When in a period of rising tensions, in some future crisis now unforeseen, a cyber warrior of some nation is ordered to “send a message” to the potential adversary by using one of the logic bombs already in place, will it forestall or will it trigger a broader shooting war? Perhaps because the opponent is misled about who started the war, other nations will be drawn in. Possibly, the cyber warrior in one of the score of nations with capability will act without authority, initiating a conflict. Alternatively, it may be a hacker who uses a cyber weapon for destruction rather than crime, or discovers and sets off a logic bomb left behind by someone else. The cyber war that ensues could be incredibly rapid and global.
When an American President sends U.S. forces to bomb a rogue state’s nuclear weapons factory or terrorist camp, that nation may not be able to respond against our impressive conventional military forces. And yet, for a small investment in a cyber war capability, it may respond by destroying the international financial system, in which it has very little stake. The asymmetry of what it costs to counter our conventional military versus the minimal investment required for a cyber war capability will tempt other nations, and perhaps criminal cartels and terrorist groups as well.
Because the U.S. invented the Internet and has perhaps led in cyber espionage and the creation of cyber war tools, it may have developed an implicit arrogance, causing us to assume that no one could humble America in a cyber war. Our cyber warriors and, to the extent that they think of cyber war, our national security leaders in general, may take comfort in the fact that we could perhaps see a cyber attack coming. They may think that we could block some of it, and they may believe we could respond in kind, and then some. The reality is that a major cyber attack from another nation is likely to originate in the U.S., so we will not be able to see it coming and block it with the systems we have now or those that are planned. Yes, we may be able to respond in kind, but our nation will still be devastated by a massive cyber attack on civilian infrastructure that smacks down power grids for weeks, halts trains, grounds aircraft, explodes pipelines, and sets fire to refineries.
The reality may also be that when the U.S. President wants to retaliate further, he will be the one who will have to escalate. He will be the one who will have to cross the cyber/kinetic boundary. And he may find, when he does, that even our conventional forces are cyber dependent. The U.S. military’s reliance upon cyber systems exceeds the extensive dependence of the commercial infrastructure. The contractors required for America to fight a war may be immobilized by cyber attack. The allegedly hermetically sealed computer networks upon which the Department of Defense relies may prove porous and unavailable. Highly advanced technology in the conventional weapons and systems that give U.S. forces dominance (for example, the F-35 fighter and the Global Positioning System) may suddenly not work. We are not the only nation that can install a logic bomb.
With a nation in the dark, shivering in the cold, unable to get food at the market or cash at the ATM, with parts of our military suddenly impotent, and with the regional flashpoint that started it all going badly, what will the Commander-in-Chief do? Perhaps he will appoint a commission to investigate what went wrong. That commission will read the work of another commission, one appointed by Bill Clinton in 1996, and be astonished to learn that this disaster was foreseen back then. They will note the advice of a non-government commission written in 2008 advising the next President to take cyber war seriously. They may, if they are diligent, find a National Academy of Sciences study on Offensive Information Warfare from 2009 that warned that cyber war policy was “ill-formed, undeveloped, and highly uncertain.”
The post-disaster commission, a special committee of the Congress, or the next President would likely recommend a plan so that “this sort of thing can never happen again.” Since we know now what has been recommended already, what hasn’t worked, and why, perhaps we should not wait for a disaster to embark on a plan to deal with cyber war. If we strip away the luxuries and the things that would be nice to have, there are six simple steps that we need to take simultaneously and now to avert a cyber war disaster.
1. THINKING ABOUT THE UNSEEABLE
First, we must initiate a broad public dialogue about cyber war. A student looking to choose a graduate school asked me recently to recommend a university where she could take courses on cyber war. We scoured course catalogues and found none at any of the major security-policy schools, such as Harvard’s Kennedy School, Princeton’s Woodrow Wilson School, or Texas’s Lyndon Johnson School. She asked what books she should read and we found some interesting titles, but few that really delved into the policy and technology of cyber war. Many that seemed promising turned out to use the phrase “information war” to mean psychological warfare or public diplomacy.
Perhaps there are few books on cyber war because so much of the subject matter is secret. Maybe there should be public discussion precisely because so much of the work has been stamped secret. In the 1950s and 1960s, people like Herman Kahn, Bill Kaufmann, and Albert Wohlstetter were told that nuclear war was something that could not really be discussed publicly. One of Kahn’s responses was a book called Thinking About the Unthinkable (1962), which contributed to a robust public dialogue about the moral, ethical, and strategic dimensions of nuclear war. Open research and writing done at MIT, Harvard, Princeton, Chicago, and Stanford also contributed. Bill Kaufmann’s classes at MIT, Harvard, and the Brookings Institution taught two generations how to think about nuclear strategy and how to ask analytical questions, so that they could think on their own. Today at Harvard and MIT, the aptly named Project Minerva, an open research program on cyber war funded by the Defense Department, has begun. (I am reminded of Hegel’s dictum that “the owl of Minerva always flies at dusk,” meaning that wisdom comes too late.)
The mainstream media’s treatment of cyber war has improved. Reporters at the Wall Street Journal and the New York Times have written on it since 2008. Public television’s highly respected Frontline series did an hourlong examination in 2003, Cyber War. Television has focused much more on identity theft by cyber criminals because so many readers and viewers have already been victimized by cyber crime. Movies, however, have been filled with cyber war. In Live Free or Die Hard, a former government cyber security official who wasn’t listened to (whom the New York Times reviewer said was reminiscent of me. Nonsense!) cripples national systems. In Eagle Eye, hacking causes high-tension lines to melt and general havoc to erupt. In The Italian Job, the hacking is limited to traffic lights, but in Ocean’s Eleven there is a power blackout in Las Vegas. There are so many more that much of the moviegoing public has little trouble understanding what cyber war can do. High-level policy officials apparently seldom make it to the movies. Or maybe they think it’s all just fantasy. To make them understand that such scenarios can really happen, we need an exercise program to drive home the point. General Ken Minihan has been promoting the idea of an Eligible Receiver–type war game for the private sector. “We could scare the pants off them, the way we did for the President in ’97.”
Congress, surprisingly, has held numerous hearings on cyber security and has tasked its Government Accountability Office to investigate. One GAO report asked whether the warnings that hackers could attack a power grid were true. GAO investigated one of the few power grids owned and operated by the federal government, the Tennessee Valley Authority’s system. GAO reported back in 2008 that there were significant cyber security vulnerabilities on the TVA grid that left it open to attack. On cyber war, however, as distinct from cyber security in general, Congress has done little in the way of oversight, hearings, or legislation.
Congress is a federation of fiefdoms, subject to the vicissitudes of constant fund raising and the lobbying of those who have donated the funds. That situation has two adverse consequences with regard to congressional involvement in cyber war oversight. First, everyone wants his or her own fiefdom. Congress has resisted any suggestion, such as was made by Senator Bob Bennett (Republican of Utah), that there be one committee authorized to examine cyber security. As a result there are approximately twenty-eight committees and subcommittees involved in the issue and none with jurisdiction to think holistically. Second, Congress “eschews regulation” and spits it out. The influential donors from the information technology, electric power, pipeline, and telecommunications industries have made the idea of serious cyber security regulations as remote as public financing of congressional campaigns or meaningful limits on campaign contributions.
The dialogue we need will require meaningful academic research and teaching, a shelf of new books, in-depth journalism, and serious congressional oversight.
2. THE DEFENSIVE TRIAD
The next item on the agenda to prevent cyber war is the creation of the Defensive Triad. As proposed earlier in this book, the Triad stops malware on the Internet at the backbone ISPs, hardens the controls of the electric grid, and increases the security of the Defense Department’s networks and the integrity of its weapons. Much of the work in DoD has already begun as a result of President Bush’s decision in his last year in office. The Defensive Triad is not an attempt, as my National Strategy for Cybersecurity was, to defend everything. The Triad is, however, designed to defend enough so as to cause another nation to think twice before launching a cyber war against us. A potential attacker needs to believe that much of his attack will fail and that its greatest effect will be retaliation of various sorts. Without the Defensive Triad, the U.S. should itself be deterred from acting in any way (not just in cyber war) that could provoke someone into a cyber war attack on America. Today we are so vulnerable to a devastating cyber war attack that U.S. leaders should walk cautiously.
We cannot build two of the three prongs of the Defensive Triad (the defense of the Tier 1 ISPs and of the electric power) without additional regulation. The argument I have made in the past about homeland security in general is that without using regulation the federal government is trying to achieve security with one of its arms tied behind its back. There was an era when federal regulations were overly intrusive and ineffective, but that is not inherent in the idea of the government asking industries to avoid doing some things and defining desired end states. At the Black Hat conference in 2009 (discussed earlier), the cyber security expert and author Bruce Schneier made the same point, arguing that “smart regulation” that specifies the goal and does not dictate the path is needed to improve cyber security.
Our cyber war agenda must include regulation that requires the Tier 1 ISPs to engage in deep-packet inspection for malware and to do so with the highest standards of privacy protection and oversight. The ISPs must be given the legal protection necessary so that they do not have to fear being sued for stopping viruses, worms, DDOS attacks, phishing, and other forms of malware. Indeed, they must be required to do so by new regulations.
In order for the Department of Homeland Security to fulfill its role in the Defensive Triad, we must create a reliable and highly qualified component, perhaps a Cyber Defense Administration. The Cyber Defense Administration should be responsible for overseeing the deep-packet inspection system that the ISPs will run. It should also be responsible for monitoring the health of the Internet in real time, take over responsibility for regulating cyber security of the power sector from the Federal Energy Regulatory Commission (FERC), and provide a focal point for law enforcement activities related to cyber crime. The Cyber Defense Administration’s most important role, however, would be to manage the defense of both the dot-gov domain and critical infrastructure during an attack.
The administration could provide the ISPs with known signatures of malware in real time, in addition to being a vehicle for the ISPs sharing what they themselves discover. The existing National Communications System, a four-decade-old office that worked on telephone availability in emergencies, and which was recently merged into the new National Cybersecurity and Communications Integration Center (NCCIC, but pronounced “en-kick”), could provide the ISPs with an out-of-band communications system that could pass these malware signatures. The Cyber Defense Administration could draw on the expertise of the Pentagon and intelligence agencies, but the National Security Agency must not be given the mission of protecting domestic U.S. cyber networks. As uniquely skilled as NSA’s experts are, they and their agency suffer from a public distrust exacerbated by the warrantless wiretapping ordered by Bush and Cheney.
Beyond regulating the ISPs, the other area of regulation needed is the electric power grid. The only way to secure the grid is to require encryption of commands to the devices running the system, along with authentication of the sender, and a series of completely out-of-band channels that are not connected to the companies’ intranets or the public Internet. The FERC has not required that, but it did finally issue some regulations in 2008. It has not yet started to enforce them. When it does, do not expect much. That commission completely lacks the skills and personnel needed to ensure that electric power companies disconnect their controls from any pathway that a hacker could use. The mission of auditing the electric companies’ compliance should also be given to the Cyber Defense Administration, where the expertise could be built and where the overly chummy relationship with the industry exhibited by the FERC would not get in the way of security.
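As an added illustration (not the book's own text), here is what the "authentication of the sender" half of that prescription looks like on the device side: a constructed HMAC-checked command frame carrying a sequence number, so that a command that is unsigned, altered in transit, signed with the wrong key, addressed to another device, or captured and resent is refused before it reaches the switchgear. The device id, shared key, frame format and action names are assumptions; the encryption layer the author also calls for would wrap this same frame.

```python
import hashlib
import hmac
import json

# Assumption: the control center and each field device share a 32-byte key
# distributed over the out-of-band channel the text describes, never over the
# intranet or the public Internet.


def sign_command(key: bytes, device_id: str, seq: int, action: str) -> bytes:
    """Build an authenticated command frame: canonical JSON body + HMAC-SHA256 tag."""
    body = json.dumps(
        {"device": device_id, "seq": seq, "action": action}, sort_keys=True
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + b"|" + tag.hex().encode()


class GridDevice:
    """Hypothetical field controller that only executes authentic, fresh commands."""

    def __init__(self, device_id: str, key: bytes) -> None:
        self.device_id = device_id
        self.key = key
        self.last_seq = 0          # highest sequence number already executed
        self.executed: list = []   # actions actually carried out

    def receive(self, frame: bytes) -> str:
        """Return 'executed' or a rejection reason; nothing runs until every check passes."""
        try:
            body, tag_hex = frame.rsplit(b"|", 1)
            tag = bytes.fromhex(tag_hex.decode())
        except ValueError:
            return "rejected: malformed or unsigned frame"
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison: the tag check must not leak timing information.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad authentication tag"
        msg = json.loads(body)
        if msg["device"] != self.device_id:
            return "rejected: addressed to another device"
        # Replay protection: a captured frame cannot be resent later.
        if msg["seq"] <= self.last_seq:
            return "rejected: replayed sequence number"
        self.last_seq = msg["seq"]
        self.executed.append(msg["action"])
        return "executed"


if __name__ == "__main__":
    key = bytes(32)  # constructed demo key; a real device uses a random one
    breaker = GridDevice("breaker-7", key)
    frame = sign_command(key, "breaker-7", 1, "open")
    print(breaker.receive(frame))                 # executed
    print(breaker.receive(frame))                 # rejected: replayed sequence number
    print(breaker.receive(b"OPEN breaker-7"))     # rejected: malformed or unsigned frame
```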
The Cyber Defense Administration should also assume the cyber security responsibility for the myriad civilian federal departments and agencies, all of which are now forced to try to do cyber security on their networks. Also, consolidating in the proposed Cyber Defense Administration what is now done on cyber security by the Office of Management and Budget and the General Services Administration would increase the probability of achieving a center of excellence that could manage security on the government’s own civilian (not Defense) networks.
3. CYBER CRIME
Because cyber criminals can become rental cyber warriors, we need as the third agenda item to reduce the level of cyber criminality that is plaguing the Internet. Cyber criminals have begun to penetrate the supply chains for both computer hardware and software manufacturers to inject malicious code. Instead of just using widely available hacking tools, cyber criminals are now starting to write their own specially designed code to beat security systems, as was the case in the theft of millions of credit card numbers from T.J. Maxx in 2003. These trends point to the growing sophistication of cyber criminals, and may indicate that the criminal threat could grow to become as sophisticated as the state-level threat. That suggests we need to increase our efforts to combat cyber crime.
Today both the FBI and the Secret Service investigate cyber crime, with help from Customs (now called Immigration and Customs Enforcement, or ICE) and the Federal Trade Commission. Yet companies and citizens across the country complain that their reports of cyber crime go unanswered. The Justice Department’s ninety independent prosecutors scattered around the nation often ignore cyber crime because individual cyber thefts usually fall below the $100,000 minimum necessary for a federal case to be authorized. The U.S. attorneys are also often computer illiterate and do not want to investigate a crime where the culprit is in some other city or, worse yet, another country.
The President could assign the FBI and Secret Service agents who cover cyber crime to the proposed Cyber Defense Administration, along with attorneys to prepare cases for the Justice Department. A single national investigatory center within the Cyber Defense Administration, coordinating the work of regional teams, could develop the expertise, detect patterns, and engage in the international liaison needed to increase the probability of arrest to the point where it might begin to be a deterrent. Today law enforcement in the U.S. does not begin to deter the world’s cyber criminals. Today cyber crime does pay. To make it stop paying, the U.S. would need to make a substantially greater investment in federal law enforcement agencies’ cyber crime capability. We will also have to do something about cyber crime sanctuaries.
In the late 1990s, international criminal cartels were laundering hundreds of billions of dollars through “banks” in a variety of mini-nations, usually island states, as well as several larger sanctuary nations. The major financial powers got together, agreed on a model law criminalizing money laundering, and told the sanctuary states to pass the law and enforce it. If they didn’t, the countries were told that the major international financial nations would all stop clearing their local currencies and halt financial transactions with their banks. I had the pleasure of conveying that message to the Prime Minister of the Bahamas, where the law was promptly passed. Money laundering did not disappear, but it got a lot harder because there were fewer reliable sanctuaries. The signatories of the Council of Europe Convention on Cyber Crime should do the same kind of thing to cyber crime sanctuaries. Together they need to tell Russia, Belarus, and the other scofflaws that they either have to start enforcing laws against cyber crime or there will be consequences. One of the consequences would be to limit and inspect all Internet traffic entering nations from the scofflaw sanctuaries. It’s worth a try.
4. CWLT
The fourth component of the agenda to address cyber war should be the equivalent of the Strategic Arms Limitation Treaty (SALT) for cyber war, a Cyber War Limitation Treaty, or CWLT (pronounced “see-walt”). The U.S. should coordinate the proposal with its key allies in advance of suggesting it at the United Nations. As the name implies, it should limit cyber war, not seek some global ban on hacking or intelligence gathering. SALT and its follow-on Strategic Arms Reduction Treaty (START) not only accepted intelligence collection as an inevitability, they relied upon it and called for “noninterference” with it. Those treaties explicitly protected what they called “national technical means.”
When arms control worked well, it had begun somewhat modestly and then expanded its scope in subsequent agreements as confidence and experience had grown. CWLT should begin by doing the following in an initial agreement:
Cyber War: The Next Threat to National Security and What to Do About It Page 27