Last week I mentioned Seymour Hersh's New Yorker article entitled "The Online Threat." I finally got around to finishing it.
My initial impression is that the article is all over the map, largely because the topic is also all over the map. What some in the military, and some who stand to benefit financially, call "cyber war" encompasses the vulnerability to remote computer-based attack of domestic online infrastructure and specific resources dependent on that infrastructure. Like everything else, the vulnerability is magnified by the interconnectedness that makes the modern world such an interesting place in which to live. Isolationism simply is not possible in a world where the Internet allows a fifteen-year-old Ukrainian to knock at the electronic door of a computer in Montana.
The military, according to Hersh, is worried about the capabilities of China and Russia -- specifically, their governments -- to conduct "cyber warfare." What exactly that means is not clear. Some of the experts Hersh interviewed, not all of whom wanted to be identified, don't think it's in China's interests to conduct destructive actions against U.S. military or even civilian online assets. They further believe China knows that:
James Lewis, a senior fellow at the Center for Strategic and International Studies, who worked for the Departments of State and Commerce in the Clinton Administration, has written extensively on the huge economic costs due to cyber espionage from China and other countries, like Russia, whose hackers are closely linked to organized crime. Lewis, too, made a distinction between this and cyber war: “Current Chinese officials have told me that we’re not going to attack Wall Street, because we basically own it”—a reference to China’s holdings of nearly a trillion dollars in American securities—“and a cyber-war attack would do as much economic harm to us as to you.”
These experts say that people like Richard Clarke and J. Michael McConnell, formerly Bush 43's director of national intelligence, are stirring up fears of "cyber warfare" because they have financial incentives to do so, much in the way antivirus software makers have an incentive to keep us fearful of malware. The real risk, many claim, is not overt damage to our networks or end systems, but covert surveillance -- in other words, espionage. And the espionage would not be, and is not, directed exclusively against the military or the government, but would and does include corporate trade secrets.
Hersh is clearly on the side of those who think Clarke, McConnell and their ilk are distorting the terms of the debate for their own interests, but not even their critics deny that the potential exists for serious damage, especially to the electrical grid, if someone wants to hurt us. The question then turns to how to mitigate or to prevent such an attack. There's no consensus, or rather, there's great consensus within each of two camps that cannot find a middle ground: those who desire much greater intrusion and surveillance capabilities in today's Internet, and those who want to introduce much greater end-to-end security in online communications. The latter want to see strong encryption used over most if not all online sessions, but truly strong encryption schemes would thwart the ability of the intrusion/surveillance camp to find attackers. The intrusion/surveillance camp would permit encryption schemes, but only those that would allow the military (and presumably law enforcement) to decrypt communications without alerting the communicating parties, in the same way wiretaps operate on phone calls today.
Further complicating any attempt to mitigate whatever "online threats" are out there is the political tug-of-war between the Department of Homeland Security, which "has nominal responsibility for the safety of America’s civilian and private infrastructure," and the National Security Agency, which "is formally part of the Department of Defense." Hersh writes, "[T]he military leadership believes that the D.H.S. does not have the resources to protect the electrical grids and other networks."
This dispute became public when, in March, 2009, Rodney Beckstrom, the director of the D.H.S.’s National Cybersecurity Center, abruptly resigned. In a letter to Secretary Janet Napolitano, Beckstrom warned that the N.S.A. was effectively controlling her department’s cyber operations: “While acknowledging the critical importance of N.S.A. to our intelligence efforts . . . the threats to our democratic processes are significant if all top level government network security and monitoring are handled by any one organization.” Beckstrom added that he had argued for civilian control of cyber security, “which interfaces with, but is not controlled by, the N.S.A.”
Underlying this power struggle between the military and civilian leadership is the fact that the playing field is unlike any the United States has ever known.
William J. Lynn III, the Deputy Secretary of Defense, published an essay this fall in Foreign Affairs in which he wrote of applying the N.S.A.’s “defense capabilities beyond the ‘.gov’ domain,” and asserted, “As a doctrinal matter, the Pentagon has formally recognized cyberspace as a new domain of warfare.” This definition raises questions about where the battlefield begins and where it ends. If the military is operating in “cyberspace,” does that include civilian computers in American homes?
World War II marked the last time the nation was concerned about an imminent military threat to the home front. (While the Soviet Union posed an ever-present threat during the Cold War, its missiles and troops could not be countered by any means that involved restricting civilian activities on U.S. soil.) As a nation, we are unused to the idea that we could be on the front lines of a war, the "wars" on drugs, poverty, etc., notwithstanding. Yet our computers and our networks, being linked at a fundamental level with those around the world via the Internet, are very much on the front lines, and have been since the World Wide Web became available to the masses. (The World Wide Web and the Internet are not synonymous, but as a practical matter most home computers got "on the Internet" in order to use the Web.)
Lynn also alluded to a previously classified incident, in 2008, in which some N.S.A. unit commanders, facing penetration of their bases’ secure networks, concluded that the break-in was caused by a disabling thumb drive; Lynn said that it had been corrupted by “a foreign intelligence agency.” (According to press reports, the program was just as likely to be the product of hackers as that of a government.) Lynn termed it a “wakeup call” and a “turning point in U.S. cyber defense strategy.” He compared the present moment to the day in 1939 when President Franklin D. Roosevelt got a letter from Albert Einstein about the possibility of atomic warfare.
You get enormous credit for prescience if you make a comparison like Lynn's and you're right, but such comparisons are mostly wrong. We need to be level-headed and respond to Bad Stuff in a way that neither bankrupts us nor sends us into national hysteria.
"A senior official in the Department of Homeland Security" made the same point to Hersh in terms that should make us all cautious:
This official, like many I spoke to, portrayed the talk about cyber war as a bureaucratic effort “to raise the alarm” and garner support for an increased Defense Department role in the protection of private infrastructure. He said, “You hear about cyber war all over town. This”—he mentioned statements by Clarke and others—“is being done to mobilize a political effort. We always turn to war analogies to mobilize the people.”
"We always turn to war analogies to mobilize the people."
Hersh goes back and forth, alternating true believers with skeptics. The impression I got was that we don't know very much about whether there is a genuine threat, or from where it might strike, or against what. That the capability exists to do us damage is unquestionable, but whether the identified suspects combine both that capability and the motivation is not nearly as clear.
Hersh's piece quotes a lot of insiders talking a good game, but if you want to boil down what it all means into a cant-free exploration, I recommend Bruce Schneier's 7 July 2010 essay for CNN entitled "Threat of 'Cyberwar' has been hugely hyped." (I didn't say it lacked a definite point of view, just that it was free of cant.)
In my opinion, trying to defend against network-based attacks by increasing domestic surveillance capabilities is a losing strategy. The thinking behind it assumes that attackers either are going to use the technologies that are known to be susceptible to eavesdropping -- i.e., that the attackers are stupid -- or that the attackers will use alternate technologies that aren't vulnerable -- i.e., that the attackers are smarter. The communications of the latter will stick out like sore thumbs in the vast sea of packets, making them susceptible to traffic analysis (determining who's talking to whom, how often, for how long, etc.). Traffic analysis is much less informative than actual decryption of content, but it's better than nothing.
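To make the traffic-analysis point concrete, here is an added example (written for this page, not code from the original post or from Hersh's article) that runs a small metadata analysis over constructed flow records of the kind a flow collector exports. The payloads are assumed to be encrypted (TLS on port 443), so the code never looks at content; it shows what an observer, or a network defender reviewing flow logs, can still learn from endpoints, timing and volume alone: who talks to whom, how often, for how long, and whether sessions recur on a fixed schedule. All addresses, timestamps and byte counts are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One connection record as a flow collector would export it.
    There is no payload: only endpoints, timing and volume."""
    start: int          # start time in seconds (constructed, epoch-like)
    src: str
    dst: str
    dport: int
    duration: int       # seconds the connection stayed open
    nbytes: int         # bytes transferred (ciphertext size; content unknown)


# Constructed sample records, not captured traffic. Every session is TLS on
# port 443, so the observer cannot read content and works from metadata only.
SAMPLE_FLOWS = [
    Flow(1000, "10.0.0.5", "203.0.113.10", 443, 5, 1200),
    Flow(1050, "10.0.0.5", "198.51.100.7", 443, 30, 50000),
    Flow(1100, "10.0.0.8", "198.51.100.7", 443, 120, 300000),
    Flow(1600, "10.0.0.5", "203.0.113.10", 443, 5, 1200),
    Flow(1900, "10.0.0.8", "203.0.113.10", 443, 8, 2000),
    Flow(2200, "10.0.0.5", "203.0.113.10", 443, 5, 1200),
    Flow(2800, "10.0.0.5", "203.0.113.10", 443, 5, 1200),
]


def peer_summary(flows):
    """Who talks to whom, how often and for how long: for each (src, dst)
    pair, the number of sessions, total connected seconds and total bytes."""
    summary = defaultdict(lambda: {"sessions": 0, "seconds": 0, "bytes": 0})
    for f in flows:
        s = summary[(f.src, f.dst)]
        s["sessions"] += 1
        s["seconds"] += f.duration
        s["bytes"] += f.nbytes
    return dict(summary)


def fan_out(flows):
    """Number of distinct destinations each source contacted."""
    peers = defaultdict(set)
    for f in flows:
        peers[f.src].add(f.dst)
    return {src: len(dsts) for src, dsts in peers.items()}


def interval_regularity(flows, src, dst):
    """Mean gap between session starts for one pair, and the coefficient of
    variation of those gaps. A CV near 0 means the sessions are evenly
    spaced, a timing pattern that encryption does not hide. Returns None
    when there are fewer than three sessions (fewer than two gaps)."""
    starts = sorted(f.start for f in flows if f.src == src and f.dst == dst)
    if len(starts) < 3:
        return None
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else 0.0)


def regular_pairs(flows, max_cv=0.1):
    """Pairs whose sessions recur on a near-fixed schedule."""
    found = {}
    for (src, dst) in peer_summary(flows):
        r = interval_regularity(flows, src, dst)
        if r is not None and r[1] <= max_cv:
            found[(src, dst)] = r
    return found


if __name__ == "__main__":
    for pair, s in sorted(peer_summary(SAMPLE_FLOWS).items()):
        print(pair, s)
    print("fan-out:", fan_out(SAMPLE_FLOWS))
    print("regular schedules:", regular_pairs(SAMPLE_FLOWS))
```

Run as a script, it lists each peer pair with session counts, durations and volumes, the fan-out per source, and the one pair whose sessions start every 600 seconds. Note what is absent: nothing in the output says what any session carried, which is exactly the gap between traffic analysis and decryption that the paragraph above describes.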
So why not mandate weakened, surveillance-friendly encryption protocols?
Here's why: the vulnerabilities built into these protocols that allow the Nominally Good Guys to peek at the traffic are going to be prize targets for the Bad Guys, and defending crown jewels is a lot of work. Single points of failure, as these would be, are never a good idea.
I was going to consider the implications for privacy and the kind of nation in which we want to live, but (a) those aren't "hard security" issues so much as public policy issues, and (b) Schneier, as usual, does a better job of discussing them. He, too, comes down heavily against so-called security measures that facilitate surveillance, though his conjuring of the specter of a police state may not resonate with you if you are willing to trade privacy for security.
Even if the United States put surveillance-friendly technologies in place, what on earth would induce the rest of the world to follow suit? And if the rest of the world is doing something else, or more likely a lot of something elses, how useful is the ability to conduct domestic surveillance? The targets of interest aren't domestic, remember?
I'm not convinced Hersh conveyed, or even realized, what the bigger picture is. We know what we want to protect: "lights going out, bad." Yet we don't know exactly what the myriad vulnerabilities are, or where they lie. For instance, do you think only a "cyberattack" could cause a widespread power outage? You should take a look at the final report on the 2003 Northeast power outage. The blackout affected eight states plus the Canadian province of Ontario; power wasn't restored in some areas for four days, and Ontario experienced rolling blackouts for more than a week. The disruption wasn't due to attack by a terrorist group or hostile nation. It was a localized power outage that cascaded out of control due to faulty systems, procedures, and training.
Oh, and it's not just the electrical grid at risk. As is clear from the Clinton-era President's Commission on Critical Infrastructure Protection, "systems whose incapacity or destruction would have a debilitating impact on the defense or economic security of the nation" include "telecommunications, electrical power systems, gas and oil, banking and finance, transportation, water supply systems, government services and emergency services." (The PCCIP's final report made few if any specific recommendations for hardening our infrastructure: its main thrust is to outline a set of new government agencies and public-private cooperation initiatives that would do the hard work of making actual recommendations and taking specific actions.)
Before we start throwing time and money at relatively exotic "solutions" to notional problems like a "cyberattack," shouldn't we ensure that the critical systems that might be compromised by such an attack are robust enough to stand up to ordinary crises? And shouldn't we be looking very, very hard at whether we're doing all we can to prevent such attacks using the infrastructure -- the computers and routers -- that we have?
The idea is what information system architects (and military strategists, I think) call defense in depth. You keep your enemies at bay by implementing multiple layers and types of defensive preparations. The trick here is to recognize that simple, old-fashioned hardening of our infrastructure, the kind of maintenance and upgrading and training that have been neglected for decades, is an integral part of a national-security strategy to mitigate even such exotic threats as "cyber warfare" (whatever that turns out to be).
I'm not saying we should ignore the possibility that our networks could be subverted by an attacker. I'm saying that we should be working harder to mitigate the problems we already know we have that would make any such attack much worse. At the same time, we can and should be defining the "cyber warfare" problem better, because if Hersh's article does nothing else, it makes clear that those who think it's their job to guard against it don't know what the hell it is they're guarding against.