On December 2nd in 1823, the US introduced the Monroe Doctrine. This article declared that the US would view further European interference in the Americas (the Western Hemisphere) as acts of aggression and reserved the right to an armed response.
On march 10th, 2009 it was argued in front of a Homeland Security Subcommittee on "Emerging Threats, Cybersecurity and Science and Technology" by Mary Ann Davidson that this same piece of US doctrine would be a suitable candidate for application in cyberspace.
You can find more information at Whitehouse.gov about this testimony, from where it has recently resurfaced on various discussion boards such as the Dutch Cyber Warfare Community group on LinkedIn (thank you Matthijs).
Not unlike other testimonies on the subject of Cyber Warfare and Cyber Doctrine coming from the US, we see a very 'red-blooded American' attitude seeping through, and quite frankly that's not helping matters.
I'm generally a big fan of 're-using' existing laws and policies when they apply well enough to Cyber, but Davidson demonstrates a lack of true understanding of the situation. It is possible that her testimony was misunderstood or misquoted by the person who wrote the testimony excerpt, but nevertheless I would like to address a few key issues I have with the testimony.
"We are in a conflict - some would say a war. Let's call it what it is."
In the very first segment of the testimony, Davidson asserts a number of things that are simply incorrect. The title of the paragraph is a clear giveaway, and sets the tone for the rest of the testimony. Davidson observes that the US is under constant attack in cyberspace, and that this amounts to war.
What she does here is lump together all the cyber attacks that are recorded, and make it seem like this is all part of one big cyber war. But this is not the case. I would argue that 80% (if not more) of these attacks are merely ill-advised scriptkiddie attacks, maybe not even really aimed at government resources specifically.
This is so common that many security people have come to call these attacks 'internet white noise'. The remainder of the attacks might be more targeted, but their origins are at least as diverse as of the earlier 80%. They are perpetrated by cyber criminals, stalkers, curious college students putting their class material into practice, security pentesters who overstep their bounds, bored high school drop-outs, disgruntled administrators and many more potential attackers.
You just don't know. You can't know. There are just too many attacks from too many sources to make it feasible to chase every one of them to find out. To lump all these attacks together and paint them as a constant barrage by one enemy is not just incorrect, its also dangerous and foolish. If anything, you're not in one conflict, you're in thousands.
Even if you consider all these attacks by all these different enemies conflicts, which implicates that there is some underlying plan or strategy to said attacks, its still a big leap in logic to call it a War. America's habit of declaring war on abstract notions (the War on Drugs, War on Terror et cetera) may sometimes be necessary to get people to act, but in case of Cyberspace it just doesn't work. The Internet is everywhere and, considering the earlier clarification on the attacks, you're attacked by thousands of enemies.
What are they going to call it? "The War Against Everyone"? Actually, given the tone of the testimony I should probably refrain from giving Davidson any ideas. It is exactly this attitude that gives credence to people who claim that the war drums are being beaten unnecessarily to militarize the Internet and to reduce the rights and freedoms of netizens.
Language matters. Talk of war incites thoughts of war, and it should be used sparingly.
Given the diversity of potentially hostile entities building cadres of cyberwarriors, probing our systems including our defense systems for weaknesses, infiltrating U.S. government networks and making similar attempts against American businesses and critical industries, is there any other conclusion to be reached? Whatever term we use, there are three obvious outgrowths from the above statement. One is that you do can’t win a "conflict" – or war if you don’t admit you are in one. The second is that nobody wins on defense. And the third is that we need a doctrine for how we intercede in cyberspace that covers both offense and defense and maps to existing legal and societal principles in the offline world.
Emphasis is mine. As previously stated, there are a multitude of conclusions you could draw from what is happening on your networks. The three points mentioned thereafter make even less sense, because she speaks about 'winning' the 'war'. But what does that mean?
The Monroe Doctrine referred to Military/Political consequences to Military/Political interference by foreign nations on US soil. Or rather the entire Western Hemisphere but I digress. I mention this with emphasis because the Internet and/or Cyberspace is a different animal altogether. The majority of the cyber equivalent of 'US soil' isn't actually 'US soil', but is actually owned and operated completely and totally by third parties.
To further complicate matters, a large portion of that is owned and operated by third parties who are distinctly not American such as foreign-owned corporations. Imposing a Cyber Monroe Doctrine would effectively militarize the entire US portion of cyberspace. That is, if they can ever decide on what parts of that cyberspace they could and could not call American. Davidson acknowledges this problem with the use of the term 'turf' but fails to grasp the severity of the problems it causes with her theory.
So that covers the underlying theory by Mary Ann Davidson, but the three 'outgrowths' don't even make sense on their own. "You can't win a war if you don't admit that you're in one." Aside from the whole War statement...I mean...Really? This is a complete non-sequitur if you ask me.
You could argue the exact reverse and it would be equally true (or untrue, of course). I might be piling on here, but someone should probably have told the US Senate this before the Vietnam war, which the US never formally admitted as being a War. Had they used Davidson's logic, they would have known this was a war they could not win.
"The second is that nobody wins on defense." This is another argument that doesn't stand up to closer scrutiny. The Monroe Doctrine revolved mostly around defense. It was enacted to work as a deterrent to protect (not project) US interests in the Western Hemisphere.
So what does Davidson envision with this statement? It seems to me that she's calling for offensive cyber operations, which is something that isn't covered by the Monroe Doctrine. Monroe wanted to defend his Home, while Davidson seems to want to cross the pond and kick some butt. She's calling for a Sword to match the Shield, but doesn't take into account that they are two entirely separate entities with entirely different properties, capabilities and logistics.
"And the third is that we need a doctrine for how we intercede in cyberspace that covers both offense and defense and maps to existing legal and societal principles in the offline world."
So if I read this correctly, Davidson argues the US needs a doctrine because....well, because! This last argument isn't actually an argument. Its a possible answer to her first two statements and probably only included because she needed a third argument. Three arguments makes it sound nice and official.
And why would the US need one doctrine to cover everything? It has been my understanding that the US Government has published various doctrinal documents that cover a variety of issues, such as the International Strategy for Cyberspace. The US Department of Defense has also published a number of documents on Cyberspace over the last few years, and these map to a number of existing legal and societal principles in the offline world. These can be easily found online.
So is Mary Ann Davidson correct in her assertion that the Monroe Doctrine would be a handy fit in Cyberspace? To be honest, I don't know. Im not a politician and im not a military strategist. But her arguments are flawed and they didn't sway me. Im usually a big fan of a common-sense approach to Cyber-anything, and in most cases we can apply existing legal and societal frameworks just fine.
But in this particular case we simply cannot forget that the US already has an potentially undue influence over the proper functioning of the Internet, and any kind of overly aggressive stance will foster more animosity between the US and the rest of the world. The Internet is, and should remain, an active demonstration of global cooperation. We would all be better off if we strived to make things safer for everyone.
About the author: Don Eijndhoven has a BA in Informatics (System & Network Engineering) with a Minor in Information Security from the Hogeschool van Amsterdam, The Netherlands. Among a long list of professional certifications he obtained are the titles CISSP, Certified Ethical Hacker, MCITPro and MCSE. He has over a decade of professional experience in designing and securing IT infrastructures. He is the CEO of Argent Consulting and often works as a management consultant or Infrastructure/Security architect. In his spare time he is a public speaker, works as a Project Manager for CSFI and acts as its Director of Educational Affairs in the EU region. He also blogs for several tech-focused websites about the state of Cyber Security and is a founding member of Netherlands Cyber Doctrine Institute (NCDI), a Dutch foundation that aims to support the Dutch Ministry of Defense in writing proper Cyber Doctrine.
Cross-posted from ArgentConsulting.nl