US Cybersecurity Woes

While cybersecurity is becoming more popular in the discussion over US national security, real changes have yet to be made to effectively protect against and prevent external cyberthreats, Jody Ray Bennett writes for ISN Security Watch.

In an era of information technology ubiquity, cyberwarfare and cybersecurity have become inevitable components of the changing nature of combat. It is indeed one of the newest fronts to engage the nation-state both as a threat and defense against real and developing adversaries.

The battlefield takes place on a virtual network and anyone with internet access - from guerilla to government - can fight. In this context, the political economy of cyberwarfare dictates that there is some degree of equality between opponents. To speculate, the combat advantage in cyberwarfare might ultimately be decided by whoever obtains and effectively utilizes superior technologies. Since its post-WWII position, the political and military establishment in the US has subscribed to such logic in terms of physical warfare. In cyberspace, however, it has been relatively slow or simply unprepared to effectively respond to vulnerabilities to its national security.

In 1999, two Chinese colonels of the People’s Liberation Army wrote Warfare beyond Bounds, a 228-page analysis of the transformation of modern warfare. More specifically, the book critiques how the US military apparatus has conducted battle in the past and suggests various means of exploiting the weaknesses of a “technologically superior opponent” that “views revolution in military thought solely in terms of technology.”

Of several areas that could potentially be exploited, “information warfare” is mentioned as a “semi-warfare, quasi-warfare, and sub-warfare, […] the embryonic form of another kind of warfare.” The book states that network attacks and infiltration are more cost and labor efficient in comparison to traditional means of warfare, potentially having the ability to affect not only electronic government systems, but utility grids, bank transfers and civilian communications. In the same year the book was published, NATO computers were attacked during the Kosovo conflict, and after the Chinese Embassy in Belgrade had been bombed, it was reported that Chinese hackers posted threats such as ‘We won't stop attacking until the war stops!’ on US government sites.

While the US military refers to cyber- and information warfare as specifically dealing with the online exploitation of critical military and state infrastructure assets, it is distinguished from what senior analysts at NATO have dubbed “iWar,” which consists of “attacks carried out over the internet that target the consumer internet infrastructure.” The definition explains, “While nation states can engage in ‘cyber’ and ‘informationalized’ warfare, iWar can be waged by individuals, corporations, and communities.”

Essentially, this type of warfare comes in the form of distributed denial-of-service (DDoS) attacks, which “clog up” network access and often make vital websites and other data inaccessible. The cyberattacks on Estonia in May 2007 and Georgia and Azerbaijan in the 2008 South Ossetia conflict are often used as examples of cyberwarfare posing serious threats to both state and commercial institutions.

Challenges for the US

On 10 March, Mary Davidson, chief security officer at software company Oracle, explained during a congressional hearing that, “[The Department of Defense] continues to invest in network centric operations, which is all about getting the right information to the right warrior at the right time in the right battlespace […] Therefore, the network is the battlefield because the network is what our enemies will attack if they want to deny us the ability to use our own technology.”

In February 2008, then-director of national intelligence J Michael McConnell told the US Senate that “Our information infrastructure - including the internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries - increasingly is being targeted for exploitation and potentially for disruption or destruction, by a growing array of state and non-state adversaries.”

The Chinese government has been accused of orchestrating the latest attacks on US government and military networks, reportedly the “single biggest military and intelligence threat the U.S. faces.” The perception of an emergency has paved the way for many former and current top US officials to analyze and critique the way the US government handles cyberattacks from external sources. According to a recent essay by a senior advisor to the director of national intelligence, the US is currently in a cybersecurity crisis.

To combat the number of cyberattacks from abroad, a new office called the National Cybersecurity Center (NCSC) under the Department of Homeland Security (DHS) was formed by the Bush Administration with a vague mandate to “[protect] the U.S. Government’s communications networks […] to monitor, collect and share information on systems belonging to NSA, FBI, DoD, and DHS.”

The DHS chose Rod Beckstrom, a management theorist and successful entrepreneur who advocates the power of decentralized organizations, to head the new office. After serving almost a year, Beckstrom complained that the NCSC had been appropriated only five weeks' worth of funding for the entire year, and while the office did manage to provide some critical services for the US government, the NSA was simply uncooperative in efforts to prevent or respond to cyberattacks. The large, centralized bureaucratic behavior of the NSA confirmed Beckstrom’s thesis, which ultimately drove him to resign from the NCSC on 13 March.

It had long been reported that the Bush administration’s draft for a US$17 billion cybersecurity initiative contained more spending for domestic spying than actually preventing and protecting US government networks. The highly classified proposal that outlined the administration’s desire to become the “firewall for all Americans on the net” caused further alarm for those in the IT security community.

Three days before Beckstrom’s resignation, the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology held a hearing in which experts warned lawmakers that “The Department of Homeland Security is not up to the task of protecting the nation's cybersecurity, and a comprehensive, coordinated strategy for cybersecurity should instead be run out of the White House.”

Mary Davidson suggested to lawmakers that, “Congress should consider developing a 21st century application of the [1823] Monroe Doctrine [which] said that further efforts by European governments to interfere with states in the Americas – the Western [H]emisphere – would be viewed by the US as acts of aggression and the US would intervene.”

In a summation that bridged the worlds of cybersecurity and foreign policy together, Davidson concluded that, “The advantages of invoking a Monroe-like Doctrine in cyberspace would be to put the world on notice that the US has cyber “turf,” (properly scoped – we should not claim all cyberspace as our turf – there is plenty to go around). And the second is that we will defend our turf. We need to do both. Now.”

Cyberchange We Can All Believe In?

In his first term’s budget proposal for cybersecurity, the Obama administration stated that “The threat to federal information technology networks is real, serious and growing.” So far, President Barack Obama has pledged to allocate “$355 million to support the base operations of the National Cyber Security Division and the efforts of the Comprehensive National Cybersecurity Initiative [to] secure the nation's public and private information networks.” Just over a month ago, however, Obama appointed Melissa Hathaway, a high-ranking cyber security adviser to the Bush administration, to conduct the ongoing review of the US government cybersecurity policies and strategies.

It is not clear who Obama will appoint to spearhead any sort of renovation to America’s cybersecurity infrastructure; nor is it clear that the administration will take the issue any more seriously than its shameful predecessors. Obama must be careful to continue digging Bush’s old tunnels in the same direction.

If the threat of cyberwarfare and cybersecurity is not taken seriously, it will reveal yet another instance of the US political and military establishment’s inability to adapt to the changing nature of combat fast enough for effective responses. Indeed, as a senior official of the National Criminal Intelligence Service recently stated, “Strategists must be aware that part of every political and military conflict will take place on the internet, whose ubiquitous and unpredictable characteristics mean that the battles fought there can be just as important, if not more so, than events taking place on the ground.”
