This week, news outlets have again directed attention at the problem of cyber insecurity, i.e. the vulnerabilities of our Internet-enabled infrastructures. There is no easy way to quantify the level of risk to which corporations, governments and other organizations are exposed. Nonetheless, we have seen enough anecdotal evidence to know that from personal finance to critical infrastructure, there are plenty of ways for things to go wrong in cyberspace, through malicious acts or not.
A recurring debate in Washington is the matter of what exactly constitutes conflict in cyberspace. Cyberwar is a term that captures the imagination of strategic theorists much in the way air power did a century ago. According to the Wall Street Journal, “The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force.” This is nothing new, and the Journal’s National Security Agency-watcher Siobhan Gorman knows this.
The Defense Department, which has established a unified Cyber Command (pulling together representation from the armed services under the command of the director of the NSA), needs to establish some rules for the thousands of servicepersons, civilians and contractors who will staff up the new organization. These rules, what the Pentagon calls doctrine, have been undergoing review and revision for some time now and remain secret. Of course, it’s by no means wise to keep declared policy on what the U.S. will or won’t consider an act of war under wraps. It’s good that Department of Defense’s cyber doctrine will become public knowledge, and this is nothing sensational.
Other news this week on the cyber front has been on the report of persistent attempts to gain access to the computer networks of Lockheed Martin, a major defense contractor. Lockheed holds significant interest in the cyber security business (both in protecting its intellectual property, much of which is classified, and providing cybersecurity services to the U.S. government). This set of incidents involved the sending of much email to Lockheed accounts in which a hidden remote access program was embedded. Kudos to the Financial Times’ Joseph Menn for not over-hyping the Lockheed item. We need to remember that the cyber channel has opened a new world of possibility in the field of espionage.
The problem of hyperbole is a serious one in this debate. When we speak of attempts to send phishing email (email messages designed to fool the recipient into granted access to an un-trusted outsider) we know that we are dealing with attempted theft or fraud of some sort. Unfortunately, such events are categorized as hacking or cyber attacks. Attempted robbery and assault are very different crimes, but not in our cyber lexicon. This is the crux of the matter; any attempt to steal data, deny access to a system or subvert function of a real-world computer controlled machine (the latter exemplified by the alleged attack against Iran’s nuclear enrichment infrastructure) is considered an attack. The Pentagon can say that it deals with thousands and thousands of cyber attacks every day, as its definition includes scans of Internet ports across its infrastructure (essentially the equivalent of turning door knobs in search of the unlocked door).
So we are left in an unsatisfying place. As a former colleague from the Bureau of Diplomatic Security opined regarding one threat, “The key is not to over-react or under-react.” This is very much the case in our reaction to our cyber insecurities. Is the sky falling in cyberspace? No. Should we be concerned about the rickety ship that is our global cyber infrastructure? Definitely. Bottom line: We need to re-engineer a more secure, more resilient cyber-infrastructure in a global effort. What is needed is international bridge building, cooperation and collaboration — not investment in a new domain of war.
Christopher Bronk is the Baker Institute fellow in information technology policy. He previously served as a career diplomat with the United States Department of State on assignments both overseas and in Washington, D.C.