In the current issue of Foreign Affairs, Deputy Defense Secretary William J. Lynn III makes one of the more sober arguments for government involvement in cybersecurity. Naturally, his focus is on military security and the Pentagon’s efforts to protect the .mil domain and military networks. He does, however, raise the question of whether, and how far, the military should be involved in protecting civilian networks.
One thing that struck me about Lynn’s article is its wholesale rejection of the Cold War metaphor for cybersecurity. “[The United States] must also recognize that traditional Cold War deterrence models of assured retaliation do not apply to cyberspace, where it is difficult and time consuming to identify an attack’s perpetrator,” he writes. Given how slow and unreliable attribution is on the internet, he suggests that the better strategy is “denying any benefits to attackers [rather] than imposing costs through retaliation.”
What is interesting about this is that it stands in utter contrast to the recommendations of cybersecurity enthusiasts like former NSA chief Michael McConnell, who wrote earlier this year in a 1,400-word op-ed in the Washington Post:
We need to develop an early-warning system to monitor cyberspace, identify intrusions and locate the source of attacks with a trail of evidence that can support diplomatic, military and legal options—and we must be able to do this in milliseconds. More specifically, we need to reengineer the Internet to make attribution, geolocation, intelligence analysis and impact assessment—who did it, from where, why and what was the result—more manageable.
It’s good to see that DoD is facing the fact that “reengineering the internet” in the name of attribution is not a practical possibility. Lynn seems to be saying that what the military needs to focus on is better security hygiene and network resilience. It’s therefore interesting that the two data points he provides as evidence of a threat are:
1. The oft-cited factoid that “Every day, U.S. military and civilian networks are probed thousands of times and scanned millions of times.”
2. A now-declassified 2008 episode in which classified military networks were severely compromised by a foreign intelligence agency. How? “[A]n infected flash drive was inserted into a U.S. military laptop at a base in the Middle East.”
Probing and scanning networks are the digital equivalent of rattling doorknobs to see which ones are unlocked, a maneuver available to even the most unsophisticated attacker, and since the days of WarGames the Pentagon has been a favorite target. That the one major compromise Lynn cites had to rely on social engineering, that is, on getting an insider to plug an infected USB thumb drive into a military laptop, gives me some reassurance about the military’s ability to protect against mere “probes and scans.” (Note that the recently discovered Stuxnet worm also spread via flash drives.) It also tells me that the best defense against this kind of breach is still an educated computer user, backed by controls that make the mistake harder to make in the first place, such as disabling autorun and restricting removable media on sensitive machines.
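To make the “doorknob” point concrete, here is an added example, not code from Lynn’s article or from this post, that runs over a constructed, simplified firewall deny log and groups the blocked connections by source. The log format, the addresses (all from documentation ranges) and the scan thresholds are assumptions chosen for illustration. The headline count of “thousands of probes” collapses into a short list of scanning hosts, which is what a defender actually has to reason about.

```python
"""Summarise 'probes and scans' from a constructed firewall deny log.

Groups denied inbound connections by source address, so that a raw
count of blocked packets turns into a handful of scanning sources.
"""
import re
from collections import defaultdict

# Constructed sample log in an assumed, simplified syslog-style format.
# Not real traffic: 203.0.113.5 walks seven ports on one host,
# 203.0.113.77 tries SSH on six hosts, 192.0.2.9 is a single stray hit.
SAMPLE_LOG = """\
2010-09-15T03:12:01Z DENY src=203.0.113.5 dst=198.51.100.10 dport=21 proto=tcp
2010-09-15T03:12:01Z DENY src=203.0.113.5 dst=198.51.100.10 dport=22 proto=tcp
2010-09-15T03:12:02Z DENY src=203.0.113.5 dst=198.51.100.10 dport=23 proto=tcp
2010-09-15T03:12:02Z DENY src=203.0.113.5 dst=198.51.100.10 dport=25 proto=tcp
2010-09-15T03:12:03Z DENY src=203.0.113.5 dst=198.51.100.10 dport=80 proto=tcp
2010-09-15T03:12:03Z DENY src=203.0.113.5 dst=198.51.100.10 dport=443 proto=tcp
2010-09-15T03:12:04Z DENY src=203.0.113.5 dst=198.51.100.10 dport=3389 proto=tcp
2010-09-15T03:12:30Z DENY src=203.0.113.77 dst=198.51.100.10 dport=22 proto=tcp
2010-09-15T03:12:30Z DENY src=203.0.113.77 dst=198.51.100.11 dport=22 proto=tcp
2010-09-15T03:12:31Z DENY src=203.0.113.77 dst=198.51.100.12 dport=22 proto=tcp
2010-09-15T03:12:31Z DENY src=203.0.113.77 dst=198.51.100.13 dport=22 proto=tcp
2010-09-15T03:12:32Z DENY src=203.0.113.77 dst=198.51.100.14 dport=22 proto=tcp
2010-09-15T03:12:32Z DENY src=203.0.113.77 dst=198.51.100.15 dport=22 proto=tcp
2010-09-15T03:13:00Z ALLOW src=198.51.100.200 dst=198.51.100.10 dport=443 proto=tcp
2010-09-15T03:13:05Z kernel: link up on eth0
2010-09-15T03:13:10Z DENY src=192.0.2.9 dst=198.51.100.10 dport=8080 proto=tcp
"""

# Matches the assumed line layout; anything else (e.g. the kernel line) is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+src=(?P<src>[\d.]+)\s+"
    r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def summarize(log_text, port_threshold=5, host_threshold=5):
    """Aggregate DENY events per source and label each source.

    Returns (total_denies, report) where report maps a source address to
    its deny count, distinct destination ports/hosts, and a label:
    'port_scan' (many ports on few hosts), 'host_sweep' (one service across
    many hosts) or 'background_noise' (everything else). The thresholds are
    illustrative assumptions, not tuned values.
    """
    per_src = defaultdict(lambda: {"denies": 0, "ports": set(), "hosts": set()})
    total_denies = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "DENY":
            continue  # ignore allows and unparseable lines
        total_denies += 1
        s = per_src[rec["src"]]
        s["denies"] += 1
        s["ports"].add(rec["dport"])
        s["hosts"].add(rec["dst"])

    report = {}
    for src, s in per_src.items():
        if len(s["ports"]) >= port_threshold:
            kind = "port_scan"
        elif len(s["hosts"]) >= host_threshold:
            kind = "host_sweep"
        else:
            kind = "background_noise"
        report[src] = {
            "denies": s["denies"],
            "distinct_ports": len(s["ports"]),
            "distinct_hosts": len(s["hosts"]),
            "kind": kind,
        }
    return total_denies, report


if __name__ == "__main__":
    total, report = summarize(SAMPLE_LOG)
    print(f"{total} denied connections from {len(report)} sources")
    for src, info in sorted(report.items()):
        print(f"  {src:15} {info['kind']:17} denies={info['denies']} "
              f"ports={info['distinct_ports']} hosts={info['distinct_hosts']}")
```

Run as a script it reduces fourteen denied connections to three sources, two of them obvious scanners. A real deployment would add a time window and feed the labelled sources to whatever blocklist or SIEM is in use; the point here is only that scan volume is cheap to measure and says little about who has actually gotten in.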
Lynn also writes that,
The U.S. government has only just begun to broach the larger question of whether it is necessary and appropriate to use national resources, such as the defenses that now guard military networks, to protect civilian infrastructure. Policymakers need to consider, among other things, applying the National Security Agency’s defense capabilities beyond the “.gov” domain, such as to domains that undergird the commercial defense industry. U.S. defense contractors have already been targeted for intrusion, and sensitive weapons systems have been compromised. The Pentagon is therefore working with the Department of Homeland Security and the private sector to look for innovative ways to use the military’s cyberdefense capabilities to protect the defense industry.
For folks like McConnell, the answer is obvious. “[T]he reality is that while the lion’s share of cybersecurity expertise lies in the federal government, more than 90 percent of the physical infrastructure of the Web is owned by private industry,” he wrote in the Post. As a result, intermingling is inevitable.
First, I’m not sure I’m willing to stipulate that the federal government is the technical leader in network security. What is the evidence for that claim? (Jim Harper has previously pointed this out.) Second, if DoD is concerned about the network security of defense contractors, it can rely on them less or it can contractually require more stringent practices. As the ACLU recently warned, a partnership between DHS and DoD (read: NSA) could pose a threat to civil liberties. Let’s never forget this is the agency that made warrantless domestic surveillance possible. Finally, while it may start with defense contractors, regulation and “public-private partnerships” tend to have a ratcheting effect that grows bureaucracies and crowds out innovation. It’s time to slow down this cybersecurity train before it loses control.