The Marshall Institute hosted a panel discussion Tuesday afternoon addressing the role of government in private sector cybersecurity. The panelists were Dan Gallington, Senior Policy & Program Advisor at the Marshall Institute; Dr. Lani Kass, CEO of Drywit LLC; and Dmitri Alperovitch, President of Asymmetric Cyber Operations LLC. The discussion was moderated by Dr. John Sheldon, Professor at the School of Advanced Air and Space Studies, Air University, Maxwell AFB.
Sheldon provided some context before the discussion began, observing that 85-90% of the cyber structure used is held in private hands; that cyberattacks (or the reporting of them) are on the rise; and that the federal government is carefully evaluating its role in protecting in cybersecurity, with proposals from the White House and various legislators under consideration in Congress.
Gallington spoke first, and started off by noting that “cybersecurity” encompasses many subjects and thus any discussion of it needs to clarify the precise topic at issue. For the purposes of his talk he focused on defense. An interesting point he raised was the dichotomy between how China and Middle Eastern countries are focused on content-based defense (i.e., stemming anti-government rhetoric and other “inflammatory” material) whereas the United States is focused on technical defense (i.e., anticipating and mitigating threats to critical networks, infrastructure, etc.). He suggested the experience with CALEA is evidence that indirect government control or regulation does not ensure implementation of what he called “cyber requirements,” presumably referencing cybersecurity standards and other measures.
These factors, along with our reliance on the massive privately held cyber infrastructure and the fact that this infrastructure was not designed with 21st century threats in mind, have resulted in our adversaries having “huge cyber leverages” over the US. As part of this conclusion he notes how the US stands alone as far as having some semblance of privacy – whereas in most other countries when you pick up the phone you know that that state’s intelligence authorities are listening in, the US has many laws on the books to make this task relatively difficult. This is a virtue, but it also presents challenges in how the US responds to the myriad threats it faces.
Responding to the concern that the US could be subjected to a “Cyber-9/11” or “Digital Pearl Harbor,” Gallington asserted that although the US is vulnerable to “shutdown attacks,” US systems represent too much of a “fat” or valuable target for such an attack – collectively they are a golden goose that is worth more alive than dead. Gallington’s theme seemed to be that the US is living in the past, between the stovepipe treatment of cyber, in terms of both technical aspects (offense / defense / counterattacks) and bureaucracy (law enforcement / national security agencies / other federal agencies), and a general lack of experience and knowledge in all things cyber in positions of power.
As an example of the right approach to cyber, Gallington recommended the DHS Privacy Impact Statement that was published earlier this year. I’m working on finding the precise document to which he was referring, and will update this post when I have.
Dr. Kass spoke next, and began by recalling how she was asked by the US Air Force in late 2006 to help define cyber. She then gave the definition of cyber as an “operational domain characterized by the use of electronics and the electronic spectrum to create, store, modify, and exchange information via networked and interconnected information systems and telematic infrastructures.” Kass said the law of armed conflict (LOAC) should apply in cyberspace as it does in other domains, but noted that we have yet to develop rules of the road for this domain, and that the law lags behind technology.
She gave a strong statement about the importance of cyberspace as a domain, claiming “if you lose the domain, you lose the war.” Kass went on to note how cyberspace is the US’s center of gravity, and its Achilles’ heel. The opposition knows this, she continued, and knows that the US is uniquely vulnerable in this regard.
Another key distinction in cyber is that the damage one inflicts is disproportionate to one’s level of investment – that is to say, given the asymmetries of cyber conflict and the relatively low entry costs, it is easy for the proverbial David to slay Goliath. She called the photon (or electron) the ultimate “precision guided munition,” observing that an adversary need not match the US jet for jet or tank to tank to engage us. In fact, she noted, cyber tools are the “ultimate bargain hunters’ way” of destroying the West.
Kass continued on this path, declaring that the first battle of any war is the battle for control of air, space, and cyber space, and that freedom of action in those domains is absolutely crucial. Victory can only be achieved, she noted in conclusion, through control of the electromagnetic spectrum.
Finally, Dmitri Alperovitch took to the podium. He began by discussing major cyber breaches, with targets including governments (Japanese Parliament as a recent example), private sector (Sony, Epsilon), and military (US DoD). He briefly discussed his work in uncovering major cyberespionage operations this year. This is only the tip of the iceberg, he cautioned. To make his point clearer, he suggested that there are two types of companies in the Fortune 1000 – those who know they’ve been compromised and those that do not. The threat is that pervasive, he observed, and cyber is an “indefensible domain.”
He disagreed with characterizations of a “Cyber-9/11” or “Cyber Pearl Harbor,” saying the reality is more akin to “death by a thousand cuts.” He described this as an unprecedented transfer of wealth from the US to China, and de facto pillaging. Alperovitch challenged the claim that attribution is an insurmountable obstacle, and while admitting that challenges do exist, asserted that it can be done.
As far as solutions or remedies for this rampant theft, he suggested we need to develop a deterrent value to block attacks. We must explore all types of influence to halt Russia and China’s efforts in this area. To do so, he continued, we need to figure out what they care about. Alperovitch concurred with Gallington that those countries are concerned with regime preservation and the ever-vexing “Facebook rumors” web content. Instigating these types of rumors might be one avenue for response, along with trade sanctions and WTO measures.
Upon Alperovitch’s conclusion, a fairly robust Q&A session began. The first topic up for consideration was the role of government in protecting “dot com” domains. According to Sheldon, DHS is responsible for “dot gov,” DoD for “dot mil,” and “dot com” sites are left to fend for themselves. This jibes with remarks made by Secretary Lynn back in 2009. One panelist claimed DHS has the authority to protect “dot com,” while the rest of the panel disagreed. My cursory review of the Homeland seems to support the panel’s conclusion that DHS is not vested with any authority to protect commercial networks, though I’d welcome any comments that can clarify this matter.
Another area briefly considered was the liability of companies for data breaches. Alperovitch seemed amenable to the idea, though he indicated liability ought to depend on who the attacker is. He suggested if a company’s system is penetrated by a 14-year-old living in his mom’s basement, the robustness of that network is questionable and that company should probably be on the hook. Alternatively, if the network is instead penetrated by a nation state with vast cyber capabilities, that company doesn’t really stand a chance of defending against such an attack. The only remedy, he joked, was not to have anything worth stealing.
With that, the panel concluded. In all it was a valuable discussion and the Marshall Institute should be commended for placing these issues up for debate in the public sphere. I highly recommend attending future events if you’re in the DC area. You can find out more about them at the Institute’s website, http://www.marshall.org.