Homeland Security Watch

News and analysis of critical issues in homeland security

April 23, 2012

What Is The Nature of the Cyber Threat?

Filed under: Cybersecurity — by Arnold Bogis on April 23, 2012

As Ms. Herrera-Flanigan introduced in her last post, it is “Cybersecurity Week” for the U.S. House of Representatives. I am going to go out on a limb and guess that it will be neither as popular as the Cherry Blossom Festival nor as successful as the Washington Nationals’ pitching staff so far this baseball season.

The problem is not that cyber issues are not important or do not deserve attention.  Legislative action, though almost never the panacea perceived in Washington, would likely be helpful.  The larger issue is that cyber _____ (insert your favorite descriptor here: war, crime, espionage, terrorism, etc.) is terribly difficult to define.

Exactly what is the problem and who should be worried about it? What are the threat and the potential consequences of a successful…something?

Starting with the “hair on fire” group, you have national security mavens such as former Special Advisor to the President for Cyber Security (among other things) Richard Clarke, who is concerned about cybercrime:

FOR the last two months, senior government officials and private-sector experts have paraded before Congress and described in alarming terms a silent threat: cyberattacks carried out by foreign governments. Robert S. Mueller III, the director of the F.B.I., said cyberattacks would soon replace terrorism as the agency’s No. 1 concern as foreign hackers, particularly from China, penetrate American firms’ computers and steal huge amounts of valuable data and intellectual property.

But by failing to act, Washington is effectively fulfilling China’s research requirements while helping to put Americans out of work. Mr. Obama must confront the cyberthreat, and he does not even need any new authority from Congress to do so.

And cyberwar:

Congress should demand answers to questions like: What is the role of cyber war in US military strategy? Is it acceptable to do “preparation of the battlefield” by lacing other countries’ networks with “Trojan horses” or “back doors” in peacetime? Would the United States consider a preemptive cyber attack on another nation? If so, under what circumstances? Does US Cyber Command have a plan to seize control and defend private sector networks in a crisis? Do the rules of engagement for cyber war allow for military commanders to engage in “active defense” under some circumstances? Are there types of targets we will not attack, such as banks or hospitals? If so, how can we assure that they are not the victims of collateral damage from US cyber attacks?

More recently John Brennan, the President’s Counterterrorism and Homeland Security Adviser, took to the Opinion page of the Washington Post to make a similar argument about the threat of cyberattacks:

Before the end of the next business day, companies in every sector of our economy will be subjected to another relentless barrage of cyberintrusions. Intellectual property and designs for new products will be stolen. Personal information on U.S. citizens will be accessed. Defense contractors’ sensitive research and weapons data could be compromised.

Our critical infrastructure — power plants, refineries, transportation systems and water treatment centers — depend on the integrity and security of their computer networks. Approximately 85 percent of this infrastructure is owned and operated by the private sector. Last year alone, there were nearly 200 known attempted or successful cyberintrusions of the control systems that run these facilities, a nearly fivefold increase from 2010. And while most companies take proper precautions, some have unfortunately opted to accept risks that, if exploited, would endanger public safety and national security.

However, noted cyber scholar Evgeny Morozov would like to push down on the brake:

Both Messrs. McConnell and Clarke—as well as countless others who have made a successful transition from trying to fix the government’s cyber security problems from within to offering their services to do the same from without—are highly respected professionals and their opinions should not be taken lightly, if only because they have seen more classified reports. Their stature, however, does not relieve them of the responsibility to provide some hard evidence to support their claims. We do not want to sleepwalk into a cyber-Katrina, but neither do we want to hold our policy-making hostage to the rhetorical ploys of better-informed government contractors.

Steven Walt, a professor of international politics at Harvard, believes that the nascent debate about cyberwar presents “a classical opportunity for threat inflation.” Mr Walt points to the resemblance between our current deliberations about online security and the debate about nuclear arms during the Cold War. Back then, those working in weapons labs and the military tended to hold more alarmist views than many academic experts, arguably because the livelihoods of university professors did not depend on having to hype up the need for arms racing.

Markus Ranum, a veteran of the network security industry and a noted critic of the cyber war hype, points to another similarity with the Cold War. Today’s hype, he says, leads us to believe that “we need to develop an offensive capability in order to defend against an attack that isn’t coming—it’s the old ‘bomber gap’ all over again: a flimsy excuse to militarize.”

The main reason why this concept conjures strong negative connotations is because it is often lumped with all the other evil activities that take place online—cybercrime, cyberterrorism, cyber-espionage. Such lumping, however, obscures important differences. Cybercriminals are usually driven by profit, while cyberterrorists are driven by ideology. Cyber-spies want the networks to stay functional so that they can gather intelligence, while cyberwarriors—the pure type, those working on military operations—want to destroy them.

All of these distinct threats require quite distinct policy responses that can balance the risks with the levels of devastation. We probably want very strong protection against cyberterror, moderate protection against cybercrime, and little to no protection against juvenile cyber-hooliganism.

Perfect security—in cyberspace or in the real world—has huge political and social costs, and most democratic societies would find it undesirable

As you continue to dig deeper, you will find vigorous, continued disagreement about various aspects of the cybertopic. For example, Foreign Policy published he said/he said articles on cyberwar. On the “eh” side, Thomas Rid:

Time for a reality check: Cyberwar is still more hype than hazard. Consider the definition of an act of war: It has to be potentially violent, it has to be purposeful, and it has to be political. The cyberattacks we’ve seen so far, from Estonia to the Stuxnet virus, simply don’t meet these criteria.

Indeed, there is no known cyberattack that has caused the loss of human life. No cyberoffense has ever injured a person or damaged a building. And if an act is not at least potentially violent, it’s not an act of war. Separating war from physical violence makes it a metaphorical notion; it would mean that there is no way to distinguish between World War II, say, and the “wars” on obesity and cancer. Yet those ailments, unlike past examples of cyber “war,” actually do kill people.

Pushing back, noted RAND scholar and co-author of the influential book, “The Advent of Netwar,” John Arquilla:

Cyberwar is here, and it is here to stay, despite what Thomas Rid and other skeptics think.

But another notion arose alongside ours — that cyberwar is less a way to achieve a winning advantage in battle than a means of covertly attacking the enemy’s homeland infrastructure without first having to defeat its land, sea, and air forces in conventional military engagements.

I have been bemused by the high level of attention given to this second mode of “strategic cyberwar.” Engaging in disruptive cyberattacks alone is hardly a way to win wars. Think about aerial bombing again: Societies have been standing up to it for the better part of a century, and almost all such campaigns have failed. Civilian populations are just as likely, perhaps even more so, to withstand assaults by bits and bytes. If highly destructive bombing hasn’t been able to break the human will, disruptive computer pinging surely won’t.

Rid seems especially dubious about the potential for this form of strategic cyberwar. And rightly so. But there is ample evidence that this mode of virtual attack is being employed, and with genuinely damaging effects.

Returning to cybercrime, Melissa Hathaway, former acting senior director for cyberspace on the National Security Council, wants to take a “Byte Out of Cybercrime:”

This paper provides a brief overview of the cybercrime problem and examines five case studies to demonstrate that, while national and international law enforcement authorities are working together to address cybercrime, with additional tools they could make even more progress going forward. Today’s efforts are under-resourced and hampered by outdated laws. Nonetheless, by sharing actionable information and applying novel interpretations of the law, authorities around the globe are finding ways to address the cybersecurity problem. The recommendations that follow the case studies seek to build on the successes and lessons learned.

While two Microsoft researchers want us all to take a deep breath and point out some potential problems in trying to estimate the consequences:

We have examined cybercrime from an economics standpoint and found a story at odds with the conventional wisdom. A few criminals do well, but cybercrime is a relentless, low-profit struggle for the majority. Spamming, stealing passwords or pillaging bank accounts might appear a perfect business. Cybercriminals can be thousands of miles from the scene of the crime, they can download everything they need online, and there’s little training or capital outlay required. Almost anyone can do it.

Well, not really.

The harm experienced by users rather than the (much smaller) gain achieved by hackers is the true measure of the cybercrime problem. Surveys that perpetuate the myth that cybercrime makes for easy money are harmful because they encourage hopeful, if misinformed, new entrants, who generate more harm for users than profit for themselves.

Are you confused yet?  I am.  And noted political scientist Joseph Nye does not want to make it any easier by asking simple questions:

The United States may be ahead of other countries in its offensive capabilities in cyber, but because it depends so much on cyber, it is also more vulnerable. What, then, should our policy be? When it comes to thinking about cyber, we are at about the same place people were in 1950 when thinking about the nuclear revolution. We know it is something new and big and that it is transformative, but we haven’t thought out what offense means, what defense means. What is deterrence in such a world? What is strategy? How do we fit the pieces together? Can we establish rules of the road? Can we find an analogue in arms control, or is that an unlikely model for something that is apparently unverifiable? The first efforts at arms control didn’t bear fruit until twenty years after the first nuclear explosion and came about largely to deal with third parties (the Nuclear Non-Proliferation Treaty) or because of concerns with environmental fallout (the Limited Test Ban Treaty). Not until the 1970s, some thirty years after the technology emerged, were the first bilateral arms control agreements signed, and not until the 1980s did leaders of the two superpower nations proclaim that nuclear war cannot be won and must never be fought. Forty years were needed to develop a powerful basic normative agreement. In cyber, we are still around 1950. What this means is that we can no longer treat cyber and the other aspects of power diffusion as something to be left to the technocrats or the intelligence specialists.

We have to develop a broader awareness in the public and in the policy community to be able to think clearly about how we trade off different values and develop sensible strategies for cyber.

So where does this all leave us? With a whole bunch of questions:

What are the cyber threats we should worry about the most?

What cyber threats should be considered “homeland security,” “national security,” “economic security,” or something else entirely?

How can we delineate what are personal, business/NGO, or local/state/federal responsibilities for cybersecurity?

How can we divide up the responsibility pie between all the various actors at the federal level–DHS, DOD, State, etc.?

Will Hollywood do the right thing and resist any temptation to remake “War Games?”

So many questions and, at this point, so few answers.


7 Comments »

Comment by William R. Cumming

April 23, 2012 @ 4:47 am

Terrific post so thanks for the effort a major one no doubt Arnold. I fall into the category that there should be created in the Congress before this legislation is enacted, probably the next Congress in reality when I expect both Houses to be in a Republican majority major restructuring of Committees, including new Joint Committees on National and Homeland Security and these new joint committees would have prominent cyber security subcommittees. The subject is too technical for a largely ignorant Congress to legislate on without making major errors.

And convinced that major breaches are under reported mandatory reporting for analysis to some entity needs to be adopted promptly.

Comment by Claire B. Rubin

April 23, 2012 @ 6:01 am

Sorry to rain on the parade, but I do not think a blog is not the right medium for lengthy statements/ challenges/essays if you want to foster discussion.

Comment by Alan Wolfe

April 23, 2012 @ 7:51 am

Cyberwar is the new WMD, and by that, I mean the incessant hyping, misinterpretation, and strawman development to support aggrandized agendas and fund-raising.

Comment by William R. Cumming

April 23, 2012 @ 10:14 am

Well Alan the real Weapons of Mass Destruction are the politicians, banksters, hedgeters and others that feel they are “owed” by everyone else.

Comment by Arnold Bogis

April 23, 2012 @ 4:46 pm

Thanks Bill. I agree regarding Congress’ technical abilities, though I suppose while it would be nice to have a few more sitting Representatives or Senators with a science background I’m more concerned about the level of the staffers’ technical knowledge.

Ms. Rubin, apologies if the quoted text went on a bit long. I was attempting to share a small portion of the multitude of various cyber-related opinions/conversations that exist out there that might possibly escape the wider notice of the homeland security community (mostly because they have day jobs and are likely not to have the time to always read Foreign Policy or RAND reports). And I suppose we have different opinions on the different forms blog postings can take, though I would agree your statement would be true if you replace “blog” with “Twitter.” That would get really annoying…

Alan, not cyber-related but if you haven’t already read it you might be interested in this recent Foreign Affairs piece by Micah Zenko and Michael Cohen: “Clear and Present Safety.” http://www.foreignaffairs.com/articles/137279/micah-zenko-and-michael-a-cohen/clear-and-present-safety

(It was out from behind the paywall for awhile, but appears to be protected again from the unwashed masses. If you don’t have access, the Boston Globe offered up a long review of their essay: http://articles.boston.com/2012-04-22/ideas/31372679_1_foreign-policy-threats-military-solutions)

Comment by KNG

April 24, 2012 @ 10:19 pm

A cyber threat is a very real threat. Unlike the Cold War threat of nuclear weapons, a cyber attack might not be deadly, but just as devastating. Numerous aspects of our lives rely upon vulnerable cyberspace- banking systems, electrical and utilities, military, communications, etc. A cyber attack on critical infrastructure could significantly disrupt our economy, communications, and infrastructure and be a risk to homeland security. Because of this, all aspects of our country, including public, private, and military sectors, should be organized and prepared to defend against a cyber attack as well as have the plans and mechanisms in place to react and respond to a significant cyber attack. We need to ensure that a cyber attack, if not defended against, will have minimal disruption and the continuity of government and critical infrastructure is maintained. We should not bury our heads in the sand and assume there is no cyber threat or that it is not significant enough. Our country needs to be prepared and able to maintain homeland security in cyber space before a cyber attack occurs.

