As Ms. Herrera-Flanigan introduced in her last post, it is “Cybersecurity Week” for the U.S. House of Representatives. I am going to go out on a limb and guess that it will neither be as popular as the Cherry Blossom Festival or as successful as the Washington Nationals’ pitching staff so far this baseball season.
The problem is not that cyber issues are not important or do not deserve attention. Legislative action, though almost never the panacea perceived in Washington, would likely be helpful. The larger issue is that cyber _____ (insert your favorite descriptor here: war, crime, espionage, terrorism, etc.) is terribly difficult to define.
Exactly what is the problem and who should be worried about it? What is the threat and the potential consequences of a successful…something?
Starting with the “hair on fire” group, you have national security mavens such as former Special Advisor to the President for Cyber Security (among other things) Richard Clarke, who is concerned about cybercrime:
FOR the last two months, senior government officials and private-sector experts have paraded before Congress and described in alarming terms a silent threat: cyberattacks carried out by foreign governments. Robert S. Mueller III, the director of the F.B.I., said cyberattacks would soon replace terrorism as the agency’s No. 1 concern as foreign hackers, particularly from China, penetrate American firms’ computers and steal huge amounts of valuable data and intellectual property.
But by failing to act, Washington is effectively fulfilling China’s research requirements while helping to put Americans out of work. Mr. Obama must confront the cyberthreat, and he does not even need any new authority from Congress to do so.
Congress should demand answers to questions like: What is the role of cyber war in US military strategy? Is it acceptable to do “preparation of the battlefield” by lacing other countries’ networks with “Trojan horses” or “back doors” in peacetime? Would the United States consider a preemptive cyber attack on another nation? If so, under what circumstances? Does US Cyber Command have a plan to seize control and defend private sector networks in a crisis? Do the rules of engagement for cyber war allow for military commanders to engage in “active defense” under some circumstances? Are there types of targets we will not attack, such as banks or hospitals? If so, how can we assure that they are not the victims of collateral damage from US cyber attacks?
More recently John Brennan, the President’s Counterterrorism and Homeland Security Adviser, took to the Opinion page of the Washington Post to make a similar argument about the threat of cyberattacks:
Before the end of the next business day, companies in every sector of our economy will be subjected to another relentless barrage of cyberintrusions. Intellectual property and designs for new products will be stolen. Personal information on U.S. citizens will be accessed. Defense contractors’ sensitive research and weapons data could be compromised.
Our critical infrastructure — power plants, refineries, transportation systems and water treatment centers — depend on the integrity and security of their computer networks. Approximately 85 percent of this infrastructure is owned and operated by the private sector. Last year alone, there were nearly 200 known attempted or successful cyberintrusions of the control systems that run these facilities, a nearly fivefold increase from 2010. And while most companies take proper precautions, some have unfortunately opted to accept risks that, if exploited, would endanger public safety and national security.
However, noted cyber scholar Evgeny Morozov would like to push down on the brake:
Both Messrs. McConnell and Clarke—as well as countless others who have made a successful transition from trying to fix the government’s cyber security problems from within to offering their services to do the same from without—are highly respected professionals and their opinions should not be taken lightly, if only because they have seen more classified reports. Their stature, however, does not relieve them of the responsibility to provide some hard evidence to support their claims. We do not want to sleepwalk into a cyber-Katrina, but neither do we want to hold our policy-making hostage to the rhetorical ploys of better-informed government contractors.
Steven Walt, a professor of international politics at Harvard, believes that the nascent debate about cyberwar presents “a classical opportunity for threat inflation.” Mr Walt points to the resemblance between our current deliberations about online security and the debate about nuclear arms during the Cold War. Back then, those working in weapons labs and the military tended to hold more alarmist views than many academic experts, arguably because the livelihoods of university professors did not depend on having to hype up the need for arms racing.
Markus Ranum, a veteran of the network security industry and a noted critic of the cyber war hype, points to another similarity with the Cold War. Today’s hype, he says, leads us to believe that “we need to develop an offensive capability in order to defend against an attack that isn’t coming—it’s the old ‘bomber gap’ all over again: a flimsy excuse to militarize.”
The main reason why this concept conjures strong negative connotations is because it is often lumped with all the other evil activities that take place online—cybercrime, cyberterrorism, cyber-espionage. Such lumping, however, obscures important differences. Cybercriminals are usually driven by profit, while cyberterrorists are driven by ideology. Cyber-spies want the networks to stay functional so that they can gather intelligence, while cyberwarriors—the pure type, those working on military operations—want to destroy them.
All of these distinct threats require quite distinct policy responses that can balance the risks with the levels of devastation. We probably want very strong protection against cyberterror, moderate protection against cybercrime, and little to no protection against juvenile cyber-hooliganism.
Perfect security—in cyberspace or in the real world—has huge political and social costs, and most democratic societies would find it undesirable
As you continue to dig deeper, one will find a vigorous continued disagreement about various aspects of the cybertopic. For example, Foreign Policy published he said/he said articles on cyberwar. On the “eh” side, Thomas Rid:
Time for a reality check: Cyberwar is still more hype than hazard. Consider the definition of an act of war: It has to be potentially violent, it has to be purposeful, and it has to be political. The cyberattacks we’ve seen so far, from Estonia to the Stuxnet virus, simply don’t meet these criteria.
Indeed, there is no known cyberattack that has caused the loss of human life. No cyberoffense has ever injured a person or damaged a building. And if an act is not at least potentially violent, it’s not an act of war. Separating war from physical violence makes it a metaphorical notion; it would mean that there is no way to distinguish between World War II, say, and the “wars” on obesity and cancer. Yet those ailments, unlike past examples of cyber “war,” actually do kill people.
Pushing back, noted RAND scholar and co-author of the influential book, “The Advent of Netwar,” John Arquilla:
Cyberwar is here, and it is here to stay, despite what Thomas Rid and other skeptics think.
But another notion arose alongside ours — that cyberwar is less a way to achieve a winning advantage in battle than a means of covertly attacking the enemy’s homeland infrastructure without first having to defeat its land, sea, and air forces in conventional military engagements.
I have been bemused by the high level of attention given to this second mode of “strategic cyberwar.” Engaging in disruptive cyberattacks alone is hardly a way to win wars. Think about aerial bombing again: Societies have been standing up to it for the better part of a century, and almost all such campaigns have failed. Civilian populations are just as likely, perhaps even more so, to withstand assaults by bits and bytes. If highly destructive bombing hasn’t been able to break the human will, disruptive computer pinging surely won’t.
Rid seems especially dubious about the potential for this form of strategic cyberwar. And rightly so. But there is ample evidence that this mode of virtual attack is being employed, and with genuinely damaging effects.
Returning to cybercrime, Melissa Hathaway, former acting senior director for cyberspace on the National Security Council,wants to take a “Byte Out of Cybercrime:”
This paper provides a brief overview of the cybercrime problem and examines five case studies to demonstrate that, while national and international law enforcement authorities are working together to address cybercrime, with additional tools they could make even more progress going forward. Today’s efforts are under-resourced and hampered by outdated laws. Nonetheless, by sharing actionable information and applying novel interpretations of the law, authorities around the globe are finding ways to address the cybersecurity problem. The recommendations that follow the case studies seek to build on the successes and lessons learned.
While two Microsoft researchers want us all to take a deep breath and point out some potential problems in trying to estimate the consequences:
We have examined cybercrime from an economics standpoint and found a story at odds with the conventional wisdom. A few criminals do well, but cybercrime is a relentless, low-profit struggle for the majority. Spamming, stealing passwords or pillaging bank accounts might appear a perfect business. Cybercriminals can be thousands of miles from the scene of the crime, they can download everything they need online, and there’s little training or capital outlay required. Almost anyone can do it.
Well, not really.
The harm experienced by users rather than the (much smaller) gain achieved by hackers is the true measure of the cybercrime problem. Surveys that perpetuate the myth that cybercrime makes for easy money are harmful because they encourage hopeful, if misinformed, new entrants, who generate more harm for users than profit for themselves.
Are you confused yet? I am. And noted political scientist Joseph Nye does not want to make it any easier by asking simple questions:
The United States may be ahead of other countries in its offensive capabilities in cyber, but because it depends so much on cyber, it is also more vulnerable. What, then, should our policy be? When it comes to thinking about cyber, we are at about the same place people were in 1950 when thinking about the nuclear revolution. We know it is something new and big and that it is transformative, but we haven’t thought out what offense means, what defense means. What is deterrence in such a world? What is strategy? How do we fit the pieces together? Can we establish rules of the road? Can we find an analogue in arms control, or is that an unlikely model for something that is apparently unverifiable? The first efforts at arms control didn’t bear fruit until twenty years after the first nuclear explosion and came about largely to deal with third parties (the Nuclear Non-Proliferation Treaty) or because of concerns with environmental fallout (the Limited Test Ban Treaty). Not until the 1970s, some thirty years after the technology emerged, were the first bilateral arms control agreements signed, and not until the 1980s did leaders of the two superpower nations proclaim that nuclear war cannot be won and must never be fought. Forty years were needed to develop a powerful basic normative agreement. In cyber, we are still around 1950. What this means is that we can no longer treat cyber and the other aspects of power diffusion as something to be left to the technocrats or the intelligence specialists.
We have to develop a broader awareness in the public and in the policy community to be able to think clearly about how we trade off different values and develop sensible strategies for cyber.
So where does this all leave us? With a whole bunch of questions:
What are the cyber threats we should worry about the most?
What cyber threats should be considered “homeland security,” “national security,” “economic security,” or something else entirely?
How can we delineate what are personal, business/NGO, or local/state/federal responsibilities for cybersecurity?
How can we divide up the responsibility pie between all the various actors at the federal level–DHS, DOD, State, etc.?
Will Hollywood do the right thing and resist any temptation to remake “War Games?”
So many questions and, at this point, so few answers.