The extensive press coverage regarding alleged Chinese involvement in cyber espionage, as well as Beijing’s high-profile Internet censorship efforts, have underscored a worrying reality for U.S. officials – U.S. cyberspace policies are still at an embryonic stage. Worse – this comes as the U.S. is faced with a dire threat to its own security.
A highly publicized report to Congress by the U.S.-China Economic and Security Review Commission earlier this month observed that China’s “professional state sponsored intelligence collection not only targets a nation’s sensitive national security and policymaking information, it increasingly is being used to collect economic and competitive data to aid foreign businesses competing for market share with their U.S. peers.”
The report also noted that China is aware of gaps in U.S. cyber strategies, and may be exploiting gray areas in “U.S. policymaking and legal frameworks to create delays in U.S. command decision making.” Yet despite the magnitude of the challenge at hand being clear, the next president – whether it’s Barack Obama or Republican frontrunner Mitt Romney who wins the White House in November – will be faced with a frustrating but necessary challenge in tackling U.S.-Chinese cybersecurity engagement.
After the White House published Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure in June 2009, several initiatives were launched or announced by elements of the U.S. defense community.In 2010, declassification of the Comprehensive National Cybersecurity Initiative (CNCI), enabled the timely development of a framework for international partnerships consistent with a common cybersecurity policy. In 2011, the White House released the U.S. International Strategy for Cyberspace. Subtitled, Prosperity, Security, and Openness in a Networked World,the document falls short of providing the solutions necessary to live up to its name. The simple fact is, without security there can be no prosperity or openness. This is where the new strategy is woefully inadequate – it lacks security strategies informed by technology rather than private sector lobbyists.
The sole purpose of cyberspace is to create effects in the real world. The United States’ high-tech sector leads the world in the innovation and development of computers, software and Internet services. These technologies are the backbone of the global information society. U.S. companies provide technologies that allow more and better digital information to flow across borders, thereby enhancing socioeconomic and human development worldwide. When markets and Internet connections are open, U.S. IT companies shape the world and prosper.
But leveraging the benefits of the Internet can’t occur if confidence in networked digital information and communications technologies is lacking. In cyberspace, security is the cornerstone of openness and prosperity. Cyber policies and strategies must therefore focus on promoting trust, network security, authentication, privacy and consumer protection.
In addition to benefits of free flowing communications, utility companies and industry rely on cyberspace to control critical systems. Electricity, water treatment, public health and financial services are at risk from operating specialized industrial control and embedded systems without appropriate security controls.
Today’s White House strategy prevents the federal government and the U.S. military from utilizing its expertise to protect private sector networks over which critical services flow – those that are often responsible for our prosperity.
To date, there hasn’t been a cyber event that has caused the destruction of critical infrastructure, but it would be poor strategy to do so right now anyway. Why? Because once such an attack is launched, defenders will learn from it, fixing weaknesses and preventing the same attack in the future. Thus, an American adversary is wise to avoid such an attack until a broader conflict between the United States and an adversarial nation is imminent.
For this reason, the majority of attacks against American networks have focused on exfiltrating intellectual property.
The skill required to assure confidentiality, availability, and integrity in our information systems requires a Ph.D. in applied mathematics with a minor in computer science – quite literally. Yet producing such highly educated and skilled experts is an area where the United States is falling behind China at a rapid rate. While meeting this threshold is too high for the majority of users, the nation can’t afford to allow the private sector and its critical infrastructure to fend for itself.
With profit margins guiding decisions on investments in cybersecurity, it may be time for the federal government and the Defense Department to work with the private sector to defend the cyber domain – just as it defends the space, air, land, and sea domains. Even when the private sector purchases cyber security software, it’s more than likely to be bypassed by hackers who may be supported by adversary governments with the time and resources to penetrate the networks of companies operating on thin profit margins.
Policies uninformed by technology seem to rule the day. This must change. Mitt Romney, as the presumptive Republican nominee, should focus on reviewing the technical realities on which cyber policy decisions are made. Not doing so will perpetuate strategies that are putting the United States at increasing risk of cyberattacks from China and Russia, among others.
Romney has promised to conduct a review of U.S. cyber policy within his first 100 days in office. This is a good start if the end objective is to revise the National Strategy to Secure Cyberspace.
Improving interagency dialogue and creating a structure in which intergovernmental “deconfliction” of roles and responsibilities within the cyber domain will prove critical to this effort. Without implementing such a structure in a revised National Security Strategy for Cyberspace, any review of policy won’t be successful.
However, attackers won’t wait for the next president to complete a policy review and implement a strategy, which is why time is of the essence. Whoever wins in November, therefore, should on his first day as president issue an executive order authorizing the following changes in U.S. cyber policy and governance structures. These will be bold but necessary decisions that can’t wait for legislative wrangling.
First, it’s time to review cyber concepts that aren’t grounded in technical reality. This includes concepts such as cyber weapons, global cascading effects, and attribution theory. In these cases, policy wonks dabbled in a field about which they knew far too little, were guided by political ideology, or were subjected to a hodgepodge of consultant speak of which they didn’t have the expertise to debate.
Second, and related to attribution, we should diverge from law enforcement paradigms in the diplomatic and military contexts of response. Current strategies focus on knowing who an individual hacker was with absolute certainty. This is misapplied in the strategic context. Nation states should be held responsible for the behavior of malicious actors within their borders. International cooperation is key to stemming the tide of hackers. For countries that lack adequate technologies and policies, the U.S. should lead the international community in providing development aid. For uncooperative countries, diplomacy with teeth should ensue. For countries that harbor cyber-attackers, escalating sanctions and offensive countermeasures may prove necessary. Doing so would certainly remedy the Chinese ability to exploit the policy gap the USCES report noted.
Third, the National Security Agency (NSA) and U.S. Cyber Command should be given the authority to monitor the networks that operate the nation’s critical infrastructure. The programmable logic controllers and the SCADA interfaces that many utility companies and industrial plants operate on don’t take security into consideration for profit motivated reasons as well as the technical complexities of critical systems. Today, the administration has prevented a greater role for the Defense Department on ideological grounds. Further, waiting on Congress to pass a law that imposes fines on critical infrastructure providers only provides attackers more time to penetrate our networks and develop a better understanding of how to take them down. Given the power of private sector lobbyists in Washington, it’s also unlikely that regulation of critical infrastructure cybersecurity will ever come to pass as long as a hodgepodge of consultant speak rules the day on Capitol Hill, rather than technical realities.
Fourth, the NSA should come under the command of U.S. Cyber Command. Information assurance and cryptography are the NSA’s two main functions. Both are components of cyber operations. Reshaping the organizational culture and structure of a signals intelligence, cryptographic and information assurance organization established in an era of telephone, radio and facsimile, will allow it to leverage its cyber expertise, and permit the interagency to function with greater efficiency and effectiveness.
As more than one former director of the NSA has publicly stated, it’s the culture of unnecessary secrecy that impedes our capabilities in fighting our cyber-adversaries.
Fifth, make internet service providers (ISP) responsible for monitoring their clients’ Internet activity – looking for malicious behavior and infected machines. Contrary to conventional wisdom, it’s possible to do this without infringing upon user privacy. This is an important point.
The United States is the number one point of origin for spam and malicious cyber events worldwide. This reality diminishes our moral authority to lead the world and effectively combat state-sponsored attacks against government and private sector networks.
U.S. companies, such as Comcast, have technologies being considered by the Internet Engineering Task Force (IETF) that allow for the monitoring of malicious traffic and customer notification of infections on their computer without controversial deep packet inspection (DPI). Upon identifying an infected machine, the user would be put behind a safety zone. ISP personnel would then remotely assist the user in curing their machine. Teliasonera, a Swedish company, has had great success in implementing such a system without experiencing a backlash from one of the most privacy-sensitive populaces in the world. The results were impressive. Sweden has experienced a significant decrease in malware, infected machines, and now has a cleaner cyber ecosystem.
Monitoring, when ethically conducted, can significantly decrease the opportunity for hackers to threaten our critical infrastructure.
Sixth, refocusing diplomatic and developmental efforts toward existing global bodies – where norms of cyber behavior have already been articulated and accepted institutionally – will give the United States greater influence in shaping the future. Also, while unpopular, a reexamination of American strategy within the International Telecommunications Union (ITU) is needed. Indeed, there are dark forces aiming to use institutions of diplomacy to extend political control over the Internet. However, our current strategy is only deepening suspicion and resentment on the part of those who we would like to partner with us on global cyber cooperation.
Instead of fighting the ITU, we need to work with our likeminded partners to shape the discussions within it.
While each of these points requires further discussion, failing to secure American cyberspace poses a threat the United States can’t afford. As China, Russia, and other real or potential adversaries look for asymmetric means for attacking the United States, cyberspace is increasingly becoming a domain of choice for stealing our sensitive corporate information, attacking critical infrastructures, and undermining the free flow of information. In the process, the global information society itself is seeing its very foundations undermined.
Panayotis A. Yannakogeorgos is a cyber defense analyst at the U.S. Air Force Research Institute. Adam B. Lowther is a research professor at the U.S. Air Force Research Institute. The views expressed are their own and do not necessarily reflect the views of the U.S. military or the U.S. Air Force Research Institute.