanent residence in corporate and governmental networks without anyone knowing. In this second part we look at the Internet, which provides the basic connectivity that the cyber warriors use to attack their targets. In the next part we will look at what this means to corporate security officers and CIOs and to corporate operations in general.

Security experts are fond of describing the Internet in terms of the “wild, wild west.” To many people, this evokes a romantic vision of a period when men were men and people were free, when government didn’t poke its nose into everybody’s business. But the downside of the wild west is that you never knew who the stranger was who rode into town. Sometimes it was just someone riding through. Other times it might be a bank robber or worse.

Security experts see the same problem with the Internet. When the Internet protocols were formalized in 1982, and later when Tim Berners-Lee created the World Wide Web at CERN in 1989, nobody thought seriously about security. The network was seen mainly as a tool to connect research labs, and the presumption was that everyone on it would be honest. It was an idealistic vision, and for a while it worked, more or less.

This openness, says Shawn Henry, former FBI Executive Assistant Director (EAD) for CyberSecurity and now President, CrowdStrike Services, is a two-edged sword. On the one hand it allows people who need to be anonymous for valid personal reasons – for instance victims of spousal abuse who need to hide from their abusers or people who criticize their government or employer in repressive countries – to do so safely. But it also leaves the Web totally open to any kind of illegal as well as legal activity. Henry should know: he spent his FBI career chasing, and often catching, cyber criminals.

Specifically, Henry says, companies operating on the Internet need attribution and assurance. “It’s really important that the organization that’s being connected to understand who’s making that connection. There has to be better assurance as to who is touching that infrastructure, so there’s credibility and reliability. Being unable to do attribution, we’re unable to deter, we’re not able to go out and block. Without that the attacks will get grander and bolder, the amount of loss will continue to increase, and that is absolutely not a sustainable model long term.”

This is particularly important in financial services and when protecting the industrial control systems that maintain the nation’s infrastructure. Today the electrical grids worldwide are basically open to attack, protected only by rudimentary password defenses and firewalls that the new breed of cyber criminals has already shown it can easily circumvent. The same kind of sophisticated malware used in Stuxnet could in principle infect the key control systems of the nation’s electrical grid and trigger a nationwide blackout. Recovery could take months or years, depending on the kind and amount of damage done.

“It’s one of these mutually assured destruction things,” says Mike Rothman, analyst and president of security consultancy Securosis. “Every nation knows they are equally vulnerable and that any attack will trigger a devastating counter-attack.”

And small countries can play this game just as well as large ones. “You have to be a certain size country to be able to field an air force, for example,” Rothman says. “But there aren’t as many restrictions on hackers.”

The United States and Israel have already attacked Iran’s infrastructure with Stuxnet. No one wants to speculate on whether Iran is capable of an attack on the infrastructures of Israel and the United States.

Building security into the Internet will, of course, not by itself end cyber-crime, and it certainly will not defeat the very sophisticated, state-sponsored players in Cyber Wars. But it would make things more difficult for the criminals and help to level the playing field that today is definitely tilted against legal businesses and governments. Henry says that “the market and technologies need to make the determination as to what the right way forward is.” That is one reason that he elected to join CrowdStrike after retiring from the FBI.

“I believe there is a lot more we can be doing,” he says. “I have said many times that the private sector needs to innovate, the private sector needs to step up, the market’s going to drive these initiatives. And here I was presented with the opportunity to join a company whose vision was very much in line with my vision of what I wanted to do.”

