Take Me to Your Cyber Leader

Public trust and resilience are keys to cybersecurity.

The threat to cyberspace now rivals that of terrorism and weapons of mass destruction. That is the message in the latest effort to rouse the public from slumber induced by ignorance, indifference, apathy, confusion and denial. Government is inundated with reports and studies from think tanks, academia, prestigious government research agencies and the cybersecurity industry—each decrying the weak and deteriorating state in our cyberdefenses and proffering advice to the new administration.

Alarm over the vulnerability of our critical infrastructures is not new. It reaches back at least to 1998 and Presidential Decision Directive 63 (PDD-63) establishing a White House structure to strengthen cyberdefenses. Next came The National Strategy to Secure Cyberspace in 2003, followed by Homeland Security Directive 7 and then the still-classified Comprehensive National Cybersecurity Initiative (CNCI) in 2007. None got more than marginal traction with a disinterested public. Now we have the Obama administration’s May 2009 Cyberspace Policy Review.

Presidential candidate Barack Obama promised to appoint a cybersecurity official who would “report directly to me” and coordinate all government efforts to protect the nation’s networks against spies, criminals and terrorists. He also ordered a “clean-slate” study to assess U.S. policies and structures for cybersecurity. The response was a report titled Assuring a Trusted and Resilient Information and Communications Infrastructure. It reaffirmed the conviction that the federal government had a responsibility to lead, but found it lacked policy and structure to guide. Further, it proclaimed that the United States should signal to the world its intent to address this challenge with vision and strong leadership “anchored within the White House.”

A statement of national cybersecurity policy should be the first order of business for the Obama administration. Absent that, debate over reorganization is pointless, and the effectiveness of a cyber leader—wherever located—would be limited.

Cyber policy first must convince people that these persistent and highly publicized intrusions into the Internet pose a potential threat to U.S. national and economic security. Only then can the federal government assert a role over the assets of a global commons that is owned, operated, defended and financed almost entirely by the private sector.

Clearly crime and espionage are rampant and increasing in intensity and pose enormous risk to the intellectual property and privacy of incautious people and institutions—and, unfortunately, to many innocent as well. But while denial-of-service interruptions are annoying, disruptive and costly, they are not the prime vulnerability and are not precursors to the digital Armageddon that alarmists predict (SIGNAL Magazine, November 2009).

Nor do they necessarily presage a cyber jihad. To the contrary, terrorist organizations appear to value a functioning Internet to further their objectives.

Security expert Bruce Schneier writes that, “Cyberterrorism is nothing more than a media invention designed to scare people.” He adds that while cyberattacks by governments are not to be ignored, we should not confuse “kids playing politics” with war, remembering that “for there to be a cyberwar, there first needs to be a war.”

Also to be factored into any threat assessment is the influence of hyperactive marketing by a competitive information security industry, whose efforts are at times conflated by the media prowling for the illusive “digital Pearl Harbor.” Readers who desire more than anecdotal evidence of vulnerabilities and risks should read the Department of Homeland Security report Information Technology Sector Baseline Risk Assessment, dated August 2009.

The Bush administration sought to formalize a public/private partnership to defend the Internet. Industry complained—and still does—that government cloaks threat details in an unnecessary and counterproductive veil of secrecy, making it difficult for industry to know where or how to employ its own internal defenses.

Evgeny Morozov assesses the divergent views of cyberthreat in a posting on Boston Review recommending that government define credible dangers in a way that would clearly justify an expanded federal role. In a New York Times op-ed, Morozov added that “Unfortunately there is a growing risk that governments … are only intensifying the secrecy that already surrounds anything even remotely connected to cyber-security … [and] fearing future attacks, governments are likely to classify even more information on the subject, making it impossible for the public to understand the real threat.”

More issues remain to be addressed in cyber policy. First, the whole of the Internet cannot be intensely protected, so attention must be given first to guarding the most critical cross-cutting systems, such as power, transportation and finance. To this end, the 2009 report by the Intelligence and National Security Alliance (INSA), titled Critical Issues for Cyber Assurance Policy Reform, is instructive.

Second, what is the role of U.S. armed forces in defending the civil components of the information infrastructure? The Internet provides the bulk of the military Global Information Grid, but the law inhibits military activities in civil matters. And international policy questions loom as well. The laws of armed conflict (LOAC)—which our military spokespersons repeatedly aver will govern their rules of engagement in cyberspace—are silent as to conflict with non-state actors. Further, they do not speak to the difficulty of differentiating between military and civilian assets in the Internet.

Next, there needs to be a careful assessment of the feasibility of computer network attack (CNA). As John Markoff and Thom Shanker report in a New York Times article, the United States did consider attacking Saddam Hussein’s bank accounts prior to the Iraq war in 2003, but rejected that option because of inability to predict second-order effects on global financial networks.

The potential for unintended consequences and unpredictable collateral damage, along with the inability to positively identify adversaries and their motives—called attribution—are very real limitations to CNA. These and other concerns are described in a report by the National Research Council titled Technology, Policy, Law and Ethics regarding the U.S. Acquisition and Use of Cyberattack Capabilities. It cites these key points:

• Today’s policy and legal framework for guiding and regulating the U.S. use of cyberattack is ill-formed, undeveloped and highly uncertain.

• Both the decision-making apparatus for cyberattack and the oversight mechanisms for that apparatus are inadequate.

• Secrecy has impeded widespread understanding and debate about the nature and implications of U.S. cyberattack, so the government should engage in a broad, unclassified national debate and discussion about cyberattack policy.

• The international legal framework for LOAC and the Charter of the United Nations predates the information age, so the application of these principles is uncertain.

It also is important that a cyber policy reflect a cost/benefit assessment of the balance between the human and technical resources devoted to defense. The open Internet architecture requires defending millions of potential access points, so it must be policed by a huge, well-trained work force. Efforts underway by several government and private organizations would recruit as many as 10,000 young Americans to be the “the next generation of skilled cyber defenders.”

There is merit to increasing cyber awareness in our youth through competitions, scholarships, internship program and jobs. But this “help-wanted” call should be only an expedient, not one that promises lifetime employment to a huge work force. We should not be perpetuating the marginally effective defense mechanism that critics call “patch mentality” at the network endpoints. As one critic says, “It is time to move away from defenses that simply don’t work.” Instead, we should be reducing the number of Internet access points that need defending while increasing funding for game-changing technology that will enable systems—and perhaps data itself—to self-detect, self-protect and, indeed, possibly to self-manage with far less human oversight.

Three persuasive reasons exist to reduce demands for human defenders. First, people are too slow; they cannot react at net speed. Successful defense demands that incursions be detected, evaluated and countered instantly. People cannot do that. One analyst notes that while a layered defense may be 99.9-percent reliable, that still represents a security lapse of an average of one minute per week—ample time to launch lurking malware.

Second, people cost too much. That same analyst observes that while “prices for computing hardware are dropping at a rate of greater than 15 percent per year, the full costs of personnel are rising at roughly 5 percent per year.”

Third, people have limited attention spans and need frequent, expensive refresher training to sustain an acceptable level of situational awareness.

The Obama administration enters the cyber battleground when, according to a Brookings Institution report, public trust in government is “close to all-time lows.” Nevertheless, the words trust and resilience in the Obama 60-day policy review show appreciation of two challenges that must be overcome.

Trust means having a public convinced that the cyberthreat is more than a troublesome distraction to others; that vulnerabilities can be reduced by permitting government to probe ever more deeply into Internet traffic searching for malicious code; and that a federally led cooperative effort can reduce both the possibility and the probability of attacks.

Columnist Fareed Zakaria had something other than cybersecurity in mind when he wrote in Newsweek that the public seems to become engaged only when problems reach the crisis level. If so, should the potential catastrophic cyberthreat ever materialize, there will be no time for the bully pulpit, town-hall meetings or consensus building.

Resilience has two components: human and technical. The public must accept the fact that no defense is perfect, that the Internet cannot be secured against all threats, and that individuals must be willing and able to manage the consequences when it fails.

Resilience involves more than bolstering existing terminal defenses. It means having alternative nodes and routes, out-of-band management and control, reserved bandwidth, backup processes and perhaps even dissimilar software. These resources will permit essential functions to be performed until services are restored. These resources do not exist today, there being inadequate patriotic or financial incentives for industry to invest in items that do not directly serve enterprise objectives.

The Obama administration should concentrate first on drafting a cyber policy that convinces the public about what must be done and why. Then, perhaps, a leader will emerge.

Col. Alan D. Campen, USAF (Ret.), is a SIGNAL contributing editor and contributing editor to four books on cyberwar. His Web site is www.cyberinfowar.com