Who's Watching Your Six in Cyberspace?

Many are called, but few are truly effective.

Some risks attend all travel in the domains of land, sea, air and outer space, but in those realms the voyager is afforded a patently acceptable measure of protection by laws, rules, sanctions against misbehavior, and social norms and comity. Aviators, firefighters, law enforcement officials, soldiers and others obliged to function in highly contested domains can seek added protection from partners who warn of danger from their rear perspective—their six o’clock.

Unfortunately, none of this protects travelers in the fourth domain known as cyberspace, and it is unlikely that similar levels of safety ever can be brought to this new, global, undisciplined and constantly evolving domain. Cyberspace is an environment that requires each traveler to evaluate efforts by others to improve security, determine residual vulnerability and then make individual risk/benefit decisions.

The threat is said to be “growing and endless: [with] rampant cyber-crime, increasing identity theft, sophisticated social engineering techniques, relentless intrusions into government networks, and widespread vulnerabilities continuously exploited by a variety of entities ranging from criminal organizations and entrepreneurial hackers to well-resourced espionage actors” (SIGNAL Magazine, December 2008).

The federal government is adjusting to a changing threat. It has shifted emphasis from policing agency adherence to security policies, and it now has focused on investment in science and technology to defend federal information systems. Former President George W. Bush’s Comprehensive National Security Initiative emphasized leap-ahead defensive technologies for intrusion prevention, intrinsic detection, engagement with the private sector and expanded cyber education. Much of this effort and enabling funds remain classified.

The Commission on Cybersecurity for the 44th Presidency assessed the nation’s cyber infrastructure as too fragile and critical to be trusted to the care of individual agencies. President Barack Obama has issued his agenda. It began with a sweeping review of all government plans to use technology to protect its secrets and data, and his fiscal year 2010 budget contains at least $355 million “to make private and public sector cyber infrastructure more resilient and secure.”

However, cybersecurity is both a global and a singular problem that will not be solved solely by technology or by better coordination and cooperation of public and private enterprise—or by a White House czar. As the new cybersecurity report cautions, “Cyberspace spans the globe. No single nation can secure it and any strategy centered on domestic action will be inadequate … .”

Nor can it be secured while the user terminal remains the center of gravity for attack, where the risk to one becomes a risk to all. The computer and the personal digital device are centerpieces in homes and businesses and are essential to social, political, economic and national security purposes. Cybersecurity should be a personal issue and ought to be on the minds of all Americans. The University of Washington’s David Dittrich explains that “those who design, build, operate and defend the computer systems and networks must, in the final analysis, depend upon the responsible actions of citizens who connect into those networks and provide the entry point for malicious activities.”

Are we at war in cyberspace? Not in the Clausewitzian sense, but replace the word “policy” in his Trinity of the essence of warfare with the word “economics,” then ask the manufacturer squeezed out of the market by data exfiltrated from a poorly defended computer.

War may not be the proper term, but a vigorous global economic struggle is underway in cyberspace. The U.S.-China Economic and Security Review Commission reports “43,880 incidents of malicious activity from all sources against [Defense Department] and defense company computers in 2007.” The U.S. Commerce Department reports that theft of intellectual property is estimated to top $250 billion annually along with the loss of 750,000 jobs.

There are limits to what technology and the security software industry can do to mitigate risk. Defense in depth by multiple moats and firewalls is only marginally effective. The marketplace values convenience over security. When these clash, as a senior national counterintelligence executive remarks, “convenience wins hands down.” Another security expert opines, “We’ve had a flawed view of protection: ‘Keep ‘em out’ not only hasn’t worked, but it’s given many a false sense of security.”

A 20-year veteran of this struggle laments that this process “just creates economic opportunity for consultants, products and services to deploy upon both the flawed network foundations and administered by similarly flawed principles, practices and failure tolerances.” Perhaps, he suggests, “just good enough is what we want and will accept.”

His is not the only voice to despair of finding technical solutions to vulnerabilities in a domain that—unlike air, land, sea and space—has no known physical dimensions or boundaries and constantly is morphing to meet user demands. If the fundamental security problem is human nature, even an Einstein will not help.

One group has concluded that Internet security has become so maddeningly elusive that the only solution is to rethink the Internet and start all over. The Stanford University Clean Slate approach was reported in a February 15, 2009, New York Times article titled “Do We Need a New Internet?”

An Argonne National Laboratory report titled A Scientific Research and Development Approach to Cyber Security (SIGNAL Magazine, March 2009) faults cyber defenses as being passive and reactive rather than anticipatory. That study advocates a “game changing” approach analogous to DNA in biological systems that would enable data to relate to its identity, provenance and integrity and determine the ultimate origins of the information—in short, self-protection.

The federal government has aggressive plans to improve cybersecurity over the next few years. One program is the Trusted Internet Connections Initiative (TIC), which seeks to improve security of federal systems by reducing Internet connection points from thousands to dozens. But critics caution that simplifying the task of security through greater consolidation, commonality and reduction of Internet connections also amplifies risk.

Scott Borg, the director and chief economist of the U.S. Cyber Consequences Unit, a nonprofit research institute, argues for a more balanced approach. He points out that “it is important to recognize that some government effort along these lines is probably necessary,” and that “while this is useful and perhaps necessary to reduce the level of human intervention, it also creates uniform and centralized targets that share common access routes and regular labeling conventions.” 

Paul Strassmann, distinguished professor of information sciences at George Mason University, commenting on the risk of centralized management, shared that “there are enormous advantages favoring centralized security management. There are many innovative ways for defeating vulnerability, such as totally isolated access privileges that are based on specific situations.”

Experts from “Strategic Cyber Risk and Response,” a National Defense University-sponsored seminar, agreed that the single greatest impediment to technical solutions to cybersecurity is expressed by the word “anonymity.” Simply put, how can any response be launched against an adversary whose identity and motive cannot be proven positively? Those who advocate a new Internet envision a “gated community” that would require users to foreswear any thought of anonymity.

Should the anxious user look to the military for help? The U.S. armed forces are deeply concerned about the vulnerability of information systems, as many of their direct combat and combat-support functions depend on an unimpeded flow of uncorrupted data through commercial systems. The U.S. Strategic Command is responsible for cybersecurity in the Defense Department. Its commander, Gen. Kevin P. Chilton, USAF, says bluntly, “We are under attack. We are behind. We are reactive. We are not proactive. And, we—all of us—are making it too easy—too easy—for those who would exploit and attack our networks today.” The military is applying some tough love on troops who violate security rules.

Each military service is scrambling to marshal the tools, skills, techniques and organizations to prevail in cyberspace, should that be deemed necessary, appropriate and legal. The Director of National Intelligence issues an annual threat assessment, and it forecasts that disruptive cyber activities will be the norm in future political or military conflicts. The armed forces are carefully assessing implications of the seminal interplay of kinetic and cyberwar unleashed in the conflict between Russia and Georgia and the massive distributed denial-of-service attacks on Estonia and Kyrgyzstan.

The attack on Kyrgyzstan was tracked back to Russian-based servers run by a Russian cybermilitia known to be organized and funded by the Russian government. But whether they were acting with the support or even the knowledge of the Russian government cannot be proven. The inability to positively attribute such activities to specific actors and motives means it is impossible to distinguish among war, crime, terrorism and political maneuvering. Without proof, there is no basis to establish the legal framework to respond to an attack (SIGNAL Magazine, March 2009).

Maj. Gen. William T. Lord, USAF, is charged with developing cyber capabilities for the new 24th Air Force. His response to queries about the military’s role in cyberoperations is straightforward. “[The] same laws of armed conflict that you would use for kinetic weapons apply to the nonkinetic capability for defense as well as offense,” he says.

While experts differ over the best technical approach, they do agree that better education of users would help, but it must address sharply different needs of two distinct groups called digital natives and digital immigrants. John Perry Barlow could not foresee today’s Internet when he issued his 1996 declaration that cyberspace was independent of governments because they had neither the right to rule nor any method of enforcement. He ordained that the culture, ethics and unwritten codes of his digital natives in cyberspace—the home of the mind—would maintain requisite order.

Barlow’s natives are today’s millennials—the 20-somethings who grew up with and cannot function without unlimited use of computers. They appear indifferent to the risks of downloading malicious software from social networks such as MySpace and Facebook. They resent being disciplined about such behavior and seem to believe in safe texting. This clash between the dictates for security and the expectations of unfettered freedom to roam the Internet has obliged government, industry and the military to impose constraints on Internet access.

But also needful of counseling and discipline are the digital immigrants—the ignorant or guileless who “just don’t get it”: that a powered personal digital assistant no longer is personal and may be assisting a stranger; that going mobile bypasses security built into the fixed infrastructure; that uncontrolled file-sharing puts proprietary data at risk; or that it is not wise to Twitter the exact location and destination of a congressional party touring Iraq.

Some day a combination of science, technology, education and discipline may produce an information infrastructure less sensitive to human foibles. But, unless and until then, let’s reflect on the wisdom of Pogo and these words by Thomas Jefferson that answer the question posed by this essay’s title:

“I know no safe depository of the ultimate powers of the society but the people themselves; and if we think them not enlightened enough to exercise their control with a wholesome discretion, the remedy is not to take it from them, but to inform their discretion by education.”

Col. Alan D. Campen, USAF (Ret.), is a SIGNAL contributing editor. His Web site is www.cyberinfowar.com

WEB RESOURCES
Commission on Cybersecurity for the 44th Presidency: www.csis.org/tech/cyber
Barlow Declaration of Cyberspace Independence: http://homes.eff.org/~barlow/Declaration-Final.html