A series of high-profile events in 2010 and 2011 highlighted the increasing and multifaceted threat of cyberattacks. These include the espionage hacks on Google and Western energy companies (WSJ), the Stuxnet (VanityFair) infiltration of Iranian nuclear sites, and the targeting of government networks in South Korea (BBC). U.S. cybersecurity policy continues to evolve to meet these challenges, but critical gaps remain, including the incomplete protection of digital infrastructure vital to national security, such as power grids and financial networks. Upon assuming office in 2009, President Barack Obama declared cyberspace a strategic national asset and requested a complete Cyberspace Policy Review (PDF). In May 2011, the White House also released its International Strategy for Cyberspace (PDF)--an attempt to signal to both allies and adversaries what the United States expects and what its plans are in this emerging medium. Current U.S. cybersecurity policy splits responsibilities between the Departments of Defense and Homeland Security, with the former managing "dot mil" and the latter "dot gov" domains. Despite these initiatives, U.S. policy still lacks a coherent approach to protecting critical digital assets outside of the government and, in most cases, relies on the voluntary participation of private industry.
Identifying the Threat
Cyberattacks include acts of cyber war, terrorism, espionage, crime, protest, vandalism, and more. Lines between categories are often blurred, and it is usually difficult to identify the perpetrators or understand their motives. For instance, there is still debate in the cybersecurity community over whether the 2007 cyberattacks that targeted Estonian government networks (UPI) constitute cyberwarfare by Russian intelligence or acts of political protest by hackers.
Attackers' level of expertise varies from small-time hackers employing botnets (USAToday) and inexpensive malware kits (eSecurity) to national intelligence agencies with thousands of software engineers exploiting the latest techniques. Anyone with a computer has the potential to inflict harm. The U.S. Department of Homeland Security (DHS) designates at least five primary "cyber threat sources," but other typologies exist (InfoWorld). Most observers acknowledge the greatest and most persistent threats are cyberespionage and cybercrime (CSIS).
Cyberattacks have a few characteristics unique to the digital medium. First, they are often asymmetric, meaning that actors with limited financial or technical resources have the capability to compromise high-value targets. Second, offense has the advantage in the digital realm. The web's collaborative nature means openness is prioritized over security. This design feature ensures cyberdefenses lag behind offensive methods. Finally, investigations into cyberattacks suffer from a so-called attribution problem. The high degree of anonymity of digital interactions makes identifying an attacker a time-consuming, if not impossible, task.
Cybercrime, broadly defined as any crime that uses a computer, is a global problem that affects the government, corporations, and individuals. It can take a variety of forms, from online fraud, to cyberstalking, to data theft. A 2010 report from Norton found that nearly two-thirds of people worldwide have been the victim of cybercrime (PDF). A 2009 study done by McAfee shows cybercrime, including data theft and security breaches, may have cost global businesses as much as $1 trillion globally (CNET).
"U.S. policy still lacks a coherent approach to protecting vital digital assets outside of the government and, in most cases, relies on the voluntary participation of private industry."
The vulnerability of digital networks has brought the exploits of cybercriminals to new heights. In 2009, U.S. hacker Albert Gonzalez (Reuters) pled guilty to helping steal forty million credit and debit card numbers from major retail stores via the Internet, one of the largest cases of identity theft in history. The small town of Râmnicu Vâlcea in Romania--known as "Hackerville" (Wired) to international law enforcement--has become a notorious sanctuary for operators in e-commerce scams and malware attacks. These cyber-schemes funnel tens of millions of dollars into the Transylvania region and have become a primary source for the area's economic boom.
Cyberespionage, sometimes categorized as a subset of cybercrime, involves cyberspying and the theft of industrial technology and state secrets. In February 2011, hackers linked to China were found to have conducted a multi-year cyberespionage campaign directed at Western energy companies (WSJ). Despite the evidence, investigators were unable to confirm whether the operation, known as "Night Dragon," was sanctioned by Chinese authorities.
In January 2010, a sophisticated cyberattack originating in China targeted Google's corporate infrastructure (along with those of other tech companies), stealing intellectual property and infiltrating the email accounts of Chinese human rights activists. An investigation into the incident led Google to end its policy of censoring searches on Google.cn.
In April 2009, computer spies infiltrated the Pentagon's $300 billion Joint Strike Fighter project (WSJ)--the Defense Department's costliest weapons program in history. In milliseconds, bandits were able to make off with several terabytes of data related to the aircraft's design and electronics system. Once again, officials said the attacks appeared to originate from China, but attribution challenges make verifying this claim extremely difficult.
Some experts, like industry analyst Bruce Schneier, contend cyberwar is overhyped (CNN) and used to describe activities that don't fit the label. Some observers cite the cyberattacks on Georgia (ForeignPolicy.com) prior to Russia's August 2008 invasion as a seminal moment in cyberwar because it was the first "integration of offensive cyber operations" into political-military strategy. Others suggest the March 2011 denial-of-service attacks on South Korea (BBC), which disabled several government websites, signal the growing threat from a North Korean cyberwarfare unit.
Many observers view the havoc wrought by the Stuxnet worm as the best example of cyberwarfare, because it caused physical damage to infrastructure vital to national security. First reported in June 2010, Stuxnet may be the most advanced cyberweapon ever deployed, according to the New York Times. There is still a great deal of mystery shrouding the program's origins, however some analysts speculate Stuxnet was a joint project between the United States and Israel, with possible assistance from Germany and Britain.
Though many countries appear to have been affected by the worm, Iran seems to have been the primary target. Stuxnet was the first malicious software specifically engineered to target a particular type of industrial control system. In this case, the program infiltrated Siemens systems at Iranian nuclear power plants and caused centrifuges to malfunction. The sabotage occurred while the plant's management observed a façade of normal operation.
Stuxnet demonstrated the tremendous allure that acts of cyberwar may have over traditional means of political or military action. In an op-ed for the New York Times, CFR's Richard Falkenrath emphasized this appeal: "A sophisticated half-megabyte of computer code apparently accomplished what a half-decade of United Nations Security Council resolutions could not."
The Stuxnet worm also demonstrated the potential damage such an attack could have on similar infrastructure in the United States. A 2010 report by the Congressional Research Service found that "should the industrial control system of a critical infrastructure facility become affected by a Stuxnet worm (PDF) or similar malicious code, disruptions could hamper the government's ability to provide domestic and international security, safety, and essential services for lengthy periods of time."
Only a handful of countries (Forbes) have the capability to carry out attacks of this caliber, including China, Russia, and Israel, but over one hundred have begun to organize cyberwarfare units. Still, some critics like James Fallows at the Atlantic argue that even if countries like China have these advanced abilities, it would be against their self-interest to deploy them on major powers like the United States. He argues that if such an attack were traced back to the Beijing, U.S. military retaliation and the resulting damage to bilateral trade would have unforeseen ripple effects, such as upheaval in China's migrant labor population.
An Evolving U.S. Cybersecurity Policy
The United States divides principal responsibility for cybersecurity between the Department of Defense (DOD) and DHS. For fiscal year 2012, the two agencies requested a combined $3.4 billion (FierceGovernment) in cyber-related funds (yet to be approved). A primary catalyst in the formation of the government's current cybersecurity posture was a significant breach of DOD networks in November 2008 at U.S. Central Command (ForeignAffairs). The infiltration enabled an unnamed foreign intelligence agency to extract critical operational plans without detection.
Upon this pivotal security breach, the Pentagon made the strategic decision to proclaim cyberspace a "fifth domain" of warfare, on par with sea, air, land, and space. It also inaugurated U.S. Cyber Command (PDF) in May 2010 to integrate its cyberdefense operations across the military. The new centralized command leverages the technical expertise of the National Security Agency (NSA) and the Defense Advanced Research Project Agency. CYBERCOM has three missions: day-to-day protecting of all defense networks; establishing a single chain of command running up to the president; and working with a variety of partners to share threat information and help coordinate responses.
However, CYBERCOM's active defenses only fully protect networks in the government's "dot mil" domain. Protection of digital infrastructure at non-military departments falls under the aegis of DHS, primarily at the National Cybersecurity and Communications Integration Center. The center also houses the U.S. Computer Emergency Readiness Team. This group defends against cyberattacks within the "dot gov" domain and is responsible for security collaborations with government and private industry. Included in these relationships are public-private partnerships with the owner/operators of strategic national assets. DHS has identified seventeen sectors of U.S. critical infrastructure that must be protected, including the defense industrial base, financial systems, transportation networks, and water works.
In September 2010, DHS and DOD signed a cybersecurity pact (InformationWeek) formalizing cooperation between the two departments and allowing DHS to capitalize on the advanced technical expertise of NSA (part of DOD), the primary U.S. agency in charge of signal intelligence and cryptologic work. The agreement also allowed the co-location of personnel and a joint operational planning element.
Shortly after assuming office in 2009, President Obama requested a complete review of federal efforts to defend the nation's digital infrastructure, and declared cyberspace a strategic national asset that the United States should use all means to protect. Building on the Comprehensive National Cybersecurity Initiative launched by the Bush administration, Obama's Cyberspace Policy Review (PDF) made several recommendations, including the creation of a cybersecurity coordinator in the White House; increased cybersecurity and science education; improved partnerships between the private sector, government, and the international community; the creation of a "comprehensive framework" to coordinate responses to significant cyber incidents; and increased efforts at improving cybersecurity innovation.
Obama's review acknowledged the government's responsibility to physically protect critical infrastructure in the hands of the private sector, but it lacked a strategy for safeguarding those assets against digital-based attacks as in the Stuxnet worm (PDF). The report states that most private network providers consider it their responsibility to defend their own networks, and suggests that the role of government should be in "incentivizing collective action" through some combination of incentives or regulation.
In a January 2011 report (PDF) on U.S. cybersecurity, the Center for Strategic and International Studies took issue with this suggestion: "no one in particular defends private networks ...The [free] market will not deliver adequate security in a reasonable period, and voluntary efforts will be inadequate against advanced nation-state opponents." CFR cybersecurity expert Adam Segal adds, "Clearly the government has to be more involved . . . but how do you make sure you don't quash innovation? The solution will focus on outcomes and not companies being told what to do."
Defending the Future
Both U.S. policymakers and business leaders see the need to "bridge the gap" between the independent cybersecurity demands of commercial enterprise and the collective security imperatives of a nation protecting its vital infrastructure. Jerry Cochran, chief cybersecurity architect at Microsoft, says, "Without a set of concrete government incentives or enforceable regulations, corporations will continue to make risk-management decisions based on their individual self-interest. These are considerations that do not necessarily account for larger U.S. national security concerns."
"Without a set of concrete government incentives or enforceable regulations, corporations will continue to make risk-management decisions based on their individual self-interest, [which] do not necessarily account for larger U.S. national security concerns." -- Jerry Cochran, Chief Cybersecurity Architect at Microsoft
Writing for The Hill, McAfee CEO Dave DeWalt encourages policymakers to better define public/private partnerships, and recommends establishing an entity that can overcome corporate competition. In addition, he suggests government and industry should develop security standards and best practices collaboratively rather than top-down prescriptions from federal regulators.
Any expansion of government into private-sector security will raise a host of additional concerns, including issues of privacy, innovation, and legality. For instance, what role, if any, should the military (CNET) play in a new security paradigm? In a Council Special Report on cybersecurity and Internet governance, Robert K. Knake cautions against a state-centric approach to these problems. Instead, he suggests a flexible dialogue that includes a wide range of participants from the technical community, the private sector, government, and the user/consumer groups.
As the network of global commerce and communication continues to integrate, the United States will also have to navigate its relationships with its partners throughout the world. Some headway has been made in this area, including the International Strategy for Cyberspace (PDF) released by the White House in May 2011. According to its authors, it constitutes the first U.S. attempt to lay out "an approach that unifies our engagement with international partners on the full range of cyber issues." Other examples of such outreach include the establishment of an EU-U.S. Working Group on cybersecurity in November 2010, and the first joint U.S.-Russian report on cyber conflict (EastWestInstitute) in February 2011. But considerable obstacles lie ahead. For instance, China's vast online censorship apparatus, known as the "Great Firewall," contradicts basic American ideals of Internet freedom.
Experts foresee human capital (BBC) as a potential pitfall in future U.S. cybersecurity efforts. Speaking to Congress in March 2011, CYBERCOM chief General Keith Alexander described cybersecurity staffing and resources as very thin and likely to be overwhelmed by a crisis. Writing for Foreign Affairs, U.S. Deputy Secretary of Defense William J. Lynn acknowledged the disproportionate number of computer scientists being produced by India and China, and suggested that the United States will "lose its advantage in cyberspace if that advantage is predicated on simply amassing trained cybersecurity professionals."