We are under attack.
The cybersecurity challenge today has moved past merely presenting a grave national security threat; it now stands at the precipice of disaster. The Nation is presently in a modern equivalent of the Cold War, except that rather than two Superpowers daring each other toward a global apocalypse, today all of Western society is suffering death by a thousand cuts from stealthy Internet saboteurs. The West, and particularly the United States, is having its wealth sliced away. The enemies are many, but the root cause is our inability to fashion an Internet-era defense strategy that is responsive to an asymmetric threat.
For some time now, we have known about cybercrime, hacktivists, state actors in cyberspace, and a variety of other attackers. The news has informed us about Advanced Persistent Threat (APT), Stuxnet, Flame, Duqu, Gauss and other malware and the tremendous risk they pose to national security. Yet, despite headlines and alarms of increasingly dire threats, it has been largely business as usual online. That is, the Government warns of an impending disaster; businesses deal with threats as best they can, rarely sharing information about incidents; Congress cannot agree on any legislation for cybersecurity… And, online criminals, state actors, and hacktivists continue their assaults on the West with near-impunity.
Today, however, a change seems to be afoot. It may be that attention is being drawn by the sheer accumulation of instances demonstrating that America is under attack from all corners. For example, we have recently learned of the persistent attack on key institutions and industries of America. Banking industry leaders have been under DDoS attack for some time. The Financial Services Information Sharing and Analysis Center (FS-ISAC) just raised its Cyber Threat Level from Elevated to High. The oil and gas industry has similarly been under persistent attack. Utilities are being targeted for attack. Telecommunications, defense contractors, the aerospace industry, the nuclear industry: the list of targets continues to spiral. The difference from the Cold War era is that today the target is often commercial. That’s an important distinction. Today, Corporate America is on the front lines in this war. Perhaps the breadth and depth of these attacks on so many sectors, particularly Wall Street, is raising alarms.
The other catalyst that seems to be creating greater awareness and vigilance is the emergence of Iran’s cyberwar intentions and capabilities. The Quds Force, according to some accounts, is actively targeting the United States. A strategy of attacking the United States through cyberspace may be an asymmetric response to the ongoing killings of Iranian nuclear scientists and sabotage of Iran’s power infrastructure. And, of course, the Administration has acknowledged executing the Stuxnet attack on Iran. If the Iran connection is the source of increased cybersecurity vigilance in this country, that would make sense. A threat from a country of maniacal leadership like Iran, especially a determined attack on Wall Street and key American industries, is indeed a new dynamic in the national security picture. This would truly put American industry on the front lines.
The drumbeat gets louder.
In response to these attacks on America’s industrial strength, many are now saying, in a more public way than ever before, that the times call for the government to unleash the private sector to track, identify, and neutralize this virulent threat. “Proactive defense”, “offensive operations”, “cyber-militia” … These are the phrases we have started to hear. It’s a call for a Cyber-Blackwater force.
It is apparent that the catalyst for change is upon us. A new strategy to address the asymmetric threat is needed. Yet this challenge involves the Internet, an interconnection of technology and society that remains in relative infancy. How we proceed in designing a suitable counter-strategy to the asymmetric threat carries monumental importance. Will a readiness and distributed situational awareness strategy emerge? Will centralized government control ensue that threatens civil liberties and forces high costs upon users and businesses? Or will the Wild West approach continue, yielding an age of online vigilantism and instability that could undermine online trust?
Dealing with change.
Malcolm Gladwell, in The Tipping Point, wrote about the dynamics of human events when an idea passes a threshold and change sweeps in. Thomas Kuhn, in The Structure of Scientific Revolutions, wrote of the acceptance of new principles that leads to a new disciplinary construct, a new paradigm. And the concept of “creative destruction”, a term first coined by Joseph Schumpeter in “Capitalism, Socialism and Democracy”, posits that economic or technological advances bring about a new economic order. Creative destruction has also been used in the context of “disruptive technology” and of bringing about market and human behavioral changes.
These descriptions of revolutionary change are apt for the present predicament in cyberspace. Critical mass regarding the new threat is indeed upon us. It is a threat that causes disruption and harm to America. Though cyberspace carries a virtual connotation, harm occurs at a physical location. Business is disrupted at the business center, critical infrastructure suffers damage or loss of integrity in a community somewhere, and loss of intellectual capital harms a business and extends into the community in the form of lost jobs and lost wealth. In short, communities are harmed by cyberattacks. Why then doesn’t the national strategy focus inward toward protection, resilience, and improved cyber-readiness? Why is there no cyber-emergency preparedness capability in every community in the country? Have we not learned the lessons of the asymmetric adversary that were documented in the 9/11 Commission Report?
As presently configured, the national security institutions of the U.S. government are still the institutions constructed to win the Cold War. The United States confronts a very different world today. Instead of facing a few very dangerous adversaries, the United States confronts a number of less visible challenges that surpass the boundaries of traditional nation-states and call for quick, imaginative, and agile responses.
* * *
We recommend significant changes in the organization of the government. We know that the quality of the people is more important than the quality of the wiring diagrams.
* * *
The importance of integrated, all-source analysis cannot be overstated. Without it, it is not possible to "connect the dots." No one component holds all the relevant information.
* * *
We propose that information be shared horizontally, across new networks that transcend individual agencies.
The approach the Nation takes in response to this critical threat landscape must start with internal resilience. Situational awareness must be improved at local levels so that the level of cyber-hygiene rises, at least enough to withstand simple attacks. Beyond that, local capability centers must be integrated within a national framework. Intelligence must flow in all directions. With greater intelligence, modeling, simulation, and other decision aids can be fashioned to enable a more predictive and ready posture. But this framework must be deployed and integrated across the Nation’s footprint. These cannot be stand-alone community preparedness initiatives. And to foster trust and collaboration between government and industry, the capability center may need to be a nonprofit, functioning as a clearinghouse that filters sensitive information that cannot be shared while also sharing all that can be shared.
The Wild West could get wilder.
A Cyber-Blackwater model may also have a place in a new strategy, as some are urging. However, the first step in the national model has to be protection, out of necessity. Moreover, once the local capability center is operational, it may provide the perfect synergistic environment for other operations.
Additionally, the offensive approach is not without significant risk. Licensing “digital bondsmen” opens a Pandora’s box. While the US might implement a controlled approach, the rest of the world would not see the controls. They would see official approval for vigilantism. In turn, a global free-for-all would ensue. The US would suffer the most in such an environment.
An offensive approach cannot become THE national strategy to combat and deter the current proliferation of hacking and attacks. If it is a suitable component, it must be complementary to a resilience strategy that starts with defending communities in the homeland. We must focus first on where the harm from an attack will be felt: in the community.
Where do we go from here?
A cybersecurity Executive Order is reportedly due out soon. It will endeavor to involve critical infrastructure in a methodology to improve security processes. This approach would begin to touch communities: local utilities, gas pipelines, telecommunications, and others. This presents an opportunity to implement, in parallel, mechanisms in local communities to execute the strategy. Many such community cybersecurity initiatives already exist: Western Cyber Exchange, CyberCityUSA, Cyber Huntsville, and others.
The Nation needs to recognize that entire communities are at risk. When we show concern for hacking brigades in Iran, China, Russia, and other locations (including terrorists and organized crime), and further point to the risk to critical infrastructure, the next logical step needs to occur: critical infrastructure resides in a community. Cybersecurity has become an emergency preparedness issue! Where’s the community cybersecurity capability?
Doug DePeppe is a cybersecurity attorney and consultant with i2 Information Security. He is a Cofounder of the Western Cyber Exchange.