Cyber Info War

Take Me To Your Leader

Public Trust and Resilience are Keys to Cyber Security

Alan D. Campen
September 2009

 

      Cyber threat now rivals terrorism and weapons of mass destruction! That's the message in the latest effort to rouse the public from slumber adduced by ignorance, indifference, apathy, confusion and denial.

      Government is inundated with reports and studies from think-tanks, academia, prestigious government research agencies and the cyber security industry, each decrying the weak and deteriorating state in our cyber defenses and proffering advice to the new administration.

      Alarm over the vulnerability of our critical infrastructures is not new. It reaches back at least to 1998 and Presidential Decision Directive 63 establishing a White House structure to strengthen cyber defenses. Next came The National Strategy to Secure Cyberspace in 2003, followed by Homeland Security Directive 7 and then the still-classified Comprehensive National Cybersecurity Initiative (CNCI) in 2007. None got more than marginal traction with a disinterested public. Now we have the Obama Administration's May 2009 Cyberspace Policy Review.

      Presidential candidate Barack Obama promised to appoint a cyber security official who would "report directly to me" and coordinate all government efforts to protect the nation's networks against spies, criminals and terrorists, and he ordered a "clean-slate" study to assess U.S. policies and structures for cyber security. The response was a report titled Assuring a Trusted and Resilient Information and Communications Infrastructure. It reaffirmed the conviction that the federal government had a responsibility to lead, but found that it lacked the policy and structure to guide. Further, it proclaimed that the U.S. should signal to the world its intent to address this challenge with vision and strong leadership "anchored within the White House".

      A statement of national cyber security policy should be the first order of business for the Obama administration. Absent that, debate over reorganization is pointless and the effectiveness of a cyber leader, wherever located, would be limited.

      Cyber policy first must convince the public that these persistent and highly publicized intrusions into the Internet pose a potential threat to U. S. national and economic security. Only then can the federal government assert a role over the assets of a global commons that is owned, operated, defended and financed almost entirely by the private sector.

      Clearly crime and espionage are rampant and increasing in intensity and pose enormous risk to the intellectual property and privacy of incautious people and institutions, and unfortunately to many innocent as well. But while denial-of-service interruptions are annoying, disruptive, and costly, they are not the prime vulnerability and aren't precursors to the digital Armageddon that alarmists predict.

      Nor do they necessarily presage a cyber-jihad. To the contrary, terrorist organizations appear to value a functioning Internet in furthering their objectives.

      Security expert Bruce Schneier writes that "cyberterrorism is nothing more than a media invention designed to scare people." He adds that while cyberattacks by governments are not to be ignored, we should not confuse "kids playing politics" with war, remembering that "for there to be a cyberwar, there first needs to be a war."

      Also to be factored into any threat assessment is the influence of hyperactive marketing by a competitive information security industry, whose efforts are at times conflated by the media prowling for the illusive "digital Pearl Harbor." (Readers who desire more than anecdotal evidence of vulnerabilities and risks should read the Department of Homeland Security report Information Technology Sector Baseline Risk Assessment, dated August 2009.)

      The Bush administration sought to formalize a public/private partnership to defend the Internet. Industry complained, and it still does, that government cloaks threat details in an unnecessary and counter-productive veil of secrecy, making it difficult for them to know where or how to employ their own internal defenses.

      Evgeny Morozov assessed the divergent views of cyber-threat in a posting on Boston Review, recommending that government define credible dangers in a way that would clearly justify an expanded federal role. In a New York Times op-ed Morozov added that "Unfortunately there is a growing risk that governments...are only intensifying the secrecy that already surrounds anything even remotely connected to cyber-security...[and] fearing future attacks, governments are likely to classify even more information on the subject, making it impossible for the public to understand the real threat."

      Here are more issues to be addressed in cyber policy. First, the whole of the Internet cannot be intensely protected, so attention must first be given to guarding the most critical cross-cutting systems, such as power, transportation and finance. To this end, the 2009 report by the Intelligence and National Security Alliance (INSA), titled Critical Issues for Cyber Assurance Policy Reform, is instructive.

      Second, what is the role of U.S. armed forces in defending the civil components of the information infrastructure? The Internet provides the bulk of the military Global Information Grid, but law inhibits military activities in civil matters. And there are international policy questions as well. The laws of armed conflict (LOAC), which our military spokespersons repeatedly aver will govern their rules of engagement in cyberspace, are silent as to conflict with non-state actors. Further, they don't speak to the difficulty of differentiating between military and civilian assets in the Internet.

      Next, there needs to be a careful assessment of the feasibility of computer network attack (CNA). As John Markoff and Thom Shanker report in their New York Times article, the U.S. did consider attacking Saddam Hussein's bank accounts prior to the Iraq war in 2004, but rejected that option because of its inability to predict second-order effects on global financial networks.

      The potential for unintended consequences, unpredictable collateral damage and the inability to positively identify adversaries and their motives (called attribution) are very real limitations to CNA. These and other concerns are described in a report by The National Research Council titled Technology, Policy, Law and Ethics regarding the U.S. Acquisition and Use of Cyberattack Capabilities. It makes these key points:

  • "Today's policy and legal framework for guiding and regulating the U.S. use of cyberattack is ill-formed, undeveloped, and highly uncertain."
  • "Both the decision-making apparatus for cyberattack and the oversight mechanisms for that apparatus are inadequate."
  • "Secrecy has impeded widespread understanding and debate about the nature and implications of U.S. cyberattack, so the government should engage in a broad, unclassified national debate and discussion about cyberattack policy."
  • "The international legal framework for the laws of armed conflict (LOAC) and the Charter of the United Nations predates the information age, so the application of these principles is uncertain."

      It is also important that cyber policy reflect a cost/benefit assessment of the balance between the human and technical resources devoted to defense. The open Internet architecture requires defending millions of potential access points and so must be policed by a huge, well-trained workforce. Efforts are underway by several government and private organizations to recruit as many as 10,000 young Americans to be the "the next generation of skilled cyber defenders".

      There is merit in increasing cyber awareness in our youth through competitions, scholarships, internship programs and jobs. But this "help-wanted" call should be only an expedient, not one that promises lifetime employment to a huge work force. We ought not be perpetuating what critics call the marginally effective defense mechanism known as "patch mentality" at the network end-points. As one critic said, "it is time to move away from defenses that simply don't work". Instead, we should be reducing the number of Internet access points that need defending, while increasing funding for "game-changing" technology that will enable systems, and perhaps data itself, to self-detect and self-protect: indeed, possibly to self-manage with far less human oversight.

      There are three persuasive reasons to reduce demands for human defenders. First, people are too slow: they can't react at net-speed. Successful defense demands that incursions be detected, evaluated and countered instantly. People can't do that. One analyst notes that while a layered defense may be 99.9 percent reliable, that still represents a security lapse of an average of one minute per week: ample time to launch lurking malware.

      Second, people cost too much. That same analyst observes that while "prices for computing hardware are dropping at a rate of greater than 15 percent per year, the full costs of personnel are rising at roughly 5 percent per year."

      Third, people have limited attention spans and need frequent, expensive refresher training to sustain an acceptable level of situation awareness.

      The Obama administration enters the cyber battleground when, according to a Brookings Institution report, public trust in government is "close to all-time lows". Nevertheless, the words trust and resilience in the Obama 60-day policy review show appreciation of two challenges that must be overcome. Trust means a public convinced that the cyber threat is more than a troublesome distraction to others; that vulnerabilities can be reduced by permitting government to probe ever more deeply into Internet traffic searching for malicious code; and that a federally-led cooperative effort can reduce both the possibility and the probability of attacks.

      Columnist Fareed Zakaria had something other than cyber security in mind when he wrote in Newsweek that the public seems to become engaged only when things reach the crisis level. If so, should the potential catastrophic cyber threat ever materialize, there will be no time for the bully pulpit, town-hall meetings or consensus building.

      Resilience has two components: human and technical. The public must accept the fact that no defense is perfect: that the Internet can't be secured against all threats, and that individuals must be willing and able to manage the consequences when it fails.

      Resilience involves more than bolstering existing terminal defenses. It means having alternative nodes and routes, out-of-band management and control, reserved bandwidth, back-up processes and perhaps even dissimilar software: resources that will permit essential functions to be performed until services are restored. Those resources don't exist today, there being inadequate patriotic or financial incentives for industry to invest in things that don't directly serve enterprise objectives.

      In sum, the Obama administration should concentrate first on drafting a cyber policy that convinces the public about what must be done and why. Then, perhaps, a leader will emerge.

Alan D. Campen, Col. USAF (Ret) is a SIGNAL contributing editor and contributing editor to four books on cyberwar. His website is www.cyberinfowar.com

INSA Cyber Review: https://secure.insaonline.org/pages/INSA%2060%20Day%20Cyber%20Review.htm

DHS risk assessment: http://www.dhs.gov/xlibrary/assets/nipp_it_baseline_risk_assessment.pdf
