9/11: My story

How the information security community can support law enforcement in preventing another large scale attack.

1363297505 0cc28c65b6 b

On Sept. 11, 2001, at 6:45 am, AA flight #1017 lifted off LaGuardia runway #4 on its way to Minneapolis. As it made a lazy right turn over Manhattan and past the twin towers, I remarked to myself how crystal clear the sky was. Having lived in NYC for 25 years, I remembered many peaceful fall mornings like that. Our flight was completely uneventful until we reached MSP airport where chaos was in the air and on the monitors. People were hoping that a small plane had hit the North Tower, but I knew it was a terrorist attack. On such a clear day I knew that no pilot could make that mistake. I didn’t know it would take me a week to get back home.

It feels like a lifetime has passed since 9/11, although it has been only 15 years. We lost friends and neighbors. A pall hung over the city for months and I was hesitant to revisit the place where I had worked as an information security consultant and trainer only a few years earlier. Recently, visiting the new Freedom Tower gave me hope and thanks in our ability to bring out the good in people.

I am also grateful to the FBI, Secret Service and other law enforcement teams that have prevented another similar attack. Supported by the information security community, I believe that they have made great progress in stopping similar attacks. I am noticing more prosecutions for “low level” cybercrimes, like the recent arrest of two men for hacking email accounts of government officials. This is how NYC itself cleaned up in the 1980s…through the “broken windows” program of prosecuting low level street crimes. With all the warts in the CFAA, we need to continue to enforce it against similar types of cybercrimes.

[ MORE 9/11 REMEMBRANCES More than lost buildings ]

The government’s response to 9/11 was to create DHS, now a behemoth of 240,000 employees. Normally, in business, the response to an agile enemy is to create an agile defense. Not so with DHS. On the other hand it is amazing that the number of FBI special agents has increased from 14,000+ to only 19,000 over 2001-2014. Who thinks the cybercrime and terrorist threat increased by only 30% since 2001?  

My conclusion is that our private security community needs to be an active part in preventing terrorism. There will be no government deflector shield. It means being an active member of InfraGard and supporting initiatives like the 2015 Cyber Intelligence Sharing and Protection Act.

The foremost job of security professionals is to help educate the public about good security practices. We know that people are the root cause of many security breaches and that collective bad practices will put our collective government and critical infrastructure at risk. We are reminded of this in the headlines about hacking the 2016 election.

I believe it is also the responsibility of security professionals to support reasonable requests of law enforcement engaged with protecting citizens from crime or terrorist attacks. This covers both incident response and proactive investigations. Questions of privacy are too often cast in black and white terms, with a one size fits all solution. I do have an EFF sticker on my laptop. But have we been too quick to forget that Zacarias Moussaoui was captured in Minnesota a full month before 9/11? The FBI was not able to get a warrant to search his laptop. We need continued, open discussion of privacy and security issues as both the threats and technology change.

Remember Thomas Jefferson: “Eternal vigilance is the price of liberty”.

This article is published as part of the IDG Contributor Network. Want to Join?

New! Download the State of Cybercrime 2017 report