Hacking the Next War
CHRIS C. DEMCHAK
Today we live in a world linked by “cyberspace”, a word created in the 1980s but only ten years in common use. It stands for the completely man-made substrate we all share intimately on our smart phones, tablets and desktops, and that pervades the operations of banks, airlines, electrical grids and even manufacturing plants. It stretches under and into all the relatively instantaneous (and profitable) communication, cooperation and coordination that sustain our modern quality of life. So much modern wealth now relies on cyberspace that, increasingly, groups and nations are beginning to fight in it and over it as well.
A new variant of warfare has emerged through cyberspace, one that is formally undeclared, long-term and widely variable in its tempo and day-to-day effects. Who wins, loses or merely stays the course will be determined more by the effectiveness of the means of disruption and resilience of critical national systems than by the outright “kinetic” destruction of discrete targets by military forces.
This environment advantages those who have best prepared their systems to gain surreptitious control of everything from access points to knowledge stocks, to economic or other resource flows in their opponents’ critical civilian and military systems, while simultaneously denying the same control to their known or unknown adversaries. This form of human struggle is “cybered conflict”, meaning the struggles inside cyber systems that routinely spill out of deeply embedded, globally connected networks to harm the rest of the society.
Cybered threats are now so penetrating of heretofore well-defined and defended borders and strategic buffers (such as oceans) that we may have to look far back through history—well past the Peace of Westphalia—to the highly uncertain times of vulnerable ancient or medieval city-states to find appropriate analogies for what we face today.
Globalization and cyberspace are deeply intertwined. Cybered conflict has emerged in large part because successive waves of globalization gradually transformed classic independent, territorially buffered, autarkic states into openness-dependent, wealth-obsessed and war-averse digitized democratic commercial trading states.
Nations from the European Union to South America to the democratic Asian tigers act more like the city-states of long past than early modern autarkic states capable of going to war to defend their interests. Their political leaders focus on facilitating aggressive trading benefits and forging international rules of exchange, not on preparing for destructive conflicts. Since World War II, they have built, institutionalized and lived by openness—to global commerce, finance and knowledge flows. These states now internally and legally enforce shared, relatively compatible rules on their subordinate groups and citizens. Even when international members violate the rules, no one threatens war to recoup material damages. Globalization has domesticated, as well as made more porous, the warring nation-state into a relatively defanged modern city-state dependent on the civil behaviors of other states and their citizens in the international system.
In this relatively stable, economics-led international system, these modern, usually democratic trading states followed the lead of the United States to deeply embrace its internet within their own critical national economic systems. As the web extended across the globe, it traveled along economic paths to gain enormous value widely seen at first to be unrelated to conflicts or militaries. With the rise of the global web during the mid-1990s, it seemed natural to cyber-prophets, e-commerce promoters and the intellectual elite of the international trading states that trading states would use the new technology to simply enhance wealth without incurring national conflicts, and that new participants would automatically adapt to established rules of the road. These rules supported social trust, the security of property and the primacy of states as the ultimate arbiters of differences between parties. The rules were taken as so immutable that the largely ungoverned cyberspace communications were not seen as a threat to the international system of stable economic exchanges. In a 1996 “Declaration of Independence of Cyberspace”, an anonymous author (later revealed to be John Perry Barlow) suggested that cyberspace was somehow a new human/machine space beyond any government’s control and hence immune from the social corruptions that had led to crime and war in the past.
What was forgotten, however, is that where great value in goods, knowledge and funds flows without societal protection, so grows great potential for conflict, even in cyberspace. The new globally open, deeply digitized traders, epitomized by the post-politics EU elite, did not deny that many states did not fit, or did not yet fit, the description of a post-nationalist, debellicized trading state. Rather, what mattered was that the center of the international order was increasingly composed of such creative, wealthy, powerful actors that the disruptive or corrupt laggards and reprobates were contained in the relatively feckless periphery.
This periphery could stage occasionally spectacular acts of protest against the center, such as 9/11, but it could not muster an existential threat to it. What this thinking neglected, of course, is that this periphery, in its state and non-state incarnations, could master the new “atmosphere” of cyberspace on the cheap, in mass scale and around the clock where the international trading rules did not work.
This mastery is growing exponentially now. The modernized democratic trading states now find themselves with massively undermined geographic borders, and their stable, law-abiding economic and social systems now face uncertainties unimaginable just thirty years ago. The relatively organized and civil landscape of independent states has become more like a surprise-prone medieval muddle. Like-minded civil and peaceful trading societies are now deeply penetrable by masses of uncontrolled predatory “bad actors” operating from semi-governed or autocratic regions (“badlands”), able to inflict harm at the deepest levels of digital societies. The world’s major trading states have been caught off-guard by the free-for-all, frontier nature of cyberspace. They have not prepared their societies, strategies or home institutions, much less their heretofore well-ordered international economic system, for the emerging diversity, frequency and scale of threats from a globally shared open web.
The fundamental misperception was that nothing in the initial design of the cyberspace substrate actually intrinsically forces adherence to any of the civil society rules fashioned by the dominant trading states. The basic stabilizing layer of the original internet, now extended around the globe, is profoundly insecure. Core commands at the heart of key systems are open to anyone who can winnow in to access them; they require no external vetting process to be changed. The basic network structures and software designs built to ensure the reliability of email delivery and data exchanges do not secure the contents nor ensure resilience of the overall systems linking critical societal functions. Control-program designers did not even consider who might want to deliberately harm their huge critical system machines or distort the software when they hardwired simple passwords now obtainable over the internet.
Today national leaders realize that their naive city-state trust in the internet is misplaced, and that the basic designs underpinning the web are built on presumptions of good intentions natural to small communities of well-intentioned colleagues but unwise beyond them. The original internet inventors, developers and planners feared only the puzzling surprises normal for complex systems and accidents, not malevolent sabotage. They included passwords, if any, only to keep the poorly trained from making casual mistakes. Developers typically added unprotected networked backdoors to make remote assistance easy. Even simple programs that run many large-scale nuclear power or other manufacturing plants still have simple passwords designed for ease of maintenance.
This situation has already produced unnerving surprises. The Stuxnet malware that disrupted Iranian nuclear plants in 2010 was able to do so largely because it took advantage of the simplicity and trust embedded in basic designs. Indeed, most malicious behavior in cyberspace rests on finding and then accessing deeply hidden but simple code manipulations, or on default or neglected but non-obvious remote access exploits.
The backbone big junctions of the global internet have critical junctures—called border gateway protocol sites, or BGPs—that rely on trust and contracts to send along traffic as intended. Several times in recent years, virtual strangers or unexpectedly distorting software has violated this trust by diverting whole swathes of internet traffic for short periods into such places as China or Pakistan.
Because of the global pervasiveness of cyberspace and the avenues for malicious harm it offers, all serious societal conflicts will now be “cybered” from their outset and in any major state-level struggle significant critical events will occur solely thanks to the availability of underlying cyber mechanisms.
Rule-oriented trading states will find it particularly difficult to recognize or easily prevail in this kind of conflict because their rules of war require identifying opponents, their locations, goals, tools, motivations or propensities to act before, during or even after major cybered events. The globally open web makes this critical distinction between combatant and innocent civilian extremely hard. From persistent proxy warriors-of-state to transnational criminal gangs to opportunistic hacking activists in small groups, conflicts now occur along whatever pathways and actors are enabled by cyberspace.
Across the remarkably level playing field of cyberspace, exploiting or harming remote strangers in the digitized democracies requires only a reliable internet connection to a foreign, open-bordered state and time to roam freely and maliciously at will. The globally open web freely provides the kinds of signals intelligence and cheap tools previously available only to superpowers. The variety of possible malicious actions across a globally open web is staggering, and bad actors need only keep trying until one or another attack succeeds somewhere.
Complicating the problem for law-abiding civil societies is the variety of potential bad actors who could be acting at any given moment. From the single individual, group or state, or a combination of all three, they can be proxy actors for autocratic states such as North Korea, or a dispersed group of malcontents such as “Anonymous.” They can be religious extremists, international criminal gangs, bored but technologically savvy teenagers, or some opportunistic collaborative venture among them all.
They can use the same tools as legitimate users, but they can also access a hidden cybercrime market to find upgrades and like-minded associates. They can insert their logic bombs, engage disruptive access tools or succeed in massive, enfeebling thefts of knowledge for a long time undetected. They can operate sporadically or continuously, remotely burrowing into a wide array of targeted critical systems in government, corporations, infrastructure and even homes.
The result is unprecedented levels of insecurity, but often without the traditional means of response like force or criminal prosecutions. The “noise” of anonymous traffic across the global web is so vast that attackers remain anonymous and victims often do not even realize they are being attacked. In a matter of moments, firms, government agencies and military units can see years of R&D stolen, data altered, or essential operations stalled or stopped by hidden triggers laid months before by malicious applications or through hidden backdoors to the web.
Many governments and companies will not publicly admit that their systems have been breached, and with no shared announcement about a threat, similar attacks go undetected as well.
In some cases, an institution has become so critical to many other systems that security breaches directly result in a cascade of malicious access to a multitude of its partners, as happened in 2010 to Google China and in 2011 to the cyber security firm RSA.
More frequently, security breaches are recognized only after stolen data or products undercut the owner’s markets, income, reputation or even its ability to use its own internal systems or data to recover or trace losses.
A National Strategy for Cyber Power and Protection
Under these circumstances, the modern digital state has much to learn from its city-state forebears about how to protect societal well-being in a world full of such uncertainties. The leaders of 6th-century BCE Athens or medieval Venice prepared their cities for nasty surprises like invaders suddenly appearing at the gates. Yet they also managed to keep their markets and people open to and engaged with the wider world. They built resilience into their daily lives: cisterns for water, granaries for food, and stout gates and walls behind which to take refuge. They learned that resilience could solve most threats, especially if they developed ways to surge their resilience capacities when needed. But they learned that they also needed to disrupt some threats before they arrived at the city gates. Successful leaders developed troops to police their highways and roving navy patrols to ensure that their lifeblood in commerce was not stolen just outside their walls.
We have reasonably good records of these efforts. Athens had its spies, its protected trading “long wall” to the port of Piraeus and its navy; Venice had its mercenary captains, spies and an experienced navy. City-states that did not observe these rules survived only by luck, or not at all. Florence only intermittently observed these rules when under threat. Before the rise of the Medicis and the loss of Florentine democracy, only serendipitous outbreaks of plague removed invading forces on a number of occasions. The key lesson we should take from these ancient and medieval trading states is “resilience always, disruption as needed.” The modern digital trading states need similar strategies to protect their national well-being in a deeply cybered and uncertain world.
The challenge to American leaders is to ensure national well-being by integrating resilience and disruption across national security strategies and institutions. This goal is complicated by current attitudes toward security. We typically think of security in terms of the regulated destruction of adversaries by militaries, with resilience being only a low-level operational concern of single institutions or units. We need instead a strategy of “security resilience” for the nation as a whole.1 The term combines security in its more modern sense of disruption with the ancient city-state’s need for resilience—a quality now in short supply in the digitized nations.
Resilience must be the basis of strategy because the cybered systems on which we now depend are all large, complex and connected to the global web. Even if bad actors do not harm them, large complex critical systems could face routine surprise, some of which will inevitably be cascading and disabling events. In 2006, Hurricane Katrina destroyed infrastructure ranging from electricity to cell phone towers to transport lanes to ATMs. Despite four decades of empirical research on the need to prepare for situations precisely like Katrina, key vulnerabilities remained unredressed.
It is entirely possible to avoid or minimize routine nasty surprises like Katrina if key institutions continuously and collectively develop redundancy in stocks and forms of knowledge. That means routinely practicing inter-organizational collaboration in order to be able to respond quickly and creatively in an emergency, and to learn from mistakes and oversights in order to be prepared for the next disaster, whether from cyberspace or from hurricanes.
Cybered resilience is a critical national security concern today. Bad actors residing anywhere in the world can anonymously strike through cyberspace and start or make much worse any “normal” surprise, like a hurricane or an earthquake, by disrupting key systems at such vulnerable times. Modern trading states already face millions of efforts each day to harm key institutions via cyberspace. Any one of these could constitute the lucky or exceptionally malicious success that produces a major systems failure cascade. Since no nation can respond to every single such assault, only raising the general level of cybered resilience along all critical pathways can prevent major attacks from cascading by accident or intention.
Where premodern city-states had cisterns, granaries and stout palisades, modern trading states will need nationwide programs of cybered resilience. These measures must range from the simple such as detecting, cleaning and protecting individual computers to the more complex task of researching a more secure basic internet technology. Resilience must be built into the security standards required for any commercial cloud of any size or critical system significance. Commercial firms cannot just bolt on layers of new encryptions without repairing the underlying design flaws and abiding by privacy and legal surveillance laws as well.
Furthermore, security means re-establishing strategic buffers in cyberspace in order to provide some breathing space to slow down or deflect the disabling effects of a cybered conflict campaign or accidental cascade. As the older city-state experiences suggest, these digitized buffers must include key points of national regulatory protection that in effect form virtual borders in a cyber Westphalian world to defend critical systems or their connected systems.
Pericles built the long wall to protect Athens’s portal to the sea so that he would have time to decide, with plenty of food and water at hand, whether to do anything but watch from the walls when the attacking Spartans arrived.
All these efforts need to be part of an integrated national resilience strategy. Some efforts are already underway in many states, albeit in a highly fragmented fashion.
From rising state control of ISPs in Europe to a massive reduction of open portals to the global web being undertaken by individual institutions, enterprises and agencies are trying both to deflect incoming threats and to give themselves more time to react to those threats that get through anyway.
Resilience serves to reduce the chances of success by “everyday” sorts of attackers; it works for the mass of opportunistic, low-skilled bad actors in cyberspace. The hacker community, so called, is especially vulnerable to being physically located and arrested, for example. Thus, to the extent that states mutually enact and enforce comprehensive, standardized jurisdictional societal policing of malicious actors, resilience increases among the modernized democratic nations. The takedown of one major illegal botnet purveyor in the past few years reduced malware on U.S. and EU sites by a third for months.
Resilience alone, however, is insufficient cybered protection for the modern trading state; its cybersecurity strategy must include capacities for legally guided forward disruption of national cyberspace.
The massive global bad actor community also includes a smaller group of exceptionally skilled “wicked actors” who cannot be deterred or foiled by hygiene, redesigned base technologies or rising cybered borders. Security thus requires the capacity for targeted, highly selective operations beyond national jurisdictions to preempt wicked actor operations before they are at the periphery of or inside targeted systems. Ancient city-state leaders would have understood the need to disrupt such actors as a means of augmenting security resilience. If there were pirates lurking outside the harbor, then those pirates should be attacked at times and places of the city-state’s choosing.
Disruption is just as essential a part of a modern digital state’s security resilience strategy today.
Like resilience in the cybered conflict age, the strategic and operational demands of disruption as a component of survival strategy are more complex than those of the past.
Such operations require comprehensive, precise, continuous and near-real time data about the attackers, defenders and their shared systems. Targeting itself is an intensive challenge because it requires narrowing the masses of bad actors down to a much smaller, clearly identifiable set of particularly dangerous entities. This and any subsequent information has to be gathered legally, processed collectively and systemically, and acted upon intelligently and adaptively. It takes time, much human and technological skill and tools, and clear oversight.
Disruption must remain a complement to general national resilience because it cannot be scaled up to deal with the masses of routine bad actors. Its techniques differ from those of resilience, which limit the opportunistic, low-skilled attacks of the mass of bad actors by large-scale standardized responses. Truly skilled wicked actors are not sensitive to mass calls for delegitimization and they cannot be easily frustrated by modestly higher costs of internet access or tools. Most operate in some organizational framework that pays them well to just keep trying. For example, skilled folks that work during the day for the transnational cyber mafia called the RBN (Russian Business Network) and moonlight in cybercrime on their own at night are undoubtedly paid well. Some wicked actors work for ideological reasons, making their persistence a product of income and personal legitimacy. Disrupting these actors and their campaigns requires fairly specific knowledge of why and how they operate, which cannot be scaled up easily into general cyber security protocols necessary for resilience.
A national security resilience strategy must blend the complementary aspects of resilience and disruption for the variety of threats facing the whole society. Resilience, for instance, would not have stopped the insertion of Stuxnet into Iran’s nuclear reactors, and only the disruption of wicked actors with demonstrated behaviors of that skill can stop future Stuxnet-type viruses aimed at modern democracies. Conversely, disruption could not have helped lower the estimated $130 billion lost to cybercrime by six major U.S. corporations in 2010, since these threats were so wide-ranging and diverse that no reasonable means of disruption could have been made available to stop them. However, more resilience in national systems could have reduced the flood of assaults and eased the pressure on these firms. Without such a balanced strategy, it is easy for human operators in large-scale systems to be surprised and to make mistakes. Of the five major undersea cables that broke in 2010, cutting the internet in Iran and India, the fifth occurred because an overeager but also possibly undertrained technician inadvertently brought down his cable while trying to prevent just such an eventuality.
Institutional Adaptations for Security Resilience
Strategies need institutions that support their implementation, and new strategies often need new or redesigned institutions to accommodate them. We need three institutional adaptations in particular to institutionalize security resilience as a strategy: the “knowledge nexus”, behavior-based privacy, and the “Atrium” organizational model for accommodating surprise. No mere essay can explain these adaptations in full, but a brief discussion can highlight the differences between where things stand and where they need to stand.
Resilience and disruption require better collective mechanisms across authorities and knowledge sets in order to accommodate surprise across essential large-scale integrated systems.
We are organizationally balkanized, and if we cannot eliminate stovepiped arrays of organizational domains, then we need at least to create and exercise a continuous “knowledge nexus” among them, especially across intelligence, military, police, private critical infrastructure, the ISP and IT capital goods industries, and local community structures. Continuous collaborative interactions are necessary to build consensus before any surprises emerge. This nexus cannot operate intermittently, as its barebones equivalents are today. If cyberspace is not bounded by time or domain, and if malicious actors are similarly unbounded, then response capabilities need to be as well.
Second, the whole-of-nation aspect of blending resilience and disruption capabilities requires an ability to cull, preserve and focus comprehensive data on threatening behaviors inside as well as outside national borders. We need a way to view behaviors comprehensively to determine bad actors’ behavior patterns even as we keep everyday citizens’ personal information secure. One way to do this is to harness the power of the technology to devise a “behavior-based privacy” system, complete with an integrated legal regime for validation and appeal in cases of error. Such a system could allow authorities to distinguish dangerous behaviors while maintaining anonymity enforced by shared encryption. Individuals would be traceable only with a warrant and probable cause, and robustly protected with easy validation and appeals processes.
Third, an effective security resilience strategy demands that security organizations responsible for protecting against systemic surprise (and for carefully tailored disruption) achieve a higher standard of learning and operating collectively. It would not be wise to overcentralize the U.S. capacity to deal with cyberspace by shoving various military and intelligence organizations together with the FBI, the DEA and elements of the Department of Homeland Security, but all such organizations must learn how to bring their assets into concert and to trust each other long before urgent major surprises emerge. One way to advance that learning is by using advanced game-like simulations, shared and continuously available across all the critical organizations likely to be involved in a cybered nationally critical crisis. The technology is currently largely available from today’s massively multiplayer online gaming industry. The tools thus need more to be gathered than invented. They can be embedded in an “Atrium” organizational model that would guide preparations for the rapid, accurate actions necessary to derail, mitigate and innovate around devastating surprises in critical systems.
Unfortunately, few of the strategic or institutional support elements of a security resilience strategy are in place today, either within or across the various democratic trading states. The U.S. model of a national “cyber command” is narrowly focused on state-level bad actors, on the protection of domain-centric military networks, and on matching adversary advanced use of cybered attacks during a (highly unlikely) formally declared war.
Furthermore, despite the laudable knowledge-sharing and rapid-action innovation encouraged by the dual-hatting of the Director of the NSA and Commander of the U.S. Cyber Command, the overall model is tied to the dot-mil domain. Unless national command authorities request the direct help of this small knowledge nexus, NSA/U.S. Cyber is not authorized to routinely and proactively help the rest of the U.S. government or the nation’s privately owned critical systems. This model separates by law and inclination the most skilled of public entities from developing national resilience more broadly among the private corporations whose vulnerable systems can affect the homeland, and who are not amenable to paying in advance for security.
This strict separation of domestic from national security by policy and institutions worked tolerably well during the Cold War. Today, however, bad actors tunnel into the nation around NSA or Cyber Command and weaken the resilience resources of the entire national system through cybercrime or deliberate theft and other control exploits. Today, in a world of connected cross-border easy access, this military-versus-civilian separation ensures that both domestic and national institutions will lack the consensus, shared data analysis and collective learning needed to avoid being paralyzed or panicked after a surprise.
Also unlikely to
adequately implement an effective security resilience strategy is the purely
resilience-focused “key firm” model emerging largely in Europe. This strategy is
built on national concerns for economic or privacy losses due to massive
onslaughts of cybercrime. The European model of national cyber defense rests on
using internet service providers as the key firms whose technological skills can
be called upon to derail cybered bad actors as they enter home systems or once
they are identified within the ISPs’ networks. While the key firm model provides
more systemic national resilience than the U.S. cyber command model, it leaves
these deeply digitized nations with few legal ways to disrupt persistent bad
actors. Disrupting bad actors outside of these jurisdictions is not publicly
endorsed or discussed as legally acceptable.
Beyond organizational
and legal deficiencies, we face a range of attitudes that hinder appropriate
responses to cyber threats. Nine seem most germane.
• We focus on unlikely interstate war while neglecting the society-wide enfeebling
effects from waves of non-wartime cyber attacks inside the homeland’s critical
socio-technical-economic systems.
• We separate resilience from disruption, which causes imbalances and incoherence
when we allocate strategic resources to deal with sources of cybered
surprise.
• We focus on protecting
only military or governmental systems in cyber command, or equivalent structures
in the private sector, while leaving critical systems that enable our economy to
function wide open to attack. This imbalance encourages bad actors to target our
weaker points.
• We neglect the crucial role played by the vast global and opaque cybercrime
community in threatening the entire nation by innovating new techniques and
access points, new methods of attracting and training opportunist or full-time
cyber criminals, and new “noise” and cover for criminal or state-run
operations.
• We avoid investments in fundamentally redesigning the insecure base layers of
the global internet out of deference to private industry, instead pouring
investment funds into layer upon layer of technological fixes easily defeated by
thousands of underemployed bad actors with time to tinker.
• We approach securing the national well-being as a purely technological
challenge. We fail to grasp the interaction of the social with the technological
aspects of critical national systems, ignoring how human cognitive function can
cause surprise to leap to technical system failures or erratic behaviors and
back again.
• We calculate resilience and disruption costs in short-term budgets and ignore
the long-term, episodic and systemic threats of the cybered conflict campaigns
likely to be conducted by major adversaries and opportunistic allies. This
encourages systemic national and global weaknesses that can be exploited in
future international crises.
• We use the insurance model of risk calculations and its presumptions of one-off
disabling events, thus relying on allies to provide aid in a crisis and
encouraging adversaries to target many states at once.
• We underinvest nationally in basic research, leaving the technological redesign
of a more secure web to the narrow, near-term perspectives in corporate
investments and ensuring public institutions will lag in appropriate human
capital when new threats emerge from the convergence of cyberspace and new
technologies like nanotechnology, genetics or robotics. Corporate interests
infrequently take a whole-of-society or long-term perspective, and tend to
ignore new knowledge related to cyber threats if it seems to challenge near-term
returns on investment or to promise expensive proprietary uncertainties. Right
now, a key large and growing peer competitor to the United States in cyberspace
and science in general is massively subsidizing and outstripping U.S. public
research investments in wide-ranging basic nanotechnology research,
supercomputing and other cutting-edge scientific and engineering
fields.
The resources needed
by the trading states to maintain their well-being are at stake. Modern trading
democracies now face increasing and broadening levels of insecurity through a
massively complex cybered international system that is no longer stabilized by
one or two superpowers’ rules and their power to punish. The frontier
free-for-all that marked the two early decades of cyberspace is ending, but the
fight over how it will change the international system developed by the trading
states has just begun. Amid the inevitable uncertainties of the future, those
nations that most effectively develop careful long-term internal resilience and
external targeted disruption capacities will be the most powerful, sustainable
and materially healthy in the long run. As things stand now, the United States
may not be among them.
1 I detail this argument in Wars of Disruption and Resilience (University of
Georgia Press, 2011).
Chris C. Demchak is a professor at the U.S. Naval War
College. She is the author of Wars of Disruption and Resilience:
Cybered Conflict, Power, and National Security (University of Georgia Press, 2011). All
statements here are those of the author and do not reflect the views of the U.S.
government, the U.S. Navy, or the U.S. Naval War College.