Homeland Security Watch

News and analysis of critical issues in homeland security

February 23, 2015

Cyber: making national security personal

Filed under: Cybersecurity — by Arnold Bogis on February 23, 2015

David  Sanger writes in today’s New York Times of the escalating cyber conflict between the United States and Iran:

A newly disclosed National Security Agency document illustrates the striking acceleration of the use of cyberweapons by the United States and Iran against each other, both for spying and sabotage, even as Secretary of State John Kerry and his Iranian counterpart met in Geneva to try to break a stalemate in the talks over Iran’s disputed nuclear program.

With all the talk about the threat of cyber theft, attack, and even warfare, we should remember that it isn’t a one way street.  Or, in other words, something only done to us:

It detailed how the United States and Britain had worked together to contain the damage from “Iran’s discovery of computer network exploitation tools” — the building blocks of cyberweapons. That was more than two years after the Stuxnet worm attack by the United States and Israel severely damaged the computer networks at Tehran’s nuclear enrichment plant.

The United States is undeniably the sole superpower.  Unsurpassed in military and economic might. Yet, apparently, we are still seduced by tools that seem to promise big bang for the buck:

“The potential cost of using nuclear weapons was so high that no one felt they could afford to use them,” said David J. Rothkopf, the author of “National Insecurity,” a new study of strategic decisions made by several American administrations. But the cost of using cyberweapons is seemingly so low, Mr. Rothkopf said, that “we seem to feel we can’t afford not to use them” and that “many may feel they can’t afford ever to stop.”

The problem is, unlike nuclear weapons, other states and non-state actors are similarly not restrained in employing cyber tools.  Even if, for the time being, they aren’t particularly sophisticated:

The main targets were the websites of Bank of America and JPMorgan Chase. By 2015 standards, those were relatively unsophisticated “denial of service” strikes that flooded the banks with data, so overloading them it was impossible for a time for customers to access their accounts.

What struck me about this article was that last bit. Sure, there are a lot of issues in the cyber domain involved with deterrence, attribution, escalation, and other issues of doctrine.  However what is new, to the United States at least, is that this form of conflict may connect national security and other foreign policy decisions with the everyday lives of Americans in a way that probably hasn’t existed for decades.

For so long, perhaps even during the Cold War but definitely following the collapse of the Soviet Union, the United States has acted with relative impunity around the world. The costs of our involvement in far flung engagements ranging from special forces deployments in Africa to full on war in the Middle East have not been transferred to the American population writ large.  Reasons for this range from our practical conventional military invincibility (at least when it comes to state actors, not insurgencies…) to an enormous nuclear deterrent (which keeps us out of serious conflicts with Russia and China) to an all volunteer force that has become an incredibly lethal and capable machine, but one removed from most Americans’ everyday lives. Even the reluctance of our elected leaders to pay for these actions through anything but borrowing against the future, rather than taxing in the present.

What’s different about cyber is that the U.S., or any other nation, has yet to demonstrate or develop dominance in this space.  We haven’t yet figured out how to deter various levels of cyber incidents.  We haven’t yet been able to articulate, never mind enforce or coerce acceptance, of “rules of cyber war” or their equivalent.  So what has resulted is an ever shifting landscape where Iran can (for now simply) inconvenience U.S. citizens in retaliation for our cyber attack on their uranium enrichment equipment. But how far off in the future is it when they can do more than simply inconvenience us?  Was that their current limit of capability or simply a warning shot across our cyber bow?  How soon until they are able to mine our systems for personal data that can be sold or simply given to malicious third party actors?

This potential to affect the lives of U.S. citizens in such a manner could very well bring into sharper focus our nation’s national security and foreign policy choices for a much broader audience than is currently engaged. Sure, the public likes the veneer in foreign policy of both competence (usually defined as the perception that every other country is doing what the U.S. wishes it would do, regardless of their own national interests) and strength (usually defined as talking tough/occasionally dropping bombs on other countries).

What changes when they perceive they have a lot more skin in the game?  Will elected officials be pressed as to what really are U.S. national security interests vis-a-vis an Iranian nuclear program?  Today, it sounds scary – Iranians are crazy, developing missiles, and want to wipe Israel off the map.  But if you, your parents’, and your neighbors’ financial or medical security and privacy are at stake, what will be identified as the most important threat – an unrealized nuclear program halfway across the world or loosing control of your own personal life?

After that threshold is crossed, what events or global security situations will be reconsidered in the same light?

National security is about to get personal very soon.

Share and Enjoy:
  • Digg
  • Reddit
  • Facebook
  • Yahoo! Buzz
  • Google Bookmarks
  • email
  • Print
  • LinkedIn

7 Comments »

Comment by claire rubin

February 24, 2015 @ 9:10 am

Interesting post. Thanks.

Comment by William R. Cumming

February 24, 2015 @ 9:14 am

Thanks Arnold!
A sentence from the post above:

“The costs of our involvement in far flung engagements ranging from special forces deployments in Africa to full on war in the Middle East have not been transferred to the American population writ large.”

REALLY: How would we know and certainly financial costs imposed on those paying taxes.

And a reminder that if you include cyber security in CIP then the second main mission of the newly created DHS that opened its doors in March 2003 was cyber security.

Comment by William R. Cumming

February 24, 2015 @ 12:33 pm

Check out cyber security issues in 2003 TERMINATOR 3-RISE OF THE MACHINES!

Comment by Arnold Bogis

February 24, 2015 @ 1:54 pm

Bill, I didn’t mean to insinuate that taxpayers never pay a cost for our foreign policy decisions, especially military action. Instead, recently it hasn’t been felt immediately or in the short term due to, for example, raised taxes or cuts in non-military parts of the budget.

I should also clarify that I’m not saying we shouldn’t try to stop Iran from developing nuclear weapons because of the threat of cyber attacks. Just that going forward cyber represents a vector for weaker states to directly make the American public feel something as a result of the actions their elected representatives take.

Comment by William R. Cumming

February 24, 2015 @ 3:27 pm

QUESTION: Any studies of prolonged grid outages? 6 weeks or more?

Most cell phones need recharging every 3 days about the same as restocking of supermarkets!

Comment by William R. Cumming

February 25, 2015 @ 9:49 am

Saw the documentary CITIZEN FOUR on HBO. It raises the key question of the modern age: Does PRIVACY equate to FEEDOM and LIBERTY?

Note that the word PRIVACY does not appear in the CONSTITUTION and its adoption by SCOTUS in the 60’s decision GRISWALD v. CONNECTICUT was its first formulation by SCOTUS.

Trackback by Dror Soref

February 26, 2015 @ 11:56 am

Dror Soref…

Homeland Security Watch » Cyber: making national security personal…

RSS feed for comments on this post. TrackBack URI

Leave a comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>