20 Years After 9/11: How US Cybersecurity Landscape EvolvedThe Priority Has Shifted From Physical Threats to Cyber Concerns
In the 20 years since the Sept. 11, 2001, Al-Qaida terrorist attacks on targets in the U.S., the need to shore up critical infrastructure and build resilience into systems remains a priority for the federal government as well as the businesses that operate these facilities.
But according to experts, over the past two decades, concerns about physical attacks have been displaced by the equally large concern of cyberthreats.
The basic issues that cybersecurity professionals are dealing with in 2021 - including information assurance, insider threats and access management - were in play in 2001. But 20 years ago, there was more concern about physical security breaches. The move toward cyber was taking place, however, according to some former government and industry professionals.
"At the time, almost all cybersecurity focus was placed on how physical security compromises might impact cyber," says Jake Williams, formerly of the U.S. National Security Agency's elite hacking team and currently CTO at BreachQuest.
Roger Caslow, CISO at the Virginia-based water treatment firm HRSD and formerly an intelligence analyst with the U.S. Defense Intelligence Agency, says the basic goal of dealing with data - being able to make it available to the end user - has not changed. The main difference now, he says, is the cloud.
"There was no cloud issue because it actually wasn't there yet," Caslow says. "They weren't really concerned with breaches much back then. They were maintaining the availability of the data to the user."
20 Years of Evolution
In the past two decades, the whole notion of security has changed, including the terms used to describe the problems.
"It wasn't cybersecurity; it was information security. And it wasn't called AI; it was called neural networks," says Etay Maor, a former researcher with the International Institute for Counter-Terrorism and currently senior director of cybersecurity strategy at Cato Network.
Although the terminology has changed over the years, Maor notes, the threats have remained the same. He says he recently looked back on some research and notes from 10 years ago, and he was surprised at how much it resembled something he'd write today.
"You see almost the exact same concerns. Maybe there was no zero trust, but there was endpoint security and access control. It wasn't called IAM; it was called access control. All these things were around at the time," Maor says.
Caslow points out that access control was the key in 2001 and remains so today. Twenty years ago, there was a lot of physical access to control because the data was stored in file cabinets, he says.
"A lot of it [at the time] was about the integrity of the data, whether it was a financial transaction, the audit of confidential data, if it was secret, top-secret or classified some other way," Caslow notes, adding that even the basic concept of risk assessment was barely on the radar.
There were also few tools in place at the time to protect data that was stored electronically, Caslow says.
"There are so many technologies that have come into play, and most of them are focused on the single-core attribute of security access," he says. But in the end, he adds, if there was a failure and access was given or taken - physically or electronically - by a threat actor, all was lost.
Defenders have made positive changes in the area of critical infrastructure during the 20 years since Sept. 11.
The Biden administration has done a good job at shining a light on the security shortcomings in the nation's critical infrastructure, which can then help shore up both the physical and cyber capabilities of power plants, oil and gas facilities, and the electrical grid, says Chris Painter, who served as the U.S. State Department's top cyber official during the Obama administration and is also a former Justice Department prosecutor.
"All the precautions we have taken to harden critical infrastructure and all the focus on cybersecurity issues is a kind of rising tide that lifts all boats, and so these precautions can prevent a lot of different threats, including those [terrorist] threats," Painter says.
Another part of the nation's infrastructure that received attention after 9/11 was the country's financial institutions and how the federal government tracked money flowing through a system that could hide terrorist activity or funding. While Painter has issues with some parts of the PATRIOT Act, which came into law in the wake of the Sept. 11 terrorist attacks, he notes that expanded know-your-customer provisions and anti-money laundering statutes are helping combat some forms of cyberthreats that the U.S. now is confronting.
For instance, these laws can be applied to cryptocurrency that helps fuel ransomware attacks and could be used by terrorists to hide their activities, Painter notes.
"We're not saying 'ban cryptocurrency,' but we are saying that there are laws out there - such as know-your-customer rules and anti-money laundering rules - that we can apply more rigorously to this new system," Painter says. "And while some of these laws are a pain to homebuyers when applying for a loan, they do make it harder for money to move around and that's a key feeder to terrorism. … Strangling the money flow is really important, and tracking the money flow is important because that helps you in investigations."
Threats in 2001
While problems such as access control are somewhat timeless, the security pros also note what was not a concern in 2001.
Maor says that attacks such as ransomware existed but only on a very small scale. Other major threats faced today - such as third-party and supply chain attacks - were not even thought of at the time.
But other attacks were taking place.
"We did see all kinds of attacks. A lot of it was more around viruses and malware. Cybercrime was just starting to pick up," he says.
The advent of cybercrime led to the development of bitcoin and cryptocurrencies, which are outside the basic framework of cybersecurity but are currently having a major impact.
"The introduction of bitcoin and cryptocurrency [allow cybercriminals] to remain more anonymous. There was a time I remember, not 20 years ago but a little bit after that, when some criminals tried to get money through Western Union or those prepaid cards," Maor says. "Now that you have bitcoins, [it has] become a lot easier - both transactionwise and to find their tracks."
ISMG Managing Editor Scott Ferguson contributed to this story.