Realizing National Security Imperatives
Using Active Cyber Defenses:
A New Deterrence Model for America
by
Brent W. Guglielmino
OVERVIEW
Since the Stuxnet attack against Iran was discovered in 2010, much has been written about
cyberspace, cyberwar, and cybercrime. Even before Stuxnet, the sheer volume of cyber-related
attacks targeting both public and private sector entities had increased significantly1.
Subsequently, Edward Snowden's revelations regarding the NSA's capabilities2 and the impact
they may have on civil liberties, security, and business, have fueled a groundswell of support,
both within the U.S. and internationally, for more public discourse focused on the idea of
scoping, regulating, and enforcing cyberspace rules, regulations, and standards of conduct.
This public debate is long overdue and may eventually result in a safer, more secure, domain
where we can all exist without fear of being exploited. However, substantive policy
development in cyberspace faces an uphill battle laden with complicated legal and ethical issues
requiring a seldom-seen, collaborative, global effort if progress is to be made.
The challenge of developing adequate governance in cyberspace is manifold. Given the various
interests affected, it will be difficult to reach consensus and nearly impossible to arrive at
solutions that can be implemented globally and uniformly. Yet, it is critically important that we
somehow do just that. America's broader national security interests are being threatened by the
vulnerabilities inherent to cyberspace.
Worse, while technical vulnerabilities certainly exist, they are exacerbated by broader policy
and legal deficiencies which do nothing but undermine the few piecemeal efforts that do exist
aimed at mitigating the threat. In short, the current cyberspace security landscape threatens the
broader security of many of society’s core institutions from banking and finance to medicine,
insurance, and even our physical infrastructure, including air traffic, power generation, and
water safety. The time has come for America to take action to secure her cyberspace interests.
This paper describes the current and emerging cyber landscape, observing what makes
cyberspace unique from its physical counterparts and assessing why it is comparatively difficult
to effectively secure. Next, it broadly outlines the legal landscape as it pertains to cyberspace,
observes threats, vulnerabilities, and consequences associated with our inability to adequately
secure cyberspace, and posits that cyberspace is a global common3 and as such, that effective
cyber security is a societal imperative in an increasingly global economy. Finally, it asserts that
America's national security agenda is best realized through the development of a more secure cyberspace domain and that the best way to achieve a more secure cyber domain is through the use of a deterrence model grounded in an active cyber defense paradigm.
1 TBD source showing an upward trend in the number of attacks
2 Edward Snowden is an American computer specialist and former employee of the National Security Agency who disclosed top secret intelligence documents to the media revealing operational details of a broad, global communications surveillance capability run by the US and certain government and private industry partners. The leaks have been portrayed by many within the US defense and intelligence community as the most significant in US history, and the full scope and long-term implications of his actions have likely yet to come to light. Snowden is currently in exile in Russia and his situation has developed into an ongoing debate between two principal camps: those who think Snowden rendered a great service and a victory for advocates of privacy and civil liberties, and those who feel he is a traitor to his nation and should face the consequences. As of the writing of this paper, Russia has refused extradition to the U.S.
3 Global Commons refers to the areas of the world used commonly by all nations and owned by none. They are the domains through which we carry on international travel, trade, exploration, and commerce, and they include the seas and airspace outside declared territorial boundaries, large portions of the polar regions and space surrounding the Earth.
WHAT IS CYBERSPACE?
When the internet was first conceived in 1958, the world was a vastly different place. There
were no e-mails, cell-phones, laptops, or tablets. There was no such thing as Twitter, Facebook,
or Instagram; in fact, there was no such thing as “social media” at all. Long-distance telephone
communications were very expensive and “snail mail” was considered one of the best means to
communicate over long distances. But for a team of engineers like those employed at the newly
established Advanced Research Projects Agency (ARPA)4 tasked with highly complex, time-
sensitive defense projects, an inexpensive way of communicating in a timely fashion with
colleagues over long-distances was required.
The ARPA engineers who invented the internet certainly had no intention of building a World
Wide Web or an information superhighway, at least not for public use. They just wanted to build
a dedicated professional workspace where they could exchange ideas quickly and inexpensively
over existing architectures in a collaborative setting. Oddly, particularly for a defense-related
agency, security was never a consideration, primarily because no one thought that anyone
outside the group would ever know about or have access to the technology. Little did they
know that in creating that professional workspace, now known as the internet, they had actually
created the enabling technology that would become the backbone of a new global economy and
would lead to some of the most dramatic technological and societal advances in the history of
mankind. They had, in effect, created cyberspace: a virtual place, unlike the physical world,
unbounded by geography and constrained only by imagination and technology.
There is still widespread disagreement as to how to define cyberspace. Many feel cyberspace is
simply the electro-magnetic (EM) spectrum. Others argue that the EM-spectrum is merely the
means by which we traverse cyberspace. We see new definitions all the time, but to help frame
the discussion, this paper uses the current Department of Defense definition of cyberspace as
follows:
“A global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.”5
Although a definition of cyberspace is included in this paper, it is this author's opinion that
defining something which by nature is constantly evolving in terms of scope, speed, and
complexity, is something of a fool's errand. However, for the purposes of this paper it is useful
to have a broadly understood conception of the construct when considering how best to
organize, train, equip, and operate within it. In that context, said definition should be
considered nothing more than a point of departure.
4 The Advanced Research Projects Agency (ARPA), which later became the Defense Advanced Research Projects Agency (DARPA),
was created in 1958 to provide a high-level defense organization capability to formulate and execute R&D projects that would expand the
frontiers of technology.
5 Cyberspace was defined in Deputy Secretary of Defense Memorandum, dated 12 May 2008. While the definition of cyberspace is
accepted across the department, there are still multiple perspectives as to the characterization of cyberspace as a domain.
While the creation of cyberspace has created an endless array of possibilities in nearly every
facet of our lives, the nature of cyberspace as an operational domain akin to the physical
domains of air, space, land, and sea, presents some complex problems for businesses,
governments, and average citizens. Depending upon how one defines it, cyberspace has existed
since at least 1958 (considerably longer if your position is that the electromagnetic spectrum itself
is cyberspace), yet we are only now starting to come to grips with the realities of life in
cyberspace. Why is that? What makes cyberspace so different from its physical counterparts?
Why is it so hard to create a safe and secure cyberspace environment?
Why Is Cyberspace Different?
Cyberspace is different from the physical domains (e.g. land, sea, air, and space) in five very
important ways, all of which shape and define our ability to build an adequate defense within
the domain. Learning how to overcome, or at least accommodate these differences, will be key
to moving forward in developing acceptable cyberspace standards of behavior and
consequently, a more secure and stable global security landscape.
Man-Made
Unlike its physical counterparts, cyberspace is man-made and consequently, it evolves in terms
of scope, speed, and complexity in concert with technology. Put another way, while the seas
have been the seas since the dawn of time, they don't fundamentally change. Water is water,
and no matter how one chooses to interact with it, either sailing over it, swimming in it, or
diving under it, the laws of physics guide everything, including the requirements for
successfully operating in that domain.
The same is true for each of the physical domains, but the fact that cyberspace is defined and
limited only by the rate and use of technology is an enormous difference. It means that what
may be fundamentally true about the characteristics and boundaries of cyberspace today, may
not be true tomorrow. As an example, imagine if one were to build an entire defense strategy
based upon the maritime domain and every couple of years, the physical characteristics of water
itself changed. Worse yet, imagine that not only does water change but it will likely continue to
do so indefinitely and at a constantly accelerating pace! What are the security implications?
From a defense/security perspective, how could a nation ever hope to build a defensive
capability that keeps pace? Imagine the immense costs associated with research and
development, acquisition and fielding, training, doctrine development, and force presentation
for normal weapon systems that we currently use like ships, planes, guns, etc. These things take
years, often decades, to develop. Imagine how much more daunting the task becomes under
these circumstances. How could a nation ever hope to build an effective, lasting defense? This
is exactly the situation facing the U.S. and the rest of the world today vis-à-vis cyberspace.
The implications of this reality are far-reaching. Things that used to make perfect sense within
a stable, physics-based domain no longer do. Due to the speed of technological advancement,
we've now reached the point where even long-accepted maxims like Moore's Law6 have become antiquated relics of the past. In other words, in cyberspace, time itself has become compressed.
6 Moore's Law was postulated by Intel co-founder Gordon Moore in his 1965 article entitled, “Cramming More Components Onto Integrated Circuits”, first published in Electronics magazine. In it, he essentially stated that the capacity and capability of computer hardware doubles approximately every two years. Moore actually specified that the number of transistors on integrated circuits doubles in that time; however, over time, the focus of quoting Moore centered more on the end result of that process, which was to say that computing power (e.g. speed, processing power, memory, etc.) in general doubles over that time.
Cyberspace Compresses Time
Cyberspace compresses time in a number of different ways. The tactical level of war is perhaps the area where this is most pronounced. At this level, within the physical domains, there are tools to help track the tactical actions of an opponent (e.g. radar, sonar, satellite, etc.); in cyberspace, such tools are extremely limited in terms of their capability to track and attribute culpability within a tactically actionable timeframe. Often, attacks just happen as if out of nowhere and, just as often, the defender may not be aware an attack has even occurred until it's far too late.
This reality drives another important point: that the nature, structure and inherent networked architecture of the world today now make it possible for tactical actions to achieve strategic objectives in very little time, from nearly any point on the globe, across any number of attack axes, almost simultaneously. The ability to directly affect strategic targets (e.g. critical infrastructures like power grids, water and chemical facilities, and financial systems) via tactical level attacks, a concept first realized by introduction of the airplane and later augmented by introduction of precision guided munitions and stealth technologies, can now be fully realized via cyberspace.7
At the tactical level in cyberspace, combatants are no longer being asked to keep up with evolutionary changes to technologically static weapon systems tied to equally static delivery platforms, doctrines and employment tactics. In cyberspace, combatants are often confronted with revolutionary changes in the weapons they encounter, commonly known as zero-day attacks.
A zero-day attack is a never-before-seen software attack allowing a defender literally zero days of advance notice of its existence and affording a defender zero opportunity to develop a countermeasure. Such attacks are specifically designed to exploit previously unknown vulnerabilities in a target network or system and are thus highly dependent upon timely and accurate intelligence collection and analysis. Zero-day attacks never manifest physically until they are actually used, so they can't be seen, collected against, or prepared for by defenders unless they are somehow discovered in development.
In short, a well-designed zero-day exploit can be fielded in comparatively short order and is over before the target knows it has even occurred. Further, it may take years to discover. It can be delivered in seconds from almost anywhere and can come from any number of different attack axes simultaneously. Moreover, by the standards of existing case law, when compared to traditional kinetic attacks, zero-day exploits, under certain circumstances, may even be entirely legal and sanctioned by the international community!
7 Historically, prior to the advent of the airplane, combatants first had to traverse through an opponent's fielded military forces, often
via contested terrain such as seas, mountains, rivers, and valleys, often without the use of enabling infrastructures like bridges and roads before they could reach the vital, core, strategic targets of a nation. This all changed as aircraft were able to fly over these obstacles and directly attack
strategic targets located deep inside the opponent's homeland.
In the mid-1970s, U.S. Air Force Colonel John Boyd introduced the concept of the Observe,
Orient, Decide, Act Loop commonly referred to in contemporary military parlance as the
OODA Loop. While its conceptual roots go as far back as Sun Tzu8, the OODA Loop provided
an operational model for Sun Tzu’s concepts and is now considered a foundational principle
within contemporary military circles for achieving success in battle. The OODA Loop clearly
articulates the complex processes involved with combat operations and the various facets which
must be considered by combatants at all levels of war (e.g. tactical, operational, strategic, grand-
strategic) in order to achieve success.
OODA Loop theory teaches that every (combat) decision consists of an OODA Loop
culminating in a decision, suggesting that victory in battle will go to the side that is able to most
quickly complete its own OODA Loop. In other words, to be successful in war, one must make
effective decisions faster than one's opponent. Doing so allows one to seize the tactical
initiative and forces one's adversary to be reactive rather than proactive. It puts the defender on
his heels and makes it much easier to achieve one's offensive objectives.
At its core, the OODA Loop is about speed and accuracy in decision-making. However, in
cyberspace, particularly in a tactical sense, the OODA Loop is for all practical purposes non-
existent. Events occur in fractions of a second, often from undetermined locations, and by
unknown perpetrators. Time is so compressed that in effect, one is left attempting to operate
within an OODA Dot rather than an OODA Loop, and THAT is a game-changer when it comes
to combat operations and/or combating cyber-crime. It requires a level of precise, predictive
intelligence that is uncommon, perhaps even unattainable. Moreover, it also requires a
streamlined process for integrating that intelligence into the hands of the appropriate
operator(s), something that by itself is considered a challenging endeavor by today's standards.
While the effects of time compression on the OODA Loop are tremendous at the tactical level,
at the strategic level, time compression manifests itself in terms of the acquisition, fielding, and
doctrinal development processes. For a defender, this too portends bad things. Imagine being
responsible for compiling a weapons and tactics manual to train friendly forces in battle or for a
computer emergency response team attempting to thwart cyber-criminals. Such manuals are
published regularly by security and defense agencies around the world. They are done so using
extensive intelligence collection, exhaustive research and testing, and by applying practical
lessons-learned.
Until now, the rate of change for such documents has been tied to the pace of the acquisition
process. It takes years, often decades, to develop and field new weapon systems like a bomber,
a tank, or a new class of aircraft carrier. Thus, once written, from a time perspective, it has not
been difficult to regularly update these manuals so they can be used effectively in practice.
Correspondingly, it has not been too difficult, given the appropriate investment of resources, for
nations to develop counter-measures against most threats included in such manuals.
When the first bomber aircraft became a reality, it did not take long before defensive systems
like fighter aircraft, radar, and air defense artillery were developed to counter them. Often, the
information included in these manuals was foundational to developing these counter-measures.
8 Sun Tzu was a Chinese general and philosopher who is believed to have lived from approximately 544 BC to 496 BC. He is generally credited with authoring the classic military and statecraft work, The Art of War, a work which has been highly influential in the development of contemporary military doctrines to this day.
In cyberspace, however, all bets are off. How does one develop a tactics manual to combat a
zero-day attack? The short answer is, you don't. It's simply not possible to develop a
countermeasure for something that hasn't previously existed. All one can really do is attempt to
identify one's own vulnerabilities and mitigate, compensate for, or eliminate them before the enemy
exploits them.
If there is any hope at all of successfully countering a cyber attack, the strategic level
acquisition process, along with the corresponding R&D, testing, fielding, and doctrine
development processes, must radically shift to a significantly faster, more agile model, one that
is comparable to the pace at which adversaries are able to develop cyber weapons. No longer
can defenders take years or decades to develop countermeasures. Rather, they must be
developed in weeks or days, and in some instances hours, to prevent catastrophic consequences.
In short, the entire acquisition process must be tactically responsive and agile because a
properly coordinated cyber attack launched across a suitably broad front in a near simultaneous
manner could yield damage commensurate with a full-fledged nuclear strike.
A cyber attack may not yield as much direct physical damage as a nuclear strike but it would
manifest immediate damage on some of our core capabilities, like water, power, and finances
and there may ultimately be a significant amount of physical damage as well resulting from
second and third order effects (e.g. rioting, looting, etc.). In the end, a cyber attack could render
a nation defenseless, its cornerstone institutions and infrastructures all but destroyed, and its
people reduced to navigating a chaotic, potentially anarchic environment in a matter of
milliseconds.
Cyberspace is Geographically Unconstrained; a.k.a. The Attribution Problem
Another distinctive characteristic of cyberspace is that it is geographically unconstrained. In the
physical sense, this means that those geographical impediments to presenting military force
across a physical domain (e.g. mountains, deserts, rivers, and swamps) no longer exist.
Throughout history, commanders have striven to identify key choke-points in the terrain,
suitable areas to establish forward bases, favorable terrain for employment of artillery, the list is
endless. Battles and wars have largely been decided by which side was better able to take
advantage of geography in order to more effectively present its military forces. In cyberspace,
it is possible to bypass such impediments.
Additionally, and from a legal perspective more importantly, unlike in the physical world,
borders mean nothing in cyberspace. Attacks can occur simultaneously from any number of
locations with little or no warning. They can, and often do, traverse international borders in an
effort to obfuscate their point of origin and make retaliation difficult if not impossible.
According to Dr. Sandro Gaycken of the University of Stuttgart, “Cyber criminals, for instance,
regularly use intermediary computers, hijacked previously [for] their attack. These intermediary
computers are usually distributed worldwide, in a number of countries. This process is called
routing or server hopping and, to a certain degree, it is a standard feature of the internet.
Routing by use of a number of pre-determined hijacked servers makes tracking extraordinarily
difficult.”9
This problem, popularly referred to as the attribution problem, is a fundamental cornerstone of
everything from the laws of war and laws of armed conflict, to international agreements
regarding things such as claims to national territorial waters and airspace, and globally accepted
business norms. In short, if one is unable to attribute responsibility for any given action to a
particular state or non-state actor, it presents a litany of difficulties in terms of validating any
sort of legally justifiable response against an attacker.
Dr. Gaycken points out that tracing an attacker's location with certainty is not easy. “The only
thing a victim of a cyber attack can determine with certainty is the location of the computer
which led to the immediate, last strike against it.”10 While this may be useful in some sense, it
still doesn't conclusively attribute responsibility for the attack, thus introducing just enough
uncertainty into the equation that nations, and often private, non-state actors, are reluctant to
respond due to the legal consequences of doing so without sufficient proof.
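As an added illustration of this limit from the defender's side (example code written for this edit, not part of the paper or of Dr. Gaycken's work), the following Python script parses constructed firewall log lines, tallies connection attempts by source address, and records what the log actually supports: the immediate last-hop address, flagged when it falls in a range the analyst has previously seen acting as a relay. The log lines, the addresses and the relay ranges are all constructed for the example.

```python
"""
Defender-side illustration of the attribution limit described above:
from its own logs a victim can establish the immediate source address of a
connection, not the party behind it. All log lines, addresses and the
"known relay" ranges below are constructed for this example.
"""
import ipaddress
import re
from collections import Counter

# Constructed firewall log lines: timestamp, action, source, destination, port.
SAMPLE_LOG = """\
2014-03-02T10:14:07Z DENY  src=198.51.100.23 dst=10.0.0.5 dport=22
2014-03-02T10:14:08Z DENY  src=198.51.100.23 dst=10.0.0.5 dport=22
2014-03-02T10:14:09Z ALLOW src=198.51.100.23 dst=10.0.0.5 dport=22
2014-03-02T10:15:30Z DENY  src=203.0.113.77  dst=10.0.0.9 dport=3389
2014-03-02T10:15:31Z DENY  src=192.0.2.140   dst=10.0.0.9 dport=3389
2014-03-02T10:15:32Z DENY  src=203.0.113.77  dst=10.0.0.9 dport=3389
"""

# Constructed list of ranges the analyst has previously seen acting as relays
# (compromised hosts, open proxies). A hit means the last hop is even less
# likely to be the real origin; a miss proves nothing about the origin.
KNOWN_RELAY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+src=(?P<src>\S+)"
    r"\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # do not guess at lines that fail to parse
        ev = m.groupdict()
        ev["src"] = ipaddress.ip_address(ev["src"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def assess_sources(events):
    """Summarise per source address what the log evidence can support."""
    counts = Counter(ev["src"] for ev in events)
    findings = {}
    for src, n in counts.items():
        relay = any(src in net for net in KNOWN_RELAY_RANGES)
        findings[str(src)] = {
            "events": n,
            "known_relay": relay,
            # The log establishes the immediate source address and nothing more;
            # volume of events does not raise that to an identity.
            "attribution": "last hop only" + (" (known relay)" if relay else ""),
        }
    return findings


if __name__ == "__main__":
    for src, finding in assess_sources(parse_log(SAMPLE_LOG)).items():
        print(src, finding)
```

Run directly, the script prints one finding per source address. The design point is that the `attribution` field never rises above "last hop only", however many events a source produces, and that a relay-range match lowers confidence in the address rather than naming anyone.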
Worse still, the attribution problem works as a force multiplier in terms of the time compression
phenomenon associated with cyberspace. Since attacks can occur so rapidly and since so much
time may be required to attribute blame and to take any sort of action in response, it truly places
the defender at a disadvantage both operationally and legally.
Operationally, in the physical world, attribution provides the means to retaliate against an
aggressor with certain knowledge that your response will directly affect the culprit. Generally,
in the physical world, when operational actions are taken to conduct an attack or a crime, there
is a physical asset that acts in some sense; one that can be seen, tracked, and attributed
conclusively. If a nation moved bombers from base X to base Y, others could see it. If a nation
chose to launch a missile, sensors would detect it and could attribute the launch conclusively.
Over time, nations have developed methods of intelligence warning, notifying them of when to
expect an attack. They monitor for specific, physics-based imperatives and can anticipate a
logical sequence of required actions necessary to employ the weapon system. Thus, in a general
sense, nations have become quite adept at detection and surveillance of physical assets. This
has served as a foundational capability making it less likely that attacks will occur since the
identity of the attacker is not in question and they are often not inclined to endure the impact of
a potential counterstrike.
While history is replete with examples of intelligence failures, with the advent of space-based
collection platforms, internet connectivity, and advanced surveillance technologies, in the
modern-era, these failures, particularly as they pertain to actions taken within a physical
domain, are generally attributable to failures to discern enemy intentions rather than enemy
capabilities and actions. So, while it is doubtful a military build-up and invasion the size of
China's 1950 incursion into North Korea could ever again go undetected in the physical world, the
same is not true of cyberspace.
9 Gaycken, pg. 2
10 Gaycken, Dr. Sandro, The Necessity of (Some) Certainty - A Critical Remark Concerning Matthew Sklerov’s Concept of “Active Defense”, Journal of Military and Strategic Studies, Volume 12, Issue 2, Winter 2010, http://www.jmss.org/jmss/index.php/jmss/article/viewFile/293/304
In cyberspace, a massive assault emanating from multiple unidentifiable locations, targeting
multiple components of a defender's networks and systems, could occur with little or no
warning, resulting in devastating effects. According to Dr. Gaycken, when it comes to
cyberspace, “Not only does the type of actor need to be identified, but the location needs to be
identified as well...accurate identification of an attacker’s location is a clear necessity...”.11
Unfortunately, in cyberspace, this sort of attribution is extremely difficult to achieve and from a
tactical perspective, virtually impossible, at least in an actionable time-frame.
Exacerbating the problem is the fact that not all nations have the same rules of etiquette in
cyberspace. This is partly because of a lack of supervisory capability but also due in part to the
fact that some states might even find it advantageous to employ or allow citizens or private
contractors to conduct cyber attacks on their behalf. These individuals may or may not even
reside within the host state.
While a defender may ultimately be able to track an attack all the way back to the individual
computer terminal from which it originated, they really have almost no way of
conclusively determining who specifically was on that terminal and who actually launched the
attack. Unfortunately, Dr. Gaycken says, “Any certain attribution of location has to be
considered a systematic impossibility. Yet it is a necessary condition.”12
Some nations (e.g. China and Russia) are believed to practice this sort of activity regularly,
knowing they have plausible deniability and can claim they had no knowledge of the specific
attack, or that they didn't authorize or condone it. Instead, they blame it on an individual or
organization engaged in a criminal act, often living outside of that nation's borders, for which
they as the government cannot be held accountable.
For most cyberspace practitioners, this distinction between a criminal act and a state-sponsored
cyber attack is absolutely critical as it is the foundation for being able to legally respond via
accepted international norms. For criminals or actors intent upon conducting attacks via
cyberspace, the distinction matters very little and in fact, they often count on the attribution
ambiguity as a foundational requirement for conducting their nefarious activities.
Cyberspace is Inexpensive
While it may seem obvious, the barriers to entry for someone who wants to become an active
participant in cyberspace are pretty low. All that's required is an internet connection, an
interface device, and the technological know-how to conduct a cyber attack. Worse still, the
connection doesn't have to be physically wired and users don't even have to own it. For a few
hundred dollars, the cost of a laptop or tablet, one can go to a local coffee shop or bookstore,
connect to the local wireless network, and with the right skills and tools, instantly become a
significant cyber threat.
This is extremely problematic from both a national security perspective and a criminal
perspective in that, as described previously, attribution on the internet is difficult at
best. Additionally, there is ample information available via the internet to enable any willing
and determined individual, organization, or state to develop cyber weapons or cyber criminal
enterprises with impunity.
11 Ibid, pg. 2
12 Ibid, pg. 6
When one considers how much time and money have been invested in large weapon systems of
the past it becomes apparent that very few actors (state or otherwise) can afford to play in that
sandbox. Hundreds of billions of dollars and decades of research, development, testing, and
evaluation are required to develop and field the unique capabilities these weapons offer. They
are prohibitively expensive and slow to field yet, they provide an asymmetric advantage to
those who wield them. In that sense, cyberspace is the great equalizer.
It is much more cost-effective to combat a major military power like the U.S. via cyberspace
than it is to engage in the comparatively expensive task of engaging it force-on-force in the
physical world. For comparatively little investment, aggressors can affect strategic U.S.
interests both at home and abroad, by employing simple social engineering and/or spear
phishing techniques targeting U.S. military personnel or by writing malicious script and
inserting it into the industrial control system of a local power sub-station. The possibilities are
endless and most importantly, extremely inexpensive.
Due to the comparatively low costs and low barriers to entry in employing cyber weapons, both
state and non-state actors are much more likely to engage in warfare in this domain as opposed
to any other going forward. It is the only domain where they can be assured a relatively even
playing field. Of course, the current patch-and-fix, passive response paradigm the U.S. and
most of the world currently employs also goes a long way towards ceding the initiative to
aggressors and placing defenders at a distinct disadvantage.
Cyberspace is Ubiquitous
Unlike the physical domains, cyberspace is ubiquitous. At home and in the office, we
now leverage the most powerful computers in history to enable social media, real-time online
chat rooms, video-teleconferencing, 3-D imaging and a host of other technologies. We like to
surf the internet, shop online, view videos, download music, and collaborate in online forums.
Increasingly, we are able to manage our home appliances, home security systems, finances, our
cars, and utilities via wireless internet connections from almost anywhere.
On the go, we can barely operate without our cell phones, laptops, and tablets. Our critical
infrastructure is now almost exclusively dependent upon internet-enabled Supervisory Control
and Data Acquisition (SCADA) systems. Our cars can park themselves, and we've
developed vast, virtual worlds inhabited by millions of people who seek to live out a second life
via an endless array of contrived circumstances of their own choosing.13 Our banking systems,
traffic lights, medical records, and even medical equipment are now almost entirely web-
enabled. Indeed, the very fabric of our everyday lives and our societal institutions is now
inextricably tied to cyberspace.
Interestingly, of the known operational domains, cyberspace is the only one that not only
enables all the others, it actually shapes them as well. Just as our everyday lives are entrenched
in and dependent upon cyberspace, so too are the weapons, command and control systems, and
various other supporting functions used in the other domains, along with the tools used to create them.
13 Second Life
Many, like the stealth technologies of the B-2 bomber, the thrust-vectoring capabilities of the F-22
Raptor, and the capability to observe and kill targets anywhere on the globe resident within
modern unmanned aerial systems like the MQ-9 Reaper, owe their very creation to
technologies derived from cyberspace, and in nearly every case they can only operate
effectively when connected in some way to other tools within cyberspace (e.g. some
combination of non-resident servers, computer networks, satellites, etc.).
The tools and technologies developed and derived in and/or through cyberspace are shaping the
systems, employment doctrines, tactics, techniques, and procedures used inside all the other
domains. In other words, a quantum leap in processing speeds or data storage invariably
generates new, previously impossible capabilities and/or technologies which are then employed
throughout all the physical domains. Yet even a revolutionary change in one of the physical
domains does not necessarily equate to a similar change in the other domains.
Cyberspace has enabled the creation of a litany of new tools and technologies. Unfortunately, it
comes replete with a bevy of vulnerabilities that can be exploited by adversaries. That reality is
about to take society into vast, uncharted waters in which those vulnerabilities will become
even more pronounced unless actions are taken to prevent it.
Today, the internet connects between ten and fifteen billion devices, a figure representing less
than 1% of the things that could become connected.14 Experts suggest we are about to enter
a new information paradigm wholly rooted in cyberspace, known as the Internet of Things
(IoT), which will be followed shortly thereafter by the Internet of Everything (IoE). The rise of
these new versions of the internet represents not just evolutionary changes to cyberspace as we
currently know it. Rather, they portend revolutionary changes to how society will function in
the future, affecting the physical world in profound ways.
According to Michael Chui, Markus Löffler, and Roger Roberts of McKinsey and Company, a
global management consulting firm, the IoT can be described as...
“...the physical world itself is becoming a type of information system. In what’s called the Internet of Things,
sensors and actuators embedded in physical objects—from roadways to pacemakers—are linked through wired and
wireless networks, often using the same Internet Protocol (IP) that connects the Internet. These networks churn out
huge volumes of data that flow to computers for analysis. When objects can both sense the environment and
communicate, they become tools for understanding complexity and responding to it swiftly.” 15
According to Cisco's Chief Futurist, Dave Evans, “As things add capabilities like context
awareness, increased processing power, and energy independence, and as more people and new
types of information are connected, IoT becomes an Internet of Everything — a network of
networks where billions or even trillions of connections create unprecedented opportunities as
well as new risks.”16 In other words, the world is about to experience revolutionary changes
stemming from the development of cyberspace technologies.
14 Evans, Dave, Cisco White Paper on the IOE, pg. 2
15 The Internet of Things, McKinsey Quarterly, March 2010, Michael Chui, Markus Löffler, and Roger Roberts, http://www.mckinsey.com/insights/high_tech_telecoms_internet/the_internet_of_things
Evans expands on this vision, citing a future in which people themselves will become part of the
net. He suggests people will be able to swallow a pill that reports their medical status over
secure links, allowing for real-time medical monitoring and diagnosis. This data could be
plugged directly into a first-responder network, theoretically allowing medical services to be
rendered to patients prior to an imminent medical emergency like a heart attack or stroke.
Further, as the capabilities of things connected to the net increase, they will become
contextually aware, and will move away from reporting raw data to central processing stations
and towards developing and reporting higher-order information directly to other devices,
increasing the speed and quality of our decisions.
Evans posits that smart sensors will connect bridges, roads, and other critical infrastructure
to the net as well, allowing them to report any problems they may be experiencing immediately
so that repairs can be rendered before a disaster occurs.
From a security perspective, these technologies will continue to drive advances in virtually
every sphere of human endeavor and will be the engines behind sea changes in how we
conduct our lives in the coming decades. Fundamental shifts in the speed of transactions and
in access to information will be the order of the day, with far-reaching
consequences, some of which have yet to be imagined. This is a truly scary thing for anyone
practicing information security: while it may present substantial new opportunities to
improve our lives, it also introduces a new level of risk to the fast-evolving foundational backbone
of our societal institutions, the internet.
The Threat Landscape
In February of 2013,17 the cyber security firm Mandiant released a report that, for the first
time, publicly attributed significant cyber-criminal and corporate-espionage activities to the Chinese
government. The report detailed how one Chinese military unit, cited as a representative
sample of larger Chinese government cyber efforts, had “systematically stolen hundreds of
terabytes of data from at least 141 organizations...”.18 For many, Mandiant's findings served as
nothing more than confirmation of long-accepted suppositions, but it was a significant first step
in attempting to more accurately assess the scope of the threat landscape in cyberspace.
Broadly speaking, the cyber landscape consists of an array of threat actors, each employing their
own tool-kits or offensive capabilities. The most capable threat actors are usually peer-state
competitors like Russia and China who engage in cyber-espionage, either directly using state
resources, or indirectly by employing cyber-mercenaries. Nation states typically are better
resourced and better able to develop cutting-edge cyber capabilities than non-state actors.
However, increasingly non-state actors including terrorist organizations, private businesses, and
organized crime are systematically developing and employing cyber tactics to achieve their
objectives as well. Finally, we still see the more traditional, usually less capable, home-based
hacker or script-kiddie, who just wants to see what kind of chaos they can generate by defacing
a web page or implanting a virus in a seemingly impossible-to-hack network. It's the challenge
that motivates them more than the act.
16 Ibid, Evans, pg. 2
17 Mandiant Corporation Report, “APT 1: Exposing One of China’s Cyber Espionage Units”, February 2013,
intelreport.mandiant.com/Mandiant_APT1_Report.pdf
18 Ibid
Together, these threat actors represent a broad array of tactics and capabilities that in some cases
are even shared in a sort of off-the-books, black-market research and development program
whereby anyone and everyone works to improve or develop new zero-day attacks, thus
increasing the collective's capabilities. This open development forum is the fastest, most agile
method for developing new cyber tools, as it doesn't come with any oversight, restrictions, or
governmental or contractual impediments. It is yet another reason cyber attackers have such a
sizeable advantage over cyber defenders. In the U.S., there are multiple regulatory and
statutory impediments in place which slow the acquisition and fielding process, not the least of
which is the fact that most defenders, those in the corporate world, do not share their knowledge
of threats, vulnerabilities, and current and evolving cyber tactics with one another for fear that
proprietary information will be compromised.
Attacks in cyberspace can manifest themselves in a variety of ways. From distributed denial of
service (DDoS) attacks to Trojan horses, worms, and botnets, the tactics, techniques, and
procedures employed by cyberspace aggressors are varied and agile. Through news reporting
or perhaps even first-hand experience, we've all seen these attacks and how apparently
powerless cyberspace defenders are against them. From banking industry giants like Bank of
America, Wells Fargo, and Chase19 to insurance providers like TRICARE20 and Blue Cross Blue
Shield21, and retail superpowers like Target22 and Neiman Marcus23, seemingly nobody is
immune to the endless array of attack vectors and methodologies employed by nefarious
cyberspace actors.
19 Perry, Miranda, Is Your Money Safe? US Banks Hacked: Wells Fargo, Bank of America, U.S. Bank, Chase and Citigroup, September 27, 2012, http://www.scambook.com/blog/2012/09/middle-eastern-hamas-islamic-terrorists-hack-major-us-banks/. A series of DDoS attacks targeting the US banking industry in September of 2012. Experts assessed the attacks were up to 20 times larger than normally seen and twice as large as the previous record for a denial of service attack. The attacks originated in the Middle East and the Izz ad-Din al-Qassam Cyber Fighters, an Islamic hacker group associated with Hamas, claimed responsibility. US Senator Joe Lieberman, Chairman of the Senate’s Homeland Security Committee, suggested that Iran executed the assault as retaliation for US economic sanctions levied against Iran.
20 Ungerleider, Neal, Medical Cybercrime; the Next Frontier, August 15, 2012, http://www.fastcompany.com/3000470/medical-cybercrime-next-frontier. In 2011, electronic medical records for over 4.9 million TRICARE members entered the public sphere after one of their subcontractors lost a series of tapes housing the data. The tapes contained sensitive personal data such as clinical notes, laboratory test results, and prescriptions. To date, the TRICARE theft is believed to have been the single largest theft of American electronic medical records. It is still unknown what the long-term impact of the theft may be. TRICARE is the Defense Department's civilian healthcare program which services Armed Forces members, retirees, and their dependents.
21 Goldman, Jeff, Horizon Blue Cross Blue Shield Data Breach Affects 840,000, December 10, 2013, http://www.esecurityplanet.com/network-security/horizon-blue-cross-blue-shield-data-breach-affects-840000.html. This 2013 attack occurred in New Jersey and is believed to have resulted in the compromise of personal information of nearly 1 million clients. Information included names, addresses, birth dates, social security numbers, and some clinical information.
22 Wallace, Gregory, Target Credit Card Hack: What You Need to Know, http://money.cnn.com/2013/12/22/news/companies/target-credit-card-hack/, December 23, 2013. A major cyberattack on Target retail stores during the days leading up to Christmas 2013. The attack targeted the point-of-sale devices used to conduct in-store transactions and was enabled by malware inserted into the Target sales software, which quickly propagated across the Target network and ultimately resulted in over 40 million credit cards of Target customers being compromised, along with a second set of personally identifying information for an additional 70 million customers.
23 Brodkin, Jon, 1.1 Million Payment Cards Exposed To Malware In Neiman Marcus Hack, January 24, 2014, http://arstechnica.com/security/2014/01/1-1-million-payment-cards-exposed-to-malware-in-neiman-marcus-hack/. A data breach targeting Neiman Marcus customers extending from July until October of 2013. The breach is believed to have exposed as many as 1.1 million payment cards to malware, with some 2,400 cards used fraudulently as a result. The software is believed to have been a variant of that employed in the Target attack in December of 2013.
In the physical world, when a criminal robs a bank or a nation bombs another country, a clear,
unambiguous, kinetic event has taken place. More to the point, these kinetic events involve an
aggressor taking an active, physical action, which yields an unambiguous impact for which
there is no question as to the intent of the aggressor. The intent of dropping a bomb on a target
in another country is to affect that nation's behavior, with the ultimate goal of compelling the
defender to acquiesce to the will of the aggressor.
The initiation and employment of kinetic physical force against an adversary is considered an
active attack, and there are specific legal connotations associated with that attack as identified
within the United Nations Charter, the Hague and Geneva Conventions, and a multitude of other
vehicles for international governance and standards of behavior. These vehicles spell out
expressly what are acceptable actions and reactions in the face of an active attack, and most
nations abide by these legal constructs.
However, in the physical world it is often considered unacceptable to employ military force
against another nation unless certain specific criteria are met. Thus, a nation might employ
alternative, less destructive courses of action, like diplomacy or economic sanctions. Often,
however, diplomacy or economic sanctions do not yield the desired response, compelling
nations to apply additional pressure in the form of a 'show of force'. A prime example of a show
of force is the positioning of a carrier battle group off an enemy's coastline in an effort to
influence that enemy's behavior without literally committing an act of physical aggression.
While no kinetic action has been taken, the threat of one underpins that show of force. Since no
kinetic action has been taken, from a legal perspective in particular, a show of force does not
constitute an attack per se, but it most certainly sends a message. A show of force might be
considered a passive attack, a phenomenon more commonly referred to in statecraft by another
name: deterrence.
Merriam-Webster supports this position, defining deterrence as “the inhibition of criminal
behavior by fear especially of punishment or the maintenance of military power for the purpose
of discouraging attack.”24 Clearly there are subtleties associated with equating deterrence with
a passive attack, but in at least one sense, the idea of attempting to affect a nation's or even an
individual's behavior by threatening significant physical damage to that nation or individual is
applicable.
Regardless of what one calls it, the distinction between passive attacks and active attacks in the
physical world is extremely clear throughout the community of nations. It is a critical
distinction which serves as the fundamental premise behind all internationally accepted
standards of behavior and governance. In contemporary statecraft it is practically binary: an
action is either considered an attack or it is not. There is no ambiguity on
that point, and that is significant when one considers the legal landscape for what constitutes an
act of war and what does not, particularly in cyberspace.
24 Merriam-Webster online dictionary, http://www.merriam-webster.com/dictionary/deterrence.
In cyberspace, this kind of clarity does not exist. A passive attack in cyberspace is often defined
as an act designed to collect information or data on target networks and/or systems, the data
they house, the security methodologies and structures they employ, or the personnel who use
the systems, in order to provide indications and warning of a possible attack, identify
vulnerabilities for attack, or gain valuable insights into enemy intentions. In the physical
world, this is referred to as espionage; it is not prohibited by international law, even though it is
generally a crime under the domestic law of the state being spied upon.
But what if, in the course of conducting cyber-espionage operations, a nation implants an
otherwise benign script designed to track the data that traverses a network, which, under certain
circumstances, becomes weaponized and destroys the network permanently? Suddenly, a line has been
crossed from a legal act to an illegal act or even an act of war, yet no
additional physical action has been taken. Thus, implanting a script of that nature might be considered
tantamount to the Soviet Union pre-positioning nuclear weapons in Cuba in the early
1960s, an act the U.S. did not tolerate because the potential security repercussions were too
great.
It is this incongruity that represents the dilemma facing those attempting to develop global
cyberspace policy and governance standards. In the physical world, things are generally black
and white. An action is either deemed an attack or it's not, it's either legal or illegal, it's an act
of war or it's not. In cyberspace, none of these questions has been answered.
Legal Landscape
The legal canon and subsequent policy addressing these matters have developed and matured
over time and are used as the baseline of accepted norms for international commerce, law
enforcement, and national defense. In cyberspace however, these questions have yet to be
answered.
There are a multitude of key legal questions remaining before there will ever be widespread
adoption of cyberspace standards of behavior, accepted practices, or vehicles of governance.
Most stem from existing standards as codified within the UN Charter, the Hague and Geneva
Conventions, and other similar internationally accepted agreements.
The single biggest impediment to any successful work towards development of equivalent
cyberspace standards, is the lack of agreement on how and/or whether existing laws and
standards apply to cyberspace. For example, the concept of “timely response” is an
internationally accepted requirement for self-defense under the law of armed conflict and it is
also a critically important notion in terms of developing a national security policy grounded in
the tenets of deterrence.25
The inability of a defender to accurately attribute an attack to a specific entity in a timely
fashion places him on dubious legal ground as it pertains to his response options. Consequently,
it represents an equally problematic situation in terms of implementing an effective deterrence
strategy: if one is unable to identify the guilty party, how can one deter their actions?
25 United Nations Charter SITE SPECIFICS
According to Catherine Lotrionte, Associate Director of the Institute for Law, Science and
Global Security at Georgetown University, “Proving a link between non-state actors,
hacktivists, and the government may be difficult, impossible, or take too long to confirm in
order to provide legal authority to take swift action.”26 Not only does this mean that legal
standards of sufficiency may not be met in order to validate a response, but it also means it's
practically impossible to deter a cyber aggressor since a) they have no fear of being caught in
the first place and b) there is no internationally accepted legal standard governing the
boundaries of that response.
Lieutenant General Keith Alexander, former Commander of United States Cyber Command and
Director of the National Security Agency, explained during his confirmation testimony to the
Senate, “there is no international consensus on a precise definition of a use of force, in or out of
cyberspace. Consequently, individual nations may assert different definitions, and may apply
different thresholds for what constitutes a use of force.”27
Alexander's comments are accurate, and consequently the U.S. attempted to add some clarity to
the matter via the 2012 National Security Strategy, effectively stating that it reserves the right to
defend itself by whatever means necessary against whatever threats manifest themselves,
specifically including those in cyberspace. Although that position does not provide the
necessary legal foundation or clarity on the many contentious legal aspects of cyberspace, it
does send a clear message regarding the U.S. position on those matters: the U.S. is prepared to
respond to cyber threats in the same fashion and under the same rules which govern physical
attacks. Unfortunately, to date, the U.S. has failed to follow through on that stated position,
rendering any hope of deterrence ineffective.
In that context, Catherine Lotrionte explains, “While there is no clear statement in international
law that outlines legally acceptable or unacceptable cyber defensive actions, there are legal
principles and past state practice that establishes the right to counter a cyber attack as a valid
legal response to acts of aggression.”28 Unfortunately, under current international law, there are
a significant number of key areas requiring adjudication in terms of their applicability to
cyberspace.
As previously noted, the primary vehicles of governance used by the international community
today include the United Nations Charter, the Law of Armed Conflict (as derived from the
Hague and Geneva Conventions), and customary international law. All reflect some sort of
governance and articulate standards of acceptable behavior under specific circumstances in
order to ensure the stability of the global community of nations, but none address cyberspace
specifically.
26 Lotrionte, Catherine, “Active Defense for Cyber: A Legal Framework for Covert Counter Measures”, www.taiaglobal.com/wp-content/uploads/2012/02/Lotrionte.docx
27 Alexander, Lt Gen Keith, testimony to the Congress, confirmation hearings
28 Lotrionte, pg. 6
As an example, Article 2, section 4 of the UN Charter prohibits the “threat or use of force
against the territorial integrity or political independence of any state”.29 Additionally, Article 51 of
the Charter states, “nothing in the present Charter shall impair the inherent right of individual or
collective self-defence if an armed attack occurs against a Member of the United Nations.”30
At first glance, these two Articles would seem to provide adequate clarity, but in fact, from a
cyber perspective, they don't.
With respect to Article 2, there is disagreement as to whether a cyber attack or cyber intrusion
meets the threshold of “threat or use of force” as described by the Charter. Under normal
circumstances, an intrusion is categorically not considered an attack and thus would be
categorized as espionage, and consequently, a legal activity. However, as has already been
pointed out, the circumstances are somewhat different in cyberspace given the ambiguity in
defining a cyber attack and as a consequence of the potentially devastating impact of what may
initially be considered merely an intrusion but which can quickly become much more.
The matter that has not yet clearly been resolved is whether a passive intrusion into a system,
which may become weaponized if specific circumstances are realized, constitutes an attack or
harmful action. Stuxnet was undoubtedly an attack on Iran but what about all the other
countries in the world where the virus managed to propagate but never became weaponized?
The language of Article 51 is equally contentious. While Article 51 likely represents an
exception to Article 2's prohibition on the use of force, thereby allowing states to use force if
necessary to defend themselves, it does not address whether cyber attacks are equivalent to
armed attacks.
There is additional ambiguity as to whether a cyber intrusion or cyber crime meets the
threshold to be considered a “use or threat of force”, a matter further complicated by the blurred
lines between state-owned and privately contracted critical infrastructure services used by states.
The lack of accepted international standards as to what does and does not constitute a use of
force via cyberspace is thus extremely problematic.
The International Telecommunication Convention prohibits parties from harmfully interfering
with telecommunications, and the Agreement on the Prevention of Dangerous Military Activities
prohibits “harmful interference with the command and control systems of military opponents”,
but once again, neither defines specifically how a cyber intrusion, cyber espionage, or a cyber
attack might apply.31,32 Is an intrusion inherently harmful? What if it doesn't actually interfere
with anything?
29 United Nations Charter, Article 2, section 4.
30 United Nations Charter, Article 51.
31 The International Telecommunication Convention is the international agreement that established the need for, and the specific roles of, the International Telecommunication Union. First agreed in 1865, it saw periodic revisions until 1989, when a permanent constitution and convention were established. The Union currently meets every four years to discuss evolving international telecommunications issues.
32 Treaty between the United States and the Union of Soviet Socialist Republics, Agreement on the Prevention of Dangerous Military Activities, Moscow, June 12, 1989. Posted online at http://en.wikisource.org/wiki/Prevention_of_Dangerous_Military_Activities_Agreement.
In the Corfu Channel case, the International Court of Justice
(ICJ) held that a state has an “obligation not to allow knowingly its territory to be used for acts
contrary to the rights of other States”. Under international law, a state can be held responsible
for the acts of a third party — such as a terrorist organization — if it has at least
“indirect responsibility” for the actor and if the state refuses to stop sheltering the actor after
another state asks it to do so.33
While this would seemingly provide a suitable legal precedent to justify retaliation against a
state or non-state actor under the circumstances cited, once again, the finding does not address
whether a state can be considered culpable for a third party who uses the state's cyber
infrastructure, presumably from outside its borders, to conduct a cyber attack or intrusion
(whether the state does so knowingly or unwittingly). Moreover, it fails to specify whether a cyber intrusion,
which may or may not actually constitute an attack or a crime, is an “act contrary to the rights
of other States”.
Some feel the most prudent course is to view cyber actions specifically through the lens of the Law of
Armed Conflict (LOAC). Under LOAC, there are two parts of the law: jus ad bellum, the law
of conflict management, and jus in bello, the law of armed conflict. Jus ad bellum applies prior
to a conflict, while jus in bello governs behavior during a conflict (primarily governed by the
Hague and Geneva Conventions and customary international law).
But according to Kesan and Hayes there is still a measure of ambiguity: “In addition to
necessity and proportionality, self-defense under jus ad bellum also requires immediacy, though
the principle of immediacy is very broad under international law and would permit a response
to occur days or weeks after the initial attack.”34
Clearly, as this snapshot indicates, there are major issues within the international legal
landscape affecting states' decisions and willingness to engage in any sort of active cyber
defense strategy. While the U.S. has probably gone further than any nation in stipulating the
scope of potential responses to a cyber attack, there remains much work to be done in terms of
policy development.
The attribution problem has been a major hurdle in the development of standards of behavior
and operational norms within cyberspace. The ability to attribute responsibility for any given
cyber action to a specific actor with a relative degree of immediacy truly is a precursor for any
type of defensive or retaliatory action, and most certainly any sort of overarching defense
policy. From the perspective of building a cyber deterrence policy to protect our larger national
security interests, the attribution problem presents some distinct challenges but, just as it offers
opportunities to aggressors, it offers the same for defenders who are willing to act aggressively.
33 The Corfu Channel case was filed by the United Kingdom against Albania shortly after WWII ended in an effort to seek compensation for damages when British warships struck sea mines in Albanian waters in October of 1946. The case was decided by the International Court of Justice in 1949, which ordered Albania to pay the UK £843,947 in compensation. The significance of the case in a cyberspace sense is that it established a minimum threshold for assigning culpability for actions taking place within the borders/territorial waters of any given state. The court ruled that if the preponderance of evidence suggests that a nation was aware its land/waters were used in the course of conducting an attack against another nation, it is accountable for providing compensation to the aggrieved. Thus, it is germane to the attribution problem discussion.
34 Jay P. Kesan, Carol M. Hayes, “Mitigative Counterstriking: Self-Defense and Deterrence in Cyberspace”, Illinois Program in Law, Behavior and Social Science Research Paper No. LBSS11-18, Illinois Public Law and Legal Theory Research Paper No. 10-35
Who's In Charge Around Here?
The question of responsibility for administering cyber security in the U.S. to date has been
grounded principally along the lines of traditional governmental stovepipes. From an
administrative perspective, this makes perfect sense and works relatively well within the
confines of an organized government where the lines of responsibility are clear and functionally
distinct.
Thus from a U.S. government perspective, if there is a criminal matter to be dealt with, the
Department of Justice has lead, if it's a defense issue, the Department of Defense has primacy,
and so on. The problem, as noted previously, is that cyberspace is ubiquitous. Consequently, it
cuts across organizational, jurisdictional, and functional lines of government, industry, and the
private sector.
Even if it was possible to assign responsibility for administering the security of U.S. cyberspace
to a single agency or department, there would still be significant cultural, organizational, legal,
and privacy impediments to being able to operationalize that responsibility. Aside from the lack
of standardized hardware, software, data standards, and storage protocols, each entity uses
cyberspace in unique ways and has different requirements.
They all use different data for different things and they each develop their own policies,
standards, and best practices in order to ensure they are getting the most out of their cyberspace
presence. Consequently, any effort to place all these issues under one umbrella is doomed from
the onset. If it ever was attainable, the proverbial genie has surely escaped from the bottle by
now and barring a radical reinterpretation of the Constitution, that is unlikely to change.
As figure 1-1 shows, cyber security in the U.S. is currently a federated effort of pseudo-
connected and marginally collaborative efforts to secure specific parts of cyberspace. As
configured, it is rife with potential holes, competing interests, and often divergent agendas.
Figure 1-1. This graphic depicts the various stake-holders just within US cyberspace. Given this, one can only begin to imagine the complexities involved with attempting to develop global cyber-security standards of behavior and rules of governance.35
35 National Cybersecurity Policy Capture, http://www.whitehouse.gov/files/documents/cyber/CybersecurityCentersGraphic.pdf
Many feel the Department of Homeland Security (DHS) should ultimately be responsible for
U.S. cyber-security efforts and should serve as the overarching, strategic coordinator and
policy-making entity. Unfortunately, DHS is not well-equipped to do that from either a
manpower or an authorities perspective.
DHS still suffers from the impact of its formation in the wake of the 9/11 attacks in which
dozens of previously distinct agencies and cultures were haphazardly thrown together under the
DHS umbrella and tasked to become one uniform department. Needless to say, there were a
multitude of impediments to achieving that end state.
While progress has been made since its formation, DHS still struggles with its identity and its
mandate. Thus, an agency that was formed to meet challenges stemming from an entirely
different threat (e.g. terrorism) and consisting of disparate parts, none of which included
expertise in cyber-security, finds itself today with a broad swath of responsibilities, including
cyber-security oversight of non-DOD government networks and systems. While portions of the
department have a legacy of capability (e.g. FEMA, Immigration and Customs, etc.) others like
the U.S. Computer Emergency Response Team (aka U.S. CERT), find themselves lacking
enough skilled cyber experts to meet their mandate.
Moreover, DHS is a government agency and is not currently responsible for maintaining a
cyber-security program to protect private companies. Private industry in the U.S. is responsible
for protecting itself. This is another manifestation of an ongoing argument whereby
private industry calls for government protections but is not willing to allow the sort of
transparency needed for the government to be involved, citing concerns over their intellectual
property and civil liberties.
In cyberspace, a resolution on this matter is required before effective, coordinated cyber
security efforts can be implemented. This does not mean that one party or the other must be
given sole authority for cyber security, but it does mean that effective cooperative efforts and
rules must be developed and implemented.
Some think the military should be responsible for being the lead coordinating agency over U.S.
cyber efforts, often citing the fact that DOD, compared to other Federal departments, has the
most resources and expertise within the domain. While that may be true, here too there are a
number of problems, not the least of which is the legal prohibition on Federal military personnel
engaging in law enforcement activities not subordinate to the Department of Justice as defined
in the Posse Comitatus Act in Title 18 of the U.S. Code.36
That of course raises the question as to whether these cyber attacks, be they active or passive in
nature, constitute criminal acts or not. This necessarily leads us back to the problems associated
with defining which specific cyber acts constitute criminal acts, espionage, acts of war, or any
other specified type of action, and under what specific circumstances and criteria these
characterizations then apply.
36 The Posse Comitatus Act, as reflected under Title 18 of the U.S. Code, expressly prohibits Federal U.S. military personnel from serving in any way to enforce State laws. The National Guard is exempt from this while serving in a State capacity, as is the U.S. Coast Guard, which has a dual mandate to enforce U.S. maritime law.
Under the current legal paradigm, a cyber act deemed a criminal act would fall under the
purview of the Department of Justice. But what if that criminal act involves hacking the
Industrial Control System of a private utility sub-station which provides power to a nearby
military installation resulting in rendering that installation incapable of conducting its mission?
All legal issues aside, there is another reason the military is not a good choice to oversee our
collective national cyber presence. The military tends to tackle problems using a very “inside-
the-box” approach. It is extremely risk-averse, particularly in today's fiscally constrained
environment, and it tends to move very cautiously and deliberately in almost everything it does.
The combination of being risk-averse and slow to react simply does not work in cyberspace.
Cyberspace evolves rapidly, in unpredictable ways, and does not lend itself to this approach.
Cyberspace requires a sea change in how the military fundamentally approaches its business
and sea changes are not what define the military.
Worse still, cyber education and more importantly, educated cyber leaders, are practically non-
existent in the military. Most senior military leaders have no formal instruction as to the
capabilities, traits, or operational nuances of cyberspace. Furthermore, they don't understand
the doctrine and how cyber capabilities should work in an integrated fashion across all domains
as both a force multiplier and as an enabler. They approach these critical leadership posts by
applying their existing knowledge and frames of reference to this decidedly foreign domain—
knowledge and experience that are at best obsolete, and at worst, counterproductive.
Most military leaders can quickly assess and understand critical information when they see it on
a battlefield map. They can observe the disposition of various facets of a battlefield, from
troops and weapons, to terrain features, lines of communication, and supply and distribution
networks. They can almost instantly draw conclusions and make corresponding operational
decisions based on that information. They are able to do this based on their years of training,
their personal knowledge of the things they see on the battlefield, and how those things relate to
the battlefield environment. Those intuitive capabilities however, are not in their repertoire
when it comes to cyberspace.
Today's military leaders didn't grow up with cyberspace as an operational domain. They weren't
trained in it, they can't tell you what the significance of any given cyber asset is to an impending
operational action, nor can they tell you how one cyber asset might affect another, or how
those assets might affect the larger operational environment.
Most military leaders lack the fundamental understanding that cyberspace is inherently different
than the physical world in ways that can have a profound impact on traditional decision cycles,
military doctrines, planning methodologies, and force employment models. The rules of battle
our senior military leaders grew up with simply don't apply anymore and they are not at this
point being adequately prepared to fight wars in this domain.
This is not to say that none of the current military cyberspace leadership understand the problems
the domain presents. In a recent public forum in Colorado Springs, CO, General William
Shelton, the Commander of Air Force Space Command, the functional command which owns
Air Force Cyberspace efforts, commented: “First and foremost, we are still grappling with
defining cyberspace in a way that's effective and promotes understanding across the Air Force.
Our actual working definition is still evolving as we gain more operational experience and
understanding.”37
His comments reflect the understanding that cyberspace is fundamentally different and that
there is still a gap within military circles when it comes to understanding what those
differences portend in a number of areas. While it is disturbing that the Air Force, and
truthfully all of DOD, is still grappling with something as seemingly simple as defining the
domain, in terms of developing any sort of useful capability within the domain, this is a
necessary first step.
For any organization intent upon presenting an operational capability, it is essential that
objectives, scope, and core capabilities be identified and defined so that corresponding training,
career paths, operational standards, and execution doctrines can be developed and sustained
over the long term. Unfortunately, the idea of building a capability around a known and
enduring “given” like an operational domain, is problematic because as noted previously, while
the physical domains don't inherently change, cyberspace does. Thus, as we are seeing
regularly play out, military cyber doctrine is being developed and found to be obsolete by the
time it reaches the implementation phase.
General Shelton clearly has a better understanding of the enormity and complexity of the
challenges facing the nation in cyberspace than do most military leaders. He has on a number
of occasions spoken to the various facets of cyberspace that present challenges to the Air Force.
These include the scope of our focus in cyberspace, the implications for Title 10/50 authorities,
and the need to provide cyberspace mission assurance.
According to Shelton, "Cyber capability has developed over the past 40 to 50 years in a
relatively benign, permissive environment, but it's no longer a very benign operating domain.
Now we face a continuously changing landscape of threats, adversaries, and technologies. The
cost of entry is low, anonymity is high, and attribution is difficult at best."38
So while it is good that a few key military leaders like General Shelton and General Alexander
seem to appreciate the nuances the cyber domain presents, they SHOULD understand it; they're
in command of the cyber forces. The real problem is educating those who are not cyber
commanders, and that is a challenge that at present is not being taken seriously, at least not via
formal military professional development curricula.
As of 2014, none of the major U.S. war colleges offered a significant block of instruction on
cyber warfare. The National Defense University in Washington D.C. attempted to get a cyber
education program off the ground in the early 2000s but it was subsequently downsized and
currently only consists of a few elective courses. The remaining service schools offered a
similar smattering of elective courses addressing cyber warfare but not expressly focused on it.
Thus, for many reasons, the military would not seem to be an appropriate choice. In truth, there
very likely is not any single organization or agency that should lead our national cyber efforts.
It is a federated community of highly diverse users, each of whom has unique requirements and
equities in how cyberspace is administered.
37 Dillon, AFSPC Commander Speaks Out, Air Force Print News Today,
http://www.afspc.af.mil/news1/story_print.asp?id=123321958, 10/12/2012
38 Ibid, Dillon.
Consequently, recent efforts in the U.S. have focused on attempting to gather the disparate
stakeholders into a unified, mutually supportive and broadly collaborative collective in an effort
to better secure the domain from the many vulnerabilities and threats affecting them all. This
approach, while it may be highly inefficient and painstakingly slow to act in any meaningful
way, is likely the best approach, and the only approach short of critical Constitutional revisions
that is likely to move the process forward in any way.
THE CURRENT CYBER SECURITY PARADIGM
The current cyber security paradigm is an interesting composite of largely enterprise responses
developed and disseminated in response to known cyber incursions. Companies like Symantec,
Norton, Avast, and Kaspersky, along with Microsoft and Android, specialize in identifying
malicious code and building anti-virus, firewall, intrusion protection, and a host of other
defensive software applications to try and minimize their customers' exposure to cyber threats
and to help repair the damage should they be exposed.
The problem is, as discussed earlier, that the threats are evolving at an incredible rate, a rate far
too fast for companies to keep up with, assuming they are even able to identify that a particular
threat exists. While most viruses and malware are relatively simple in design and are often
easily detected and blocked, the fact remains that it only takes one to get through the vast array
of defenses designed to stop them for catastrophic damage to occur to the target. The more
complex and sophisticated scripts have a much higher chance of success, can often cause much
more damage, or may go undetected on a target system for years, all the while reporting
personal or otherwise sensitive information back to their creators.
A 2011 study entitled, Analyzing the Effectiveness of Web-based Firewalls39, showed that when
tested essentially out of the box but configured by an expert, firewalls on the whole were only
successful at detecting and defending against a web-based attack 62% of the time. The test
further revealed that on their own and tested out of the box, “IPS solutions...were not very
effective at defending them during this test.”
A second test in the study was conducted using WAFs and IPS solutions paired with Dynamic
Application Security Testing (DAST) generated filters. DAST tools perform automated web
application vulnerability scans, thus improving the sensitivity and effectiveness of WAFs and
IPS solutions. When tested with DAST filters, “the IPS solutions improved by an average of
60% bringing up their performance at-par or better than the trained/configured WAFs; with their
overall blocking effectiveness averaging 82%...supported WAF’s that were tuned with DAST
solution improved an average of 19% from their baseline tuned state.”
Clearly, even this relatively advanced use of common cybersecurity applications yielded some
unsettling results. The results to be expected from an average user who doesn't really have the
technical expertise to properly tune these systems would no doubt be substantially less effective
still. If nothing else, the results are representative of the many studies yielding similar results.
39 Suto, Larry, Analyzing the Effectiveness of Web Application Firewalls, November 2011.
http://www.ntobjectives.com/files/Analyzing-the-Effectiveness-of-Web-Application-Firewalls.pdf
On the whole, these kinds of tests validate the now pervasive idea that firewalls and IPSs alone
are not good enough, particularly when it comes to national security, intellectual property
protection, and personally sensitive information like medical and banking records.
The current patch-and-respond mentality inherently cedes the advantage to the attacker by
allowing him to choose the time, place, means, and specific avenue of attack. Even if defensive
suites were effective 99.9% of the time, which as has been noted, they emphatically are not,
thousands of threats would still be successful in infiltrating their respective targets. Worse yet,
this paradigm presents no inherent risk to an attacker other than potential attribution of their
actions, but even then, there are no meaningful consequences tied to those actions.
The almost exclusively defensive strategy currently employed within the cyber security
landscape is often limited in depth, breadth and/or complexity and is all too often, only
employed in piecemeal fashion, using antiquated or outdated countermeasures. The results, as
we see almost daily in the press, are self-evident.
Defense-In-Depth
To compensate, modern security practitioners have evolved to employ two broader security
concepts in tandem in the hope they can minimize both their vulnerability to, and the impact of,
cyber attacks. The first concept is defense-in-depth.
Defense-in-depth is a military principle developed during the Cold War. The central idea
involved the coordinated use of multiple layers of defense in order to make it more difficult for
an enemy to breach a central barrier or target, in this case, Western Europe. Its ultimate
objective was to buy time enough for vastly outnumbered allied forces to reposition themselves
in order to counterattack against a Soviet incursion into Western Europe.
In a cyber security context, defense-in-depth essentially means the coordinated use of multiple
unique security measures (e.g. firewalls, information security protocols, intrusion protection
systems, common access cards, etc.) employed in a mutually supportive manner to protect the
integrity of the data, network, or system components.
Again, the intent is to require an enemy to develop a means to penetrate each layer of defense
thus making it more labor and time intensive, and ultimately more expensive, rendering the
potential rewards not worth the risk. It is however, in the area of risk, that cyber security
practitioners have strayed from the original defense-in-depth formula, omitting a very important
facet: the counter-attack.
In the original construct, defense-in-depth was designed to slow the enemy advance, buying
additional time for friendly forces to arrive and position themselves for an all-important
counter-attack. In the cyber-security context, there is no counter-attack and consequently, there
is little to no risk for the attacker. All the additional time buys a defender is a better chance of
being able to thwart any given attack. It does nothing to dissuade further attacks. Thus, in the
long run, in cyberspace, so long as an aggressor is willing to be patient, he will eventually
breach his target.
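The argument above can be written out as a simple probability model; this is an added illustration, not a model from the paper. Assume $k$ independent defensive layers, the $i$-th of which blocks a given attempt with probability $q_i$, and an attacker who makes $n$ independent attempts and bears no consequence for a failed one (all of these are assumptions of the illustration):

$$
P_{\text{breach}} \;=\; \prod_{i=1}^{k}\,(1 - q_i),
\qquad
P(\text{at least one breach in } n \text{ attempts}) \;=\; 1 - \bigl(1 - P_{\text{breach}}\bigr)^{n}
\;\xrightarrow{\;n \to \infty\;}\; 1 .
$$

Adding layers shrinks $P_{\text{breach}}$ and raises the expected number of attempts the attacker must make, $1/P_{\text{breach}}$, which is the "time and labor" that defense-in-depth buys; nothing in the expression penalizes the $n-1$ failed attempts, which is the missing counter-attack term the paragraph describes.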
Defense-in-depth may be more effective in combating cyber-crime as opposed to attacks on
national security interests. Typically, criminals will eschew a more difficult or heavily defended
target for an easier, less well defended target simply because there are so many alternative, less
risky targets. In other words, why break into a house with a security system, guard dogs, and a
gun owner, if they can just break into an adjacent house that has nothing more than window and
door locks?
However, when it comes to highly professional criminals and more significantly, national
security concerns, the adversaries tend to be more dedicated and deliberate in their efforts to
breach a specific objective. They are willing to spend as long as it takes. This is known as the
advanced persistent threat (APT) and it is one of the primary reasons why defense-in-depth
fails.
Prescott Small, in a 2012 SANS Institute white paper, drew an interesting and poignant
conclusion regarding defense-in-depth stating,
“Considering the decades of implementation of Defense in Depth in Information Security and
how the 'strategy' has evolved in Information Technology the evidence should show a steady
decrease in the number of successful attacks around the globe as Defense-in-Depth matures.
The simple fact is that even though Defense-in-Depth is the predominant practice, those
successful attacks are increasing. The ability to stop all network penetrations is essentially
impossible. No matter what actions are taken an attacker will penetrate every network at some
point.”40
According to Small, “Defense-in Depth was adopted as the strategy long before the current
risks were understood.” He suggests that today's cyber attackers have access to the same
information and tools, in truth even more, than net defenders. This is a consequence in part of
the very lucrative black market that exists for developing these cyber tools and in part, of the
inherently slow pace at which industry and/or government adopts new tools compliant with
existing standards. In some cases, new tools require development of entirely new protocols thus
further delaying implementation. Advantage, attackers.
Graceful Degradation
The second security practice that pervades the cyber security world is graceful degradation.
Graceful degradation has been around since the early 1960s and has been engineered into most
electronic networks since that time. It acknowledges the limitations of a defensive approach to
cyber security by admitting to the inability of current security measures to prevent attacks. It
essentially calls for the ability of a computer, system, or network, to maintain some degree of
functionality even when under attack or in the case of damage to the system.
The ultimate objective of graceful degradation is to avoid a catastrophic failure of the system
along with any capabilities that may have been dependent upon that system. Obviously, there is
great utility in having this feature built into systems which may become engaged in high-risk
activities or become the targets of nefarious actors, like those employed by the military or in
critical infrastructures and industries.
40 Small, Prescott. Defense-in-Depth: An Impractical Strategy for A Sustained Cyber Siege, SANS Institute, pg. 7, 2012.
In the end however, the coupling of defense-in-depth with graceful degradation does not
fundamentally change the calculus of cyber security. It remains almost exclusively a passive
defensive approach and thus, it is inherently ineffective. Moreover, from a military perspective,
it is entirely inconsistent with historically effective dogma and doctrine.
Frederick the Great, the legendary Prussian General of the 19th Century, is often credited with
saying, “He who defends everything, defends nothing.” While the attribution of this comment is
arguable, (some attribute it to Sun Tzu), the truth of it certainly is not. Cyberspace is huge and
growing at an incomprehensible rate. There are a limited number of people, agencies, or
entities with enough technical prowess to navigate it with impunity, and the rest of us are left to
navigate an increasingly vast cyber jungle in which we are ill-equipped to survive.
From the perspective of an attacker, cyberspace represents opportunity. They can carefully
probe, test, and collect against potential targets at their leisure, on their terms. When they
decide the time is right, they can launch their attack(s). Nowhere in the equation is there a
consideration of what might happen to them if their attack(s) fail. Why?
Because they don't need to worry about it. The attribution problem coupled with existing law
provides bad actors with a safe haven from which to operate. Generally speaking, skilled cyber
criminals and/or state actors, are smart enough and careful enough to cover their tracks and not
get caught by an agency with the authority to put them out of business.
No nation today sanctions an active cyber defense policy fearing it may open up a Pandora's
Box of cyber chaos. The community of nations concedes that the cyber threat landscape today
is ugly but they fear how much more ugly it could get if nations or private actors decide to
strike back at attackers, or worse, to launch pre-emptive attacks. Moreover, they fear they will
become alienated from the global community if they take unilateral actions to respond to a
cyber attack by striking back at an innocent third-party whose network may have unwittingly
been used in the course of an attack.
Consequently, attackers can do their bidding repeatedly and without concern of punitive
measures that might make the costs of this behavior exceed the potential value to be gained
from engaging in it. To succeed, they just need to be patient and persistent and generally
speaking, they only need to out-smart the defender once to succeed in attaining their objective.
Defenders, on the other hand, must defend billions of internet access points and millions of
attack methods and vectors with 100% accuracy, for 365 days of the year, 24 hours a day, seven
days a week, in order to prevent a successful attack. This is of course, an unsustainable
defensive posture even under ideal circumstances, and current circumstances are anything but
ideal.
In order for the existing defense paradigm to be even theoretically possible, defenders would
need to have access to defensive tools that are at least as advanced, if not more so, than the
attackers. They would also need to have perfect knowledge of the exact timing, means of
attack, and targets of an attacker in order to thwart 100% of all attacks.
Suffice to say, perfect knowledge in cyberspace does not exist. We have yet to even achieve
perfect knowledge of the physical battlespace, and cyberspace is an infinitely more complex
challenge than the physical world. There are too many threats and too many vulnerabilities for
anyone or anything to track and defeat them all. Even something as ostensibly simple as a
common operational picture (COP) of the physical battlespace has been problematic to date.
A COP is simply a map or graphical depiction of the relevant factors and assets affecting any
given organization’s mission. It’s intended to provide awareness of key variables in the
battlespace thereby potentially improving the owning agency’s ability to operate successfully
within that space. It allows commanders to make more informed decisions because they can
literally see the battlespace in a comprehensive fashion. Commanders can then leverage their
training and experience to better understand the operational implications of what they see on the
COP. Theoretically, this enables them to better manage their forces and their mission. In very
simple terms, a COP operated by an army might depict its own forces’ location, strength, and
movements, as well as enemy forces and key infrastructures and objectives. Conversely, they
might choose not to depict the location of prisons and baby-food factories, deeming them
irrelevant to their mission and ability to operate.
The military services each have unique requirements for what they prefer to depict on their
respective COPs. They have unique preferences for how often data is collected and refreshed,
what symbology is employed, and what specific data are displayed. Similarly, other agencies
like DHS, FEMA, or the FBI each have their own COPs, each with unique requirements. The
fact that there are so many different COPs inherently belies the name. Thus, achieving a
common operational picture of the much more ambiguous cyber battlespace is quite likely a
challenge that is, at best, something that will only be achieved in the distant future, if ever.
The only real hope for a defender is that the attacker will choose not to attack him at all or will
break-off initial attack efforts in favor of a less heavily defended target, which is why defense-
in-depth is so prevalent. Still, if an attacker is committed to hacking a specific target, and they
are suitably patient, they will succeed—it's just a matter of when.
The multitude of stakeholders within cyberspace generally employ their own cyber-security
professionals, have their own threat databases, and have gleaned their own unique knowledge
on a vast array of threats. Most importantly, they do not always believe it to be in their best
interest to disclose that information to the rest of the world. Sometimes it would reveal a
vulnerability within their networks; sometimes it reveals some other sort of information or a
capability they'd rather not make available to the general public. In some cases, they don’t
necessarily think it’s a bad thing if their competitors get hacked and their intellectual property
is stolen.
Consequently, certain attack vectors or scripts may be used repeatedly around the world without
anyone sharing the information on the attack specifics. Thus, those attacks will work repeatedly
against different targets until discovered by one of the larger cyber-security companies and a
broadly distributed defensive patch is developed. Imagine this scenario playing out time and
time again, around the world, over the course of decades.
In a general sense, agencies like the Department of Defense, who maintain a massive cyber-
security apparatus, could potentially go years without gaining knowledge of multiple specific
threats and subsequently, they would remain vulnerable to those threats. Worse, most, if not all,
federal agencies today maintain such a diverse cyber landscape internal to their own
organizations, that they find it difficult, if not impossible, to achieve perfect knowledge of even
their own cyber architectures. Many systems are older, legacy systems which may or may not
communicate with more modern systems, or they exist in a vacuum, not connected to any
broader architectures, thus requiring their own defensive apparatus which may not share any
data at all with the rest of the agency.
According to Lieutenant General Keith Alexander, former Commander of U.S. Cyber
Command and the NSA, DOD maintains over 15,000 distinct computing enclaves and over 7
million computing devices in installations around the world.41 Many of these enclaves are not
networked such that they can depict their current operational status in real-time as a portion of
a common operational picture. The point being, it's pretty hard to defend yourself if you don't
have the ability to see yourself in your entirety.
This exact phenomenon is occurring to varying degrees in the U.S. and around the world today.
Although there are ongoing initiatives to encourage and facilitate a more comprehensive
information sharing environment, most notably the Joint Information Environment (JIE), a U.S.
government and private-sector collaboration aimed at sharing threat data and standardizing
many of the information standards across the public and private sectors, the reality is that JIE is
not mandatory. Consequently, like any good chain, it's only as strong as its weakest link.
The same could be true when arguing the merits of global cyber security standards. Even if the
U.S. were to successfully build a collaborative, robust, and thriving data sharing environment,
U.S. stakeholders do not exist in a vacuum. Many U.S. companies are global enterprises that
routinely share data around the world with foreign subsidiaries, partners, and nations that
would not operate under the same standards. Those interactions represent an obvious weak link
in the chain.
What is needed is a game-changer, at least from a U.S. cyber security perspective. Something
that will at least give defenders a fair chance to turn the tables on the attackers and increase
their costs of doing business. Fortunately, that game-changer already exists. What is required
now is the willingness to use it. It's called deterrence and it has a long history in the United
States.
Are You MAD? A Quick Review of U.S. Deterrence Policy in the 20th Century
U.S. deterrence policy, principally grounded in the idea of assured destruction, was developed
in the wake of World War II and the rise of the nuclear age. Two competing super powers, the
United States and the Soviet Union, emerged at the end of the war and became engaged in a
nuclear arms race that would become a decades-long Cold War in which proxy wars and
political maneuvering became the order of the day.
One of the earliest examples of U.S. deterrence took shape in the form of 1947's Berlin Airlift.
The operation, which challenged Soviet aggression aimed at cutting off Berlin from the western
allies and buttressed by the U.S. nuclear monopoly at the time, was one of the first overt uses of
a nuclear deterrent tactic employed by the U.S. The relative nuclear advantage the U.S. enjoyed
at that time quickly dissipated as the Soviets developed their own nuclear weapon by 1949,
leveling the playing field to an extent and forcing both nations to enter into a race for nuclear
supremacy.
41 Strategic Defence Intelligence, Pentagon Developing Cyber Rules of Engagement, Insight. March 22, 2012.
http://www.strategicdefenceintelligence.com/article/QV1XW73rSrs/2012/03/22/insight_pentagon_developing_cyber_rules_of_engagement/
It wasn't until the Kennedy administration in the early 1960s that we saw the first notion of a
national security policy grounded in the ideas of deterrence and assured destruction. First
articulated by the RAND Corporation's John Von Neumann in a defense study commissioned by
Secretary of Defense Robert McNamara, the idea von Neumann proposed was called Mutual
Assured Destruction or MAD. MAD essentially posited that so long as a nuclear balance exists
and each superpower is capable of completely annihilating the other, along with the rest of the
world, neither nation would be likely to engage in a direct conflict with the other. The risks
were simply too great.
Although the idea was first developed under President Kennedy, it could certainly be argued
that President Eisenhower really set the stage in the late 1950s as he attempted to divest the
U.S. of the vast military machine it had built up during WWII. Eisenhower wanted to cut
defense spending, making it more commensurate with a post-war world, while maintaining a
cost-effective defense posture, and he saw nuclear weapons as the way to do it.
As Charles Fairbanks, a former policy advisor to Presidents Reagan and Bush, pointed out in a
2004 work for the Strategic Studies Institute, “With Eisenhower’s New Look defense posture,
there was an almost exclusive reliance on nuclear weapons...America’s strategic doctrine had to
catch up with these rapid changes...and, it was only after President Kennedy entered office that
the implications of RAND’s thinking adequately worked out.”42
Although many inside the Defense Department were enthusiastic about building a new strategic
arsenal of nuclear weapons, and a defense policy that rested heavily upon it, not everyone was
sold on the idea. Several high-ranking members of the military services and the Office of the
Secretary of Defense, including Robert McNamara himself, were not convinced of the efficacy
of MAD. They still held to a more conventional approach to defense and saw a need to
build a new conventional weapons arsenal grounded in a traditional, conventional defense
policy, one that allowed for a more flexible response model with a broader continuum of
defensive response mechanisms rather than the all-or-nothing model represented by MAD.
McNamara had voiced his concerns about the emerging predilection for a MAD-based deterrent
policy, having advocated a more “graduated response” alternative. His speeches in 1962, first to
the NATO Ministerial and then later that year to his alma mater, the University of Michigan,
called for a unified nuclear force between the NATO allies and for a substantially increased
conventional force to be provided largely by the Europeans. This approach was met with
resistance, primarily from the Europeans who feared (a) the costs associated with building up
their conventional forces such that they could effectively deter the Soviets, and (b) the U.S.
commitment to using nuclear weapons to defend against a Soviet conventional incursion into
Europe. Moreover, they were concerned that the preponderance of damage, should such an
incursion occur, would once again fall on the European continent.
42 Sokolski, Henry, “Getting MAD: Nuclear Mutual Assured Destruction, Its Origins And Practice”, Chapter 4, MAD and U.S.
Strategy, Fairbanks, Charles H., Jr, Strategic Studies Institute and the Nonproliferation Policy Education Center, November 2004 pg. 146
According to Fairbanks, “Throughout this period, from the late 1950s through the early 1960s,
ideas about nuclear deterrents were very much in flux. The idea of minimum deterrence or finite
deterrence, by which nations would need only develop a small invulnerable nuclear force aimed
at an opponent’s population centers, was put into circulation by the French and the U.S.
Navy.”43 Ultimately, the immense costs associated with building the conventional forces
necessary to execute a flexible response defense posture caused the Defense Department to
adopt MAD as more of a de facto position rather than a formal policy. Interestingly, according
to Fairbanks, “Through the 1960s, the Defense Department and successive presidential
administrations allowed mutually assured destruction (MAD) to be perceived as strategic
doctrine...However, MAD never became, in practice, America’s strategic doctrine.”44
It could be argued that it was exactly that sort of ambiguity regarding the precise nature of U.S.
defense policy that helped add just the right measure of uncertainty into Soviet foreign policy
and security calculations. Although the Soviets understood American defense leaders and
defense policy, MAD left just enough to the imagination that it prevented the Soviets from
ever undertaking action that might elicit a nuclear response from the U.S. In that sense, it
cannot be overstated how significant President Kennedy's handling of the Cuban Missile Crisis
turned out to be.
His stalwart position and apparent willingness to stare down the Soviets, up to the point of
potentially using nuclear weapons to stop them from delivering any further materials to the
island nation, bought the U.S. a tremendous amount of credibility. It was this perception of
commitment to MAD that won the day for Kennedy and which subsequent administrations
parlayed into victory in the Cold War.
Whether MAD was ever formally adopted or not, by 1967, McNamara and the U.S. had clearly
committed to a nuclear deterrence policy based on the tenets of MAD as these comments from a
1967 speech unambiguously reflected...
“The cornerstone of our strategic policy continues to be to deter nuclear attack upon the United
States or its allies. We do this by maintaining a highly reliable ability to inflict unacceptable damage
upon any single aggressor or combination of aggressors at any time during the course of a strategic
nuclear exchange, even after absorbing a surprise first strike.”
“It is important to understand that assured destruction is the very essence of the whole deterrence
concept. We must possess an actual assured-destruction capability, and that capability also must be
credible. The point is that a potential aggressor must believe that our assured-destruction capability
is in fact actual, and that our will to use it in retaliation to an attack is in fact unwavering.”45
For all its associated baggage, MAD ultimately worked. It worked because there was a mutual
understanding that neither side could hope to survive a full-scale nuclear exchange. The abject
fear of total annihilation had a regulating effect on relations between the Superpowers, all but
ensuring that while there would be political brinksmanship, espionage, and proxy wars, there
would never be full-scale nuclear war. Over time, it became apparent that unless there was a
major technological breakthrough that could upset the balance of the nuclear equation, nothing
was going to change.
43 Ibid, pg. 138
44 Sokolski, pg. 137
45 Mutual Deterrence Speech by SecDEF McNamara, Sept 18 1967, San Francisco, CA,
http://www.atomicarchive.com/Docs/Deterrence/Deterrence.shtml
In 1983 such a breakthrough occurred in the form of the Strategic Defense Initiative (SDI) a.k.a.
the Star Wars missile defense system. Star Wars was a game-changer in that it ostensibly
allowed the U.S. to intercept a Soviet nuclear first-strike using space-based lasers. The system
was never fielded and was never even close to meeting its advertised capabilities but the Soviets
believed otherwise, and in the world of deterrence, perceptions are everything.
The enemy MUST believe in your ability and willingness to strike with overwhelming force to
meet security threats, be they physical or virtual. Failure on either count means deterrence will
not work. Henry Kissinger uttered similar thoughts in his masterpiece, Diplomacy, stating, “As
long as deterrence was equated with mutual destruction, the psychological inhibitions against
nuclear war would be overwhelming.”46
While many in defense and government have moved on from deterrence-based policies in favor
of a globalist approach, perhaps they are being short-sighted. Fairbanks alluded to that when he
wrote of MAD in 2004 implying it was no more than a product of its day and that it would
never be heard from again. “Like the superiority of the offensive learned from Napoleon, or the
superiority of the defensive, which lasted from about 1915 until sometime in the 1930s, MAD
was the product of a passing moment in history, one that will never again appear.”47
Perhaps it is too soon to simply dismiss deterrence as a policy mainstay. After all, in the final
analysis, deterrence really only needs to meet two conditions to succeed. First, one must have
the capability to deliver a crippling blow to one's enemies (or at the very least, one's enemies
must believe you have that capability). Second, one's enemies must believe in your unswerving
intent to use that capability when red lines are crossed. Currently, in cyberspace, the U.S. does
not meet either criterion.
In their 2011 book entitled, The Sovereignty Solution: A Common Sense Approach to Global
Security, authors Anna Simons, Joe McGraw, and Duane Lauchengco propose a number of
compelling ideas regarding how the U.S. should reinvent its national security policy. Foremost
among these is the notion that the future is unknowable and the U.S. should take a more
proactive and unambiguous position when it comes to its national security policy.
They advocate a return to the emphasis on national sovereignty and accountability suggesting
that this is the best way to re-define the global security landscape, with the U.S. leading the way
and setting the example for other nations to follow. They suggest that the U.S. and other
nations who want to continue to have a mutually beneficial relationship with the U.S., should
say what they mean and mean what they say, and most importantly, act in accordance with both.
46 Kissinger, Diplomacy, pg. 750
47 Fairbanks, Getting MAD, Chapter 4, pg. 147
They further suggest that the political vagaries of U.S. foreign and security policy since WWII
have done nothing but generate animosity and confusion within the global security landscape
and within the U.S. as well. One could argue with good effect that this unfortunate trend has
continued and even intensified since the 9-11 attacks on the U.S. by Al-Qa’ida, resulting in the
most tumultuous global security landscape since the pre-World War I period.
If true, cyberspace represents an excellent stepping-off point in an effort to begin building this
new national security model because there is no legacy model hanging over it. Cyberspace is
essentially a blank canvas in terms of governance and the U.S. has compelling reasons to take
the lead in developing a template the rest of the world could adopt, not the least of which is the
fact that cyberspace represents the most likely battlefield of the future.
Cyberspace and the ability to conduct cyber attacks represent an asymmetry that lesser powers and
third-party actors can easily exploit to act against U.S. interests. In a cyber-security sense, if the
U.S. wanted to build a cyber deterrent model grounded inside a larger deterrence-based national
security strategy, it would be necessary to meet the two criteria cited earlier: clearly developed
capability and unambiguous intent.
Meeting the first criterion requires a sea change in how the U.S. approaches security policy. It
entails a course correction away from a complete investment in globalist security policy to a
more deliberate and unambiguous central doctrine where national sovereignty and
accountability are valued above all else. Such a doctrine could work in concert with certain
global security concepts (e.g. mutual responsibilities to govern the global commons, to operate
within the confines of certain internationally agreed upon economic policies, etc.) but would not
be so beholden to them that it values global security interests, or those of other nations, over
U.S. national security interests.
To meet the second criterion would also require a dramatic change to current U.S. operational
cyber policy and law. It would mean that the U.S. must first convince the global community of
her ability to achieve very specific effects through both conventional and cyber capabilities.
Second, the U.S. must clearly articulate its national security policy in unambiguous terms, to
include very clearly articulated red lines. Third, the U.S. must state to the world what its
intentions are in very specific terms when and if the red lines are breached.
Finally, and perhaps most importantly, the U.S. must publicly and very overtly respond to cyber
attacks directly, immediately, and without remorse, in accordance with the stated policy and
using the best available intelligence in attributing responsibility for the attack(s). It must hold
any nation that commits a cyber attack (however we choose to define it) against the U.S. or a
U.S. entity, or who harbors those who do, accountable for their actions (or inactions as the case
may be).
We must do our best to strike back without inflicting collateral damage, but we must also be
willing to accept that there may be instances where we mistakenly attribute responsibility for an
attack and we do strike back at the wrong target. If we are unable to specifically strike back
against an attacker, we will then strike back at the nation from whose networks the attack(s)
occurred. In that sense, the community of nations needs to understand that if they don’t want
that to happen, it’s in their collective best interest to cooperate with the U.S. in helping to assign
attribution for attacks, for strictly patrolling and enforcing cyber security standards within their
own borders, and in adopting the same cyber defense posture, predicated on the concept of
national sovereignty.
This simplifies the global security landscape by placing the nation-state back at the heart of the
discussion as the accountable entity. It forces nations to respond to non-state actors operating
within their borders or through their networks. It provides incentive to those nations to either 1) ask
for help in enforcing their cyber borders, 2) take unilateral action to stop those non-state actors,
or 3) to suffer the consequences of having provided safe haven or of having done nothing to
impede the nefarious activities/actors.
This policy necessarily requires adequate attention to the tactical details, and Simons and
company address these concerns in their work in suitable detail. Suffice it to say, these sorts of
issues can be addressed; the trick is to ensure that it is clear to all how we've defined these
matters.
Protecting the Global Commons
It cannot be overstated how important the existing paradigm associated with the administration
of the global commons is to the development of an effective cyber deterrence policy if for no
other reason than the precedent it sets for the U.S. to assume the lead in this newest global
common.
Political Science expert Professor Barry Posen of the Massachusetts Institute of Technology
suggests that U.S. command of the global commons is in fact, one of the singularly important
facets of the current global security environment.
“Command of the commons is the key military enabler of the U.S. global power
position. It allows the United States to exploit more fully other sources of power,
including its own economic and military might as well as the economic and military
might of its allies. Command of the commons also helps the United States to weaken its
adversaries, by restricting their access to economic, military, and political assistance.
Command of the commons provides the United States with more useful military
potential for a hegemonic foreign policy than any other offshore power has ever had.”48
If what Posen says is true, and the evidence would seem to support his assertions, then the U.S.
must never lose that control. It is truly the core of U.S. foreign and security policy and
without it, the U.S. will have to make serious changes and several concessions to competing
interests.
Raja Mohan, Strategic Affairs editor of the Indian Express, stated in a 2010 paper for the Center
for New American Security,
“Ensuring order in the commons has always been a main function of the hegemonic
powers in the international system, a function that two Anglo-Saxon powers – Great
Britain and the United States – have performed with considerable aplomb for more than
two centuries...Addressing instability in the global commons, it has been argued in
Washington, should be at the top of America’s list of national security priorities.”49
48 Posen, Barry. "Command of the Commons: The Military Foundation of U.S. Hegemony", Journal Article, International Security, volume
28, issue 1, pages 5-46. Summer 2003. Available at http://belfercenter.ksg.harvard.edu/files/posen_summer_2003.pdf
Clearly, Mohan agrees with Posen and with contemporary U.S. leadership in noting the critical
significance of maintaining command over the commons. Yet, he too sees what many in
Washington, Beijing, and others in the various contested areas of the world have seen. U.S.
power and control within the commons is growing increasingly contested. Mohan states
further,
“Despite their rising importance, the commons have never looked as vulnerable as they
do today. Whether it is terrorists targeting civilian air traffic, pirates threatening vital
sea-lanes, or cyber militias attacking computer networks, the capacity of small but well-
organized groups to disrupt vital common spaces has increased significantly. These
threats are not limited to non-state actors. Rising powers and regional actors that fear the
United States and its power have adopted asymmetric strategies to probe American
vulnerabilities in the global commons.”50
American policy-makers are very aware of the rising importance of the commons to U.S.
interests. The current U.S. National Security Strategy (NSS) states that U.S. military forces
must continue to “preserve access” to the global commons in order to strengthen national
capacity.51 It also cites maintenance and governance of the commons as a “key global
challenge” requiring “broad cooperation”.52 Clearly, the NSS reflects the U.S. position that the
global commons represent a national security imperative. Interestingly, the one common
receiving the most specific attention in the NSS is cyberspace, clearly stating that it is America's
intent to lead a global effort to establish cyberspace norms.
“While cyberspace relies on the digital infrastructure of individual countries, such
infrastructure is globally connected, and securing it requires global cooperation. We will
push for the recognition of norms of behavior in cyberspace, and otherwise work with
global partners to ensure the protection of the free flow of information and our continued
access. At all times, we will continue to defend our digital networks from intrusion and
harmful disruption.”53
An often cited concern of Americans is that the U.S. has been saddled with the role of global
police. Whether it is accurate to say “saddled” is debatable. In part, the U.S. has borne a
disproportionate amount of the burden in the administration and governance of the global
commons, because it is one of the few nations (in some cases, the only nation) able to provide
the essential capabilities required to do so. It could also be argued that the U.S. has assumed a
large portion of that responsibility because it is in its own best interest to do so.
49 Mohan, C. Raja, U.S.-India Initiative Series, India, the United States and the Global Commons, pg. 6. Center for New American
Security, December 2010.
50 Mohan, Raja C., India, the United States, and the Global Commons, Center for New American Security, U.S.-India Initiative Series,
October 2010. http://www.cnas.org/files/documents/publications/CNAS_IndiatheUnitedStatesandtheGlobalCommons_Mohan.pdf
51 National Security Strategy of the United States, pg. 14
52 Ibid, pg. 49
53 Ibid, pg. 50
Whatever the reasons, for the foreseeable future, it is clear the U.S. sees maintenance of the
commons, and specifically, the development of cyberspace norms with a heavy dose of U.S.
input on the topic as a very high priority going forward. In an increasingly networked world, it
is fast becoming apparent the U.S. can no longer ensure the same degree of freedom and
security in the global commons.
As technology brings all nations closer together in terms of capabilities and the economies of
large, ascending nations like China and India continue to expand and mature, they too will
become increasingly interested in the administration of a safe and secure set of global commons
ensuring a permissive environment for their business and national security interests, some of
which may not be consistent with those of the U.S. They may decide they'd like to take the lead
in developing the new rules in cyberspace, such that they can best further their respective
interests.
History has shown that the nation that leads in any given technology or capability has, by default,
assumed the mantle of the arbiter of governance over the respective global common. The
U.S., initially a naval power, having inherited that mantle from the British at the end of WWII,
assumed a leading role in the UN Conventions on the Laws of the Sea, the global governance
doctrine that served as the agreed-upon baseline standard of naval conduct. Similarly, as the
U.S. has led the way in development of aviation, space, and now cyberspace technologies, it has
had virtually carte-blanche authority to dictate to the world how these domains are
administered.
Cyberspace however, is somewhat different. The U.S. does not enjoy the same kind of
technological advantages in cyberspace that it did in the other domains. The U.S. is still a
leader in many of the technologies that serve as the foundation of advancements in cyberspace
but it is by no means the sole player in that arena. As a consequence of globalization, when
compared to the U.S., the rest of the world is much more capable in cyberspace than it was
in the physical domains in the past. Furthermore, the U.S. is no longer the undisputed economic
superpower on the planet and that has a debilitating effect on its ability to continue to
administer the conduct of the commons almost unilaterally.
In her recent article entitled, “Security Challenges in the 21st Century Global Commons”, Tara
Murphy points out that,
“The strategic importance of the global commons to U.S. national defense and
international security warrants this high level of attention. As challenges within these
domains continue to emerge, they will demand creative solutions—particularly in the
relatively new, man-made domain of cyberspace—and will require international
engagement to implement these solutions. The United States has the capacity to lead in
this regard and should prioritize developing technology and policy countermeasures to
the challenges emerging in the sea, air, space, and cyberspace domains.”
While this could easily portend more multi-national, collaborative efforts involving existing
international institutions, it could also portend room for more conflict between nations
competing for an advantage in cyberspace. Worse, it almost certainly represents potential
opportunities for third-party actors to take advantage of the gaps and discrepancies in global
cyber governance.
Solutions
The time has come for the U.S. to take the gloves off in cyberspace. The APT, the growing
number of threat actors, and the declining ability of the U.S. to ubiquitously enforce the global
commons, are a recipe for disaster. Moreover, the current cyber security paradigm has proven
ineffective time and time again as larger, more advanced, and more dangerous cyber threats are
discovered with increasing frequency.
Billions of dollars are lost by U.S. corporations and citizens every year, in both real dollars
and intellectual property. Often, the targeted information is key to national security interests,
and it's still not entirely clear what the long-term ramifications of the theft of multitudes of
private citizens’ information will be. Meanwhile, the debate over the legal nuances of what is
permissible in terms of a response to cyber attacks and cyber crimes is so laden with
controversy that by the time an effective solution is finally agreed upon by the international
community, it may well be too late.
We can argue all we want about what's acceptable and proper in cyberspace but in the end,
Americans, and American interests will continue to be victimized. We need to start shooting
back via Active Cyber Defenses in an effort to stem the tide while we continue to have the
dialogue regarding cyberspace standards of behavior. At least then, threat actors will run the
risk of incurring some sort of punitive damage. The world today is truly a Wild West in many
respects and nowhere is this more true than in cyberspace. It is time for the U.S., the keeper of
the commons and still preeminent superpower, to clean things up, if not for the world, then at
least for herself. The price of inaction in cyberspace may well be as devastating as any nuclear
strike.
There are a number of necessary actions required if America is to secure her cyber footprint and
re-set her national security paradigm. Here are just a few ideas I had but there are many more
and I'm sure there are much smarter people out there who could find the best ways to implement
some of these fixes.
Intensive and persistent collaboration between Government and the Private Sector.
I'm not talking about the half-hearted efforts of the past two decades. Rather, I'm talking
about collaboration on a level not seen in this country since WWII. I'm talking about a
seamless integration of resources, agendas, and methodologies that are mutually
supportive and politically and commercially agnostic. It's worth reiterating that in
cyberspace, one is only as safe as the weakest link. America can no longer relent to
private-sector overtures to secure their proprietary information pertaining to cyberspace
threats and cyber defenses. Nor can the nation afford to let private-industry stonewall
progress in this area because it may reveal some of the illicit activities they may have
been involved with as well, particularly in the form of corporate espionage.
While as Benjamin Franklin asserted, ‘the business of America is business’, if we've
learned nothing else from the collapse of the housing bubble, the ENRON fiasco, and the
stock-market crashes of 1987 and 2008, business cannot always be trusted even to act in
its own best interest. If industry is allowed to pursue an unfettered agenda aimed at
nothing but profit, sometimes at the expense of the nation that allows it to do so, then we
deserve what we get. Sometimes, it's necessary for the government to intervene,
particularly in areas that affect us all, like cyberspace does, and impose some operational
guidelines and standards. Information sharing on cyber threats is a great place to start.
The data needs to be shared across the collective of cyberspace to include private
citizens, government, and industry. This could be done in any number of ways but one
idea is to employ a third-party broker who wouldn't care about the private information
being handled. Rather, they would seek only to identify and share information
pertaining to hostile cyber actions and threat data.
This could be done by either allowing a government watchdog like U.S. CERT perhaps,
to have unfettered access to corporate data once certain thresholds are met or by
development of a more robust and all-inclusive national cyber-security watch center
which would field threat information, assess it, share it, perhaps even hand it off to
companies like Symantec and McAfee to begin work on developing and disseminating
a patch. The forensics on these attacks would need to be done quickly and reports would
then need to be elevated to the appropriate command authorities for responsive actions
as needed.
Acquisition and fielding of new cyber technologies and tools must be increased
significantly. Leverage information sharing initiatives to become an active participant
in the same information marketplace where new tools and technologies are being
developed daily. This is an existing world where hackers and programmers live and are
constantly developing new tools, tactics, and technologies. Sure, as new tools and
technologies are developed, we'd want a means to test them and ensure a seamless
integration into existing architectures, but we can no longer afford to endure the two-year tail
from ‘big idea’ to ‘fielded system’. It places the U.S. at extreme risk. Becoming a more
active participant in the cyber underground is a great way to streamline the process.
Furthermore, we should integrate our acquisition and fielding process into that of
private-industry. Companies actively helping develop new capabilities could be
compensated in the form of tax breaks or other government benefits.
Attribution of attacks must improve. The real attribution problem is not that we can't
figure out who conducted an attack. Admittedly, depending upon the sophistication and
capabilities of the perpetrator(s), that can be difficult, but it is almost never impossible.
Rather, the real attribution problem lies in determining the ‘who’ and the ‘how’ in a
significantly shorter period of time, such that we can tie a response action directly to the
act. As noted earlier, timeliness in retaliation is a major factor in terms of legal
acceptability on the global stage.
We must become a more agile target. Following the wisdom of the great Confederate
General Thomas “Stonewall” Jackson, we must find ways to “...mystify, mislead, and
surprise the enemy if possible.” This too can be done through continued development of
cloud technologies coupled with some of the frequency hopping technologies originally
developed for voice communications in the military.
The cloud can't be static. Rather, it must drift through the sky, and the faster the better.
Moreover, it must employ a host of constantly changing security protocols for which
only authorized users would have the appropriate keys to successfully navigate.
We must develop the ability to keep would-be attackers guessing as to where the target
actually resides by employing an agile server model that regularly and randomly
relocates itself, changing the entry points, and which is laden with honey-pots and other
security tools. We must also employ deception techniques that spoof attackers into
launching attacks against false targets or even non-existent targets in the hope of
revealing the attacker's location and/or identity, thereby enabling a prompt retaliatory
strike.
Seize the Offensive. It is a long accepted fact that he who seizes the offensive, dictates
the time, place, and means of his attack and places the defender at a distinct
disadvantage. This does not mean that the U.S. should arbitrarily attack suspected cyber
threat actors but it does mean we should clearly stipulate what our actions may be if
attacked and then we must follow through on those actions. I'm not advocating pre-emptive
strikes based solely on an enemy's capabilities, but I am advocating attacks against
confirmed threat actors with a track record of hostile intent toward the U.S., her citizens, or
her interests, before they attack us. Of course, this presupposes we've succeeded in
attributing blame for attacks in the past or we've got solid intelligence (not necessarily
incontrovertible intelligence) that a given threat actor is intent upon attacking us.
Thus, it is in the best interest of non-threat actors to be very clear about their actions and
intentions so as not to run the risk of being characterized as a threat actor. Again, this
makes the political dialogue between states much clearer. According to Jarno Limnell,
Director of Cyber-security for Stonesoft Corporation, a Finland-based network security
solutions vendor owned by McAfee,
“Preventing attacks against corporate networks is increasingly difficult, and
attackers currently have a strategic and tactical advantage. This is causing
companies to become more aggressive and fight back against cybercriminals and
cyber espionage attempts. Companies are frustrated by their inability to stop
sophisticated hacking attacks, so some companies have started to take retaliatory
action.”54
One of the reasons why companies conduct active defense is to create a deterrent. Companies
want to show attackers that they are both capable and willing to fight back if they are attacked.55
54 Limnell, Jarno. Controversial Active Cyber Defense, http://infosecisland.com/blogview/22757-Controversial-Active-Cyber-Defense.html, December 1, 2012.
The answer is not to spend more resources on developing offensive capabilities as opposed to
defensive capabilities; the answer lies in ensuring that those defensive capabilities are themselves offensive
capabilities. It is the same policy that governed the Cold War: Mutually
Assured Destruction.
Eliminate the operational stovepipes. The current DOD insistence on distinguishing
offensive capabilities from defensive or exploitation capabilities is misguided.
The tactics, techniques, and procedures (TTPs) vary to some extent but they are all
inherently linked and governed by the technological boundaries of the domain itself. As
the technology advances, so too will the capabilities and thus, the TTPs as well, in a
never-ending cyber arms race. U.S. cyber doctrine employs separate entities to conduct
different tasks in cyberspace much like we did for years in the physical domains by
developing specialized weapons systems. We built fighters to achieve air superiority,
bombers to deliver devastating strategic effects, tanks to rapidly outmaneuver enemy
ground forces, etc. In recent years, we've gone in a decidedly different direction by
building multi-functional weapons that can do a little bit of everything, like the F-22.
The speed of the cyber domain requires a functionally integrated capability to conduct
Computer Network Defense, Computer Network Attack, or Computer Network
Exploitation operations. The skill-sets for all are very similar as is the training.
Moreover, how good is a CND operator who doesn't have a CNA operator sitting next to
him providing him with likely enemy courses of action based on the attacker's
perspective?
How much time do we want to waste in pushing tactically useful data from a CNE
operator over to a CNA operator in a combat environment where seconds can be an
eternity? Wouldn't it make more sense to build cyber units that are capable of executing
a full-spectrum mission set rather than specializing in just one area? These concepts
should not be limited just to DOD but rather, to the whole of government and private
industry as well. Again using U.S. CERT as a notional coordinator of the overarching
cyber efforts in the U.S., perhaps they could develop a cyber academy which teaches
how to build a cyber defense team. They could teach all the best practices, and anything
and everything determined to be necessary and vital to protect our cyber footprint.
Form an agency responsible for U.S. Cyber-security. It seems obvious we need a
single, over-arching agency responsible for and capable of administering the nation's
cyber security. Give them the teeth to act in establishing required baselines for data
storage and retrieval, information protocols and data standards, network construction,
reporting standards, etc. They should work in concert with DOD, DHS, DOJ and other
mission partners and they should have the power to impose standards on U.S. cyber
practitioners such that there could ultimately be a cyber common operational picture that
would allow us to monitor the status of all systems and networks and ensure their safety
and security for government, personal, and industry use. They would also be
responsible for reporting on threats and threat actors, coordinating patches and
mitigation tactics, and ensuring the nation's cyber landscape is safe for all the vital
functions our nation depends on them to provide. This would be a massive undertaking
that would likely cost billions of dollars and would be full of legal issues requiring
adjudication, but once we figured it out, we'd be so much better for it.
55 Ibid.
CONCLUSION
The United States is under siege in cyberspace. While there are a number of reasons for this,
the sad fact is that nobody has really been able to do anything to stop it. Legal interpretations,
flagging development of international cyber standards, civil liberties concerns, and the vastly
divergent agendas of the various stakeholders in cyberspace have all combined to effectively
hamstring the U.S. from developing a clear policy for our conduct in cyberspace.
Consequently, bad actors including nation-states, criminal enterprises, corporate entities,
terrorist organizations, and even individuals, from all over the world, have seized upon the
relatively inexpensive and potentially devastatingly effective capabilities resident in cyberspace
to exploit U.S. deficiencies in that realm.
There have been countless attacks against the U.S. conducted via cyberspace in recent years and
despite an increasingly robust public discourse on the topic, the U.S. has continued to be
vulnerable and to be exploited by her enemies. The time has come for the U.S. to get serious
about combatting the threat.
While there are certainly civil liberties issues affecting the pace of cyber policy development
and effective operational response in this country, at the end of the day it is apparent that
defending the civil liberties of U.S. citizens and U.S. persons must be viewed as the singular
purpose of our government. The Declaration of Independence states,
“We hold these truths to be self-evident, that all men are created equal, that they are
endowed by their Creator with certain unalienable Rights, that among these are Life,
Liberty and the pursuit of Happiness.--That to secure these rights [emphasis added],
Governments are instituted…to effect their Safety and Happiness [emphasis added].”
If the government is on the hook for protecting American interests, including those in
cyberspace, then the time has come for action. We have delayed far too long and we cannot
afford to continue to let bad actors assault our interests, steal our intellectual properties, our
money, and to compromise our personal medical and financial information.
While not foolproof, the advantage of an Active Cyber Defense posture is that, at the very least,
it imposes the potential for crippling repercussions on attackers where currently there are no
repercussions at all. Further, it reinvigorates the notion of national sovereignty, thus offering a
more stable and predictable global security landscape going forward.