Defense panelists discussed the thorny issues surrounding national cybersecurity at a defense conference in May. The panel’s moderator, the Honorable Franklin Kramer, former Assistant Secretary of Defense for International Security Affairs and board director for the Atlantic Council, reframed the question to ask how the Defense Department should work with U.S. agencies, private organizations and international partners to stabilize the cyber realm and to increase understanding and cooperation and lay ground rules for operating in cyberspace.
Kramer observed that cyber promises to be the only protected capability in the current budget crisis due to its substantial importance to U.S. security, critical infrastructure and economic growth. He cited the insidious cyber espionage threats to the U.S. industrial base, and asked whether companies should have the right of self-defense. Kramer said that trade-offs will be needed to determine where the U.S. should invest its resources, and in how to evaluate and mitigate cyber risk. He also pointed to the relative newness yet incredible power of the cyber domain, its continuing evolution and unknown potential.
Since its emergence in the 1990s, the cyber domain has become an incredible economic driver and social media phenomenon worldwide. Cyber enables the free flow of information and commerce; it belongs to no individual or country and has been called the “global commons.” Whether through email, tweeting, blogging, social networking, or retail and business transactions, military organizations, government agencies, non-governmental organizations, and private and public users travel the same information highway.
But cyber also has a shady side. On any given day, users may fall prey to hackers and identity thieves. Government, industry and personal computers are bombarded by probes, malware, botnets and viruses. Criminals, hacktivists and state and non-state entities conduct criminal activities, industrial espionage and spying. Politically motivated and extremist groups hijack newspaper websites and Twitter accounts, as well as other legitimate websites and accounts, to garner public support. Some use the Internet and social media sites to incite criminal activities and violence.
Retired U.S. Navy Vice Adm. Herb Brown, former Deputy Commander U.S. Space Command, said it would be a mistake to militarize cyber. The admiral divided the dimensions of cyber into six areas and said that five of them were under the purview of some combination of the Administration, Congress, the departments of Homeland Security and Justice, and the FBI. They are: governance, standards, cybersecurity, cybercrime, and privacy and civil liberties, the sixth area, the free flow of information, he said is best left to the management of the public sector. Brown said U.S. citizens have the expectation of the free flow of information, and individual privacy in cyberspace, which is required by law. The retired admiral said that the DoD is better at protecting its own networks and ensuring its flow of information and should continue to assist the Homeland Security Department in a supporting role.
U.S. Coast Guard Weighs In
U.S. Coast Guard Vice Adm. Robert C. Parker, Commander, Atlantic Area, and Commander, Defense Force East, said the Coast Guard views protection of the Internet as fundamentally an operational problem complicated by the fact that one organization is not in charge. “There is no central bellybutton to poke,” he said. Many see cyber security as the “CIO’s responsibility” but protection actually crosses agencies and responsibilities. Parker said one of the things that the Coast Guard and DHS do very well is to work across the public sector and interagency, including the energy and transportation sectors, to bring organizations together before a crisis occurs. He said there are standing committees, like the Harbor Safety Committees and Area Maritime Security Committees, across the country that have gotten very good at responding to a need, but they tend to concentrate more on the physical aspects of security.
The Coast Guard and DHS are now training so that these organizations understand cyber effects and interdependencies because threats can come through a phone line, any data transmission or a thumb drive — a very different environment compared with the maritime domain.
Parker said in the post-9/11 period it has been a challenge for federal and state governments to define their critical infrastructure and the associated implications of cybersecurity. Furthering the adoption of common definitions of the critical infrastructure to advance common understanding and the role of the federal government and what DoD’s role should be are all important to increasing cybersecurity, Parker said.
The DON CIO’s Assessment
The Department of the Navy Chief Information Officer Terry Halvorsen said he took a different tack. “First of all, the question of whether cyber should be militarized has already been answered. It is militarized. There are people, both criminals and nation-states, doing bad things in the cyber world.”
Stating the United States is already under cyber attack, Halvorsen said, “We use cyber, like we use any other warfare domain, to conduct operations and that have already happened. We are, that is, the DoD is going to have to operate in the dot.com world and there is no way to secure all of the dot.com world or even the dot.mil at the unclassified level completely. It is going to [require] risk analysis to where do we take the smart risks. What do we invest in and how do we pay that bill? One of the things that we are going to have to do is answer part of the economic question, and I don’t know that anyone has been able to answer it yet. If you are in industry, and you are told that you are going to have to spend money to protect something, you might say, wait a minute, isn’t there a standing Department of Defense that is paid to protect that industry? I think that is a legitimate question to ask in our form of government … We are going to have to answer questions about who pays the bill for [national] cybersecurity.”
Halvorsen also discussed the ongoing national debate about the cyber “red line.”
“When has the red line been crossed in cyber, when does the Department of Defense get involved and provide a form of retaliation? That is part of the national debate right now. I don’t purport to have the answer but those are the kinds of discussions we need to have.”
Halvorsen theorized that the DoD could be called on to protect the nation’s treasure trove of business and financial data to ensure economic stability.
“There are some who will say that the Defense Department doesn’t have a role in cyber. But in the Second World War, both the Coast Guard and Navy escorted civilian convoys not just for military supplies, but for [protection of] commerce as well. If you will grant me that today, data is valuable for economies and warfighting … and for everything else, should DoD have a role in escorting the data? I don’t know the answer, but it is an interesting question,” Halvorsen said.
Supreme Allied Command Transformation
Army Maj. Gen. Peter C. Bayer, Jr., Deputy Chief of Staff, Strategic Plans and Policy, Supreme Allied Command Transformation, provided an international viewpoint from the U.S.’s closest alliance — NATO. Bayer said that NATO is struggling to find cybersecurity consensus in the 28-nation alliance. “Try to imagine the challenges in NATO with 28 nations with all the individual elements of their national power and trying to understand and direct outcomes in the cyber environment,” he said.
“In 2002, NATO first had a public proclamation that we needed to get serious about cyber as part of the Prague Summit. In that same year we stood up our NATO computer defense capability totally focused on securing our own networks. In 2013, we will achieve full operational capability of something that we directed 11 years ago. That gives you a good perspective of how long it takes 28 [nations] to come to a meeting of the minds and execution,” Bayer said. “Our strategic concept of 2010 for the first time allowed … defensive measures. The focus right now in the alliance is prevention, defense, resilience.”
U.S. CYBERCOM and DoD
Kramer discussed the security progress made since the stand-up of U.S. Cyber Command four years ago.
In testimony to the House Armed Services Subcommittee on Intelligence, Emerging Threats and Capabilities in March, Army Gen. Keith B. Alexander, commander of U.S. Cyber Command and director of the National Security Agency, said one of his top priorities is working to establish the necessary authorities, policies and standing rules of engagement (ROE) to operate in cyberspace. Gen. Alexander said that NSA and CYBERCOM are working with the Defense Department, the White House and the interagency components “to set up standing rules of engagement — what I'll call the way in which we would actually execute in response to a cyberattack on critical infrastructure, for example, from a foreign adversary on the United States.”
At the hearing Alexander said he thinks it’s reasonable “that when our nation is under attack, whether it's physical attack or cyberattack, the Defense Department will do its part to defend the country.” The issue, he said, “is when does an exploit become an attack and when does an attack become something that we respond to?”
Critical to CYBERCOM’s ability to defend the nation are both the cyber cadre the command is developing with the help of the military services, and a critical partnership with industry, Alexander said. In his written testimony, Alexander said a Cyber National Mission Force and teams will help defend the nation against national-level threats, a Cyber Combat Mission Force and teams will be assigned to the operational control of individual combatant commanders, and a Cyber Protection Force and teams will help operate and defend DoD’s information environment. A fourth set of direct support teams will provide analytic support.
Each cyber mission team is being trained to a common and strict operating standard, he said, so they can be online without putting at risk the nation’s own military, diplomatic or intelligence interests.
Kramer asked the panelists how their services were organizing in the cyber domain to survive a so-called first hit.
“Part of the problem is that in cyber we tend to focus on what I call the big-bang cyber event, which is pretty clear and we have a pretty good response to, I think. The more typical action in cyber is a little more subtle,” Halvorsen said. “So part of the problem with ROE is where did [the hit] occur, did it occur, and who did it? They are all questions that in cyber many times are harder to answer than in a kinetic or other environment. So I think we have to spend more time in that in-between area of cyber because that is the most likely place where we will have the most problems. That big-bang cyber event coupled with something kinetic, we know how we would respond to that; there are some pretty good rules. Those more subtle attacks that may not be attacks, and don’t occur on DoD but in the private sector that we care about, is a much more complicated set of rules than in our traditional land, sea and air combat areas.”
From a Coast Guard perspective, Parker said, “In terms of the ROE, and from a law enforcement view, we look at extended self-defense arguments, whether it’s the use of force in law enforcement circles or acting under Title 10 authority, we look at the rules of engagement. We [Coast Guard] are wired to protect against things that we see are going to do harm to others. There are thresholds associated with that and those aren’t clear at all in the cyber world … [Y]ou could reach all the way into a hospital emergency room or critical care unit to where an individual hacker, and it doesn’t even have to be someone with malicious intent, could accidently turn off critical support systems. Is that a criminal issue; is that a defense issue? If somebody sees that, do they have the extended right for self-defense or the defense of others if they have the capability, and is there culpability on that person’s part? These are the kinds of questions that General Alexander and his team have been wrestling with.”
The Stakes are High
U.S. intelligence organizations report that state and non-state actors have cost U.S. companies billions of dollars in stolen intellectual property in recent years, while U.S. consumers lost $20.7 billion to cybercrime between July 2011 and the end of July 2012, according to a report by security company Symantec. Given the scope and enormity of the threats, cybersecurity continues to be at the forefront of a national debate, and progress is being made on many fronts within government and in industry for protection of vital U.S. interests and critical infrastructure.
Retired Navy Vice Adm. Brown said while the risks are great, there is good news, not only at the federal government level, but within cities and states. Local officials across the country are putting together cyber defense teams composed of local law enforcement agencies, academia and private industry partners which can connect with other like-minded organizations across the country and with DHS so that lessons do not have to be relearned.
Kramer agreed that the public and local governments need to be involved because the federal government can’t do everything. He said roles and responsibilities need to be defined for the federal government, local governments and private industry because more is at stake than just an industry’s business concerns. He questioned what can be done to incentivize private industry to do more whether through tax incentives or perhaps legislation.
Bayer offered another insight, “I think we need to go back to our fundamental strengths. With the advent of new technologies throughout the history of mankind and as security forces, we have always figured this out,” Bayer said. “So we go back to the basics and fundamentals of what is the right way to defend ourselves just applied in a different way … What I am most concerned about is that sometimes in the things we don’t understand, we fail to apply fundamental logical thinking to solve the problem.”