Here’s something that passes for “news” that I submit even though it is repeated almost daily we could have read it any day in the last decade: Cyber networks are insecure, the Russians – Chinese, French, Israelis, Iranians – are coming, and, here’s the punch line, we have to spend more!
First of all, let me say that I’m not questioning the “threat.” When DNI James Clapper says, as he did in his January 31 testimony before the Senate Intelligence Committee that China and Russia and even an increasingly aggressive Iran are improving their cyber capabilities and increasingly penetrating U.S. networks, I believe the intelligence.
“Iran’s intelligence operations against the United States, including cyber capabilities, have dramatically increased in recent years in depth and complexity,” Clappers said.
But point one, and Clapper said it, this is spying. And as spying, we should remind ourselves that the United States has the most extensive – and I would say most capable – cyber intelligence capability in the world; and the U.S. is itself “increasingly aggressive” in its efforts to penetrate, manipulate, and even figure out how to electronically disable foreign networks.
Hence the creation of the U.S. Cyber Command lodged at the NSA in 2009. Hence a provision of the fiscal 2012 national defense authorization act authorizes the military to conduct offensive cyberspace operations subject to the same provisions of the law of armed conflict. That would be the principles of military necessity, proportionality, and discrimination.
So not only do we live in a glass house, but if we want to continue to call it war, that is, an act of aggression justifying military response, war is what we’ll get.
If it is intelligence operations, on the other hand, and is thus a tacitly recognized international activity with its own conventions, then we should stop acting both surprised and indignant.
Which brings us to the mega-business of cyber security, whether it is the home purveyors of personal computer firewalls and malware detection and removal; or the multi-billion dollar federal efforts (a veritable hidden Platinum Valley for the contractors) to achieve what appears to be the impossible: securing American networks.
Anyone hear the anthem of the war on drugs or airport security playing in the background? It is a never-ending, never enough gift that keeps on giving. Failure to produce the result will be rewarded: It always is.
There are a number of inter-locking reasons why the cyber threat has been very very good to defense industry and the threat mongers:
– Everything is moving to public networks whether on land or in the cloud, from the mundane of billing to drone killings and even nuclear weapons command and control. Networked data grows at rates that can’t even be quantified. Net vulnerabilities – here I mean the number remaining after a deduction taking into consideration growth — may or may not be increasing. No one seems to know and no one seems to have an incentive to counsel calm.
– There is a double dis-incentive to actually locking down cyber communications: intelligence and commerce. On the intelligence side, secure networks impede spying, destroyed networks eliminate sources of information. Hence the tensions that do exist in the classified world, for instance, between the existences of thousands of radical Islamic websites which the intelligence agencies monitor but logic might tell you should just be destroyed. It is a perpetual conundrum. Which leaves commerce, not just the business of supporting the pro-longed war against terrorism, but also the riches available in the private sector’s protection; the cyber threat is a Godsend.
At what point does all of this morph into an act of war? At what point will we wake up some morning to the news that some digital Gary Francis Powers has been shot down inside Russia?
If my answer is “soon,” then I’m just falling for the same B.S. and have to remind myself that this same question was being asked a decade or longer ago. And just like the WMD “threat,” I need to remind myself that there is a subtle devil’s alliance between those who truly believe that the threat is out there and hostile and demands (military) response and those who equally build up the threat in their efforts to agitate for non-military solutions but just end up inadvertently affirming the existence and importance of the threat, thus creating an environment that seems to affirm military action.
So there might be some cyber incident soon, but given that there are all sorts of incidents – penetrations, spies getting caught, screw-ups — all the time, I guess I’ll say, well that’s what happens when you play with fire; big deal.
What I can’t say is that this will all sort itself out. There are subtle short-term developments afoot and long term implications that demand greater brain power and less throwing of money. For those who don’t follow this too closely, we’ve seen just in the past two weeks bold announcements by the Secretary of Defense that cyber threats are his main worry and that security won’t be short-changed in budget reductions; arguments over whether all of this should be a Pentagon or Department of Homeland Security responsibility; the FBI calling for more control; a scuffle over whether the government should take control of protection of private networks such as the electrical grid. Meanwhile, NASA’s network isn’t secure, its IG says; DARPA will provide increased funding for offensive cyber warfare research.
“In the not too distant future we anticipate that the cyber threat will pose the number one threat to our country,” FBI director Robert Mueller told delegates at the RSA 2012 conference in San Francisco last week. “We need to take lessons learned from terrorism and apply them to cybercrime.”
Some wag observed long ago that the information security schnorers reminded them of the three stooges 1936 “Ants in the Pantry” episode. There, employees of the Lightning Exterminating Co., they were directed to drum up business. They did nicely, releasing ants and mice and snakes at a fancy party and then arriving to save the day. They were so entertaining and effective, they ended up being invited to the Fox Hunt!
So beware the warnings of those who profit from the threat. More important though, wording is really essential to get right, and my hats off to Clapper for calling it spying, but then he’s the Director of National Intelligence and that’s his portfolio. So I couldn’t help notice that Leon Panetta minces no words in calling it attacks: “We are literally getting hundreds or thousands of attacks every day that try to exploit information in various [U.S.] agencies or departments,” he told an audience at the McConnell Center at the University of Louisville.
Does it make a difference which it is? Hell yes, and the promiscuous wordings and flabby rhetoric of top government officials aren’t helping. When the DNI yells spying, the Secretary of Defense yells attack, the FBI head yells crime, and the Department of Homeland Security yells help, the debate is more than just whether Certs is a breath mint or a candy mint. This is the true sign of an ongoing and unresolved government food fight.
Meanwhile, while the heads of intelligence and defense are braying loudly about cyber security, the Federal Chief Information Officer Steven VanRoekel, while speaking at a February 24 conference, announced that security was one of the Obama Administration’s top five priorities! Top five? What the hell could the other four be?