As the White House continues to carve out the broad outlines of U.S. cybersecurity policy, the Pentagon released its new strategy for operating in cyberspace, the third such formal strategy issued from the government under the Obama administration. The document is the first of its kind from the Defense Department (DOD), released amid growing concerns over persistent, sophisticated cyberattacks (WashPost) targeting the nation's classified networks. CFR cybersecurity expert Adam Segal says the strategy offers few specifics and little new insight into DOD policy, and suggests the release is "clearly an effort to downplay foreign countries' perceptions that the United States is going to militarize cyberspace." The most significant concept the strategy touches on, he notes, is that of resilience--the notion that the U.S. military will be able and prepared to continue operations effectively in a degraded communications environment.
What is the general role of the Pentagon in the U.S. cybersecurity space?
The Pentagon is responsible for defending the "dot mil" (.mil) networks, in other words anything that is used by the military. It is also responsible for any offensive operations the United States would conduct in cyberspace. It is supposed to coordinate its efforts with the Department of Homeland Security in defending the nation's critical infrastructure--such as electrical grids, financial networks, and the defense industrial base. Most of this critical infrastructure is in private hands. DHS is supposed to have primary responsibility for it, but they can turn to the Defense Department for support if needed.
What do you see as the biggest cyber threat out there right now? Is it nation-states and their intelligence services? Is it individual hackers? Terrorists? And how do you see this threat evolving?
I think the predominant threat right now is espionage. It's hard to say if it's state-based or non-state--many times it may be non-state actors working on behalf of the state, or independent operators who sell their plunder to a foreign government. The Stuxnet (NYT) attack [a self-replicating computer virus designed to attack software used by Iran's uranium enrichment equipment] suggests the possibility of using a cyber-weapon for physical or kinetic effects that, as we move forward, becomes much more of an alarming threat. The capabilities required to present this type of threat seem to be state-based, but non-state actors will eventually acquire this capacity. But so far terrorists don't seem all that interested in cyberattacks--cyber doesn't seem to offer the public spectacle sought in other types of terrorist attacks.
How do you see the Pentagon's new cyberstrategy fitting into the fabric of U.S. cybersecurity? This release is the third major cyberstrategy from the government--following the Cyberspace Policy Review (PDF) and then the International Strategy for Cyberspace.
What the DOD is going to do in cyberspace is the part people have been most focused on. This document is clearly an effort to downplay foreign countries' perceptions that the United States is going to militarize cyberspace. I don't know how effective this is going to be, but that's clearly the message.
All three strategies leave a whole range of unanswered questions and avoid a lot of specifics, showing that there are still lots of things that have to be addressed and worked out as we move forward.
Is that the big message here?
I think that's one of the messages they clearly wanted to send. The document is really entirely about defense. There is no mention on how the Pentagon might use cyberweapons in an offensive capability. It's clearly also focused on larger strategies, for example "Pillar IV"--working with our allies in building international agreements, cooperation, and partnerships on this front. Other than that, there is not a great deal of it that's new. Deputy Secretary of Defense William Lynn's Foreign Affairs article from September 2010 has almost all of this in it and other parts were pre-released.
The Pentagon has stated that the strategy's emphasis is on the idea of denying attackers the benefit of the attack and changing the incentives involved. Do you see this as the best approach?
It is part of the approach. I think what is probably the most important concept is resilience--the notion of be able to operate effectively even under conditions where our networks have been significantly degraded. We want to make sure we can continue to operate even when these attacks exploit and degrade, which is what's going to happen in the future. The problem with the language they use, however, is that no one really knows what that means. Does that mean this notion of "active defense" is somehow raising the cost to the attackers? That, we just don't know.
This document is clearly an effort to downplay foreign countries' perceptions that the United States is going to militarize cyberspace. I don't know how effective this is going to be, but that's clearly the message.
What is this so-called active cyberdefense?
It's not really clear. Active defense somehow suggests the idea of using surveillance and outer-perimeter monitoring, where attacks can be detected before they are formed and begin. But another interpretation would suggest that somehow we will go after these attacks or prevent them before they ever occur--where the United States will enter other countries' networks to somehow stop these attacks. But this is not spelled out very clearly. In the state of war, it's been suggested that, yes, cyber command has the right to enter other countries' networks, or at least certainly the combatants' networks. But there is no guidance provided on this in this unclassified report.
Is there anything that surprised you about the release?
Not particularly. I guess I was a little bit surprised that it was just kind of a rehash. If you were going to roll out a huge formal strategy like this, you would imagine that they would have more to say. I do wonder if they were slightly gun-shy because the reporting on the international strategy [above] was so heavily focused on the declaratory statement, for instance, "If you hack us, we might park a missile on your doorstep." I think they may have been afraid that the reporting on this would be so focused on the military side of things.
There's been some discussion on the concept of a creating a "dot secure" (.secure) domain (NextGov.com)--a facet of cyberspace that would require visitors to have certifiable credentials? What are your feelings about that and the possible necessity for it in the future?
This idea of a separate Internet has come up over time. Many people have suggested that we'll have a very secure Internet and also an alternate one that will cater more toward social engagement, entertainment, and the like. The problem is that many times, in order to get on a secure Internet, you have to be identified and have your credentials authorized, which means that the device you use to do this--your desktop or mobile--can still be compromised by hackers. Once they do that, they're able to infiltrate the "dot secure" space.
So while from the outside, it may seem more secure to have this separate facility, if you still have defense contractors picking up thumb drives (Bloomberg) in the parking lot and plugging in into their computer, it's not clear that this type of Internet architecture is going to make a huge amount of difference. For instance, Stuxnet was able to compromise a system that wasn't even connected to the Internet. So, it's not clear to me that building this whole other network necessarily creates a new secure system.
Given that, is the culture of anonymity that seems to exist on the web today a sustainable reality moving forward?
Some would certainly think so. I'm not sure, quite honestly, but there are many out there arguing that if you want a more secure Internet you are going to have to compromise on anonymity and privacy. The question is, though we're willing to do that for lots of other things, are we willing to do that for the Internet? And I don't think it's been decided yet.
Do you see a change in the innovation process given the evolving cybersecurity concerns?
It's hard to say because the economics of cybersecurity for companies is not very good. Most companies don't want to spend more on it and will only do so if they are forced--if they have some major breach that has been made public. Most CEOs look at cybersecurity as just another expense. From a risk-management perspective, they don't see it in the bottom line. And so for small startups, it's very hard to figure out where the market is. When it comes down to it, how do you sell a product that most people don't want to buy? People are trying to change the dynamics of that, and of course the government is supposedly expected to drive that change.
The most important concept in the report is resilience--the notion of be able to operate effectively even under conditions where our networks have been significantly degraded.
That is one of the things that's mentioned in this new strategy--they talk about how government procurement policies are going to change. They claim it will shift from seven to eight years for an IT product to twelve to sixteen months. So there's been a lot of talk now on how the government can encourage that kind of innovation. In-Q-Tel, which is the CIA's and intelligence community's venture-capital arm, is investing fairly heavily in this realm. But it may come from something like DARPA [Defense Advanced Research Projects Agency], which doesn't have to worry about the market's concern as much.
On a scale of one to ten, how would you rate the pace of U.S. cybersecurity progress? Is the country moving fast enough?
It's been a busy, I would say, six months. So I would give the last six months an eight or a seven. However, speed is not a measure of efficacy. I think there are still big questions on how effective any of this is going to be. The measure most people give is that 80 percent of cyberattacks could be dealt with using basic cyber hygiene--updating your patches, not clicking on suspicious links, etc. To the extent that it raises public awareness of all of this, this progress is all positive.
Only 20 percent of the attacks are really sophisticated. But it's hard to get a sense on how much we're going to improve in handling these types of attacks. Secretary Lynn talked about this new umbrella, this defense industrial base and how the new technology has been helping us. But in the same speech, he mentioned that some 24,000 files were stolen from a defense contractor (WashPost). This seems to suggest that it's really not that effective.
What are some of the next steps the United States needs to take, or the problems that we have yet to properly address with regards to cybersecurity?
I think the next big thing will be these breach laws that are currently being negotiated in Congress.
What are breach laws?
Right now there's a kind of mosaic of state-based rules that say, if a company's hacked and data is stolen, they have to report the breach and notify customers if it significantly affects them. But there's no national standard. Several pieces of legislation say we need to have national reporting (The Hill). The idea being that this information will be shared among companies and create a kind of market. Ideally, companies would also be incentivized to spend more on security and innovate in this area.
Are you encouraged by what you are seeing as far as cybersecurity policy and the general tenor of the debate?
I think it has been fairly unpoliticized thus far. For the most part, you see cross-aisle cooperation [in the U.S. Congress] on this issue. I think the nature of the debate has been fairly positive, and it's not surprising since so many of these issues are extremely difficult and complicated. However, there hasn't been much talk on the specifics of how these problems are going to be resolved. But, like I said, it is not all that surprising given the complexity of the issue.