Solving the Cyber Riddle
Battlespace, Marketplace, or Playground? The real answer is, “All”… each interpretation in its own way exciting, leveraging, stimulating… and each dangerous… individually, institutionally, and nationally (even globally)… do we have the organization, the rules, the technology, and the will to harness the virtue while avoiding the vice? On February 16, 2010, the Bipartisan Policy Center hosted a “Cyber Shockwave” exercise that sought to open that discussion in an interactive role-playing simulation of what could happen and why it might happen, and to start the search for practical, implementable answers, whether grounded in technical elegance, policy and legal authorities, shared responsibilities, or the will to make hard choices. What follows are not the answers, but some of the questions:
Hardly a day goes by that lacks some story on Cyber organizations, attacks, scams, software, hardware, and either their imminent solution to world hunger or their contribution to world catastrophe. There also has been no dearth of “previous officials”, legislators, Czar hopefuls, technocrats, privacy gurus, and academics willing to add their voices to the cacophony… as well as a crazy-quilt of marketing campaigns and fragmented legislation promising protected systems, secured data, and assured access. Moreover, since we have not faced an equivalent Cyber 9/11, it is easy to view the problem as some abstract future threat, wildly overblown. What’s a person in charge to do… and who is and who should be in charge?
Sometimes creating analogies can be helpful in analyzing a situation… even if only to discredit the analogies.
One view is that Cyberspace ought to be viewed as a castle… you can build the castle ever higher, but the cyber Huns and Visigoths are just as smart and adept as you are and build their siege engines stronger and higher as well. Back in the day, when you looked at the King’s Letter of Marque, he clearly was in favor of a couple of other things… watchtowers on the edge of the empire that sent warnings on what was going on beyond the horizon, and someone out there to bottle up or slow the enemy on his march, and perhaps drop a few bridges on the approach as well. Finally, once the adversary gaggled up in front of the castle you could pour boiling oil on him… (Oh, for the good old days)! Of course even back then there was always the threat of an insider attack and an opened window or unbarred door, so some distributed defense and vigilance had to be oriented inward as well… but the penalties for being caught were usually swift and final.
Another view of Cyberspace is that it ought to be viewed as that big electronic highway in the sky and have some of the same rules: If you drive a car you are supposed to have a license, some form of insurance, in many states you also need a safety and emissions check… get caught without one of them and there is a penalty to pay. If you operate with defective brakes and run into someone you can be charged even more seriously.
Someone is responsible (and must be held accountable) for the roads, the stoplights, the bridges, and the rules. At least in theory, if “they” build a bridge with defective materials or a road with substandard asphalt they can be sued. Carmakers can be forced to recall automobiles with issues that resulted during the production process. And via a government-mandated inspection process, vehicle owners must maintain their vehicle to meet a certain set of standards (typically set by State government) to ensure both their own safety and that of others on the highways.
Another analogy deals with legal aspects. If you don’t like the windows I have on my house (or the company that made them) and throw a rock through them because, “They ought to be better made.” (!), it doesn’t matter how many countries you travelled through to get to my house, or how many different hotels you slept in… you can still at the very least be arrested and charged. Similarly, if you break into someone’s house at midnight… even if you were only “just curious”, being arrested for home invasion might be the best you could hope for… you run the risk of being carried out on a stretcher or worse!
Further, in the big game of life we all spy. Every country that can afford it, can arrange it, and can execute it, spies. The generally accepted rule is that if I catch your spy then I can try to turn him into a double agent, jail him, execute him, or perhaps quietly exchange him for a spy of mine that you have. Spying or finding a spy on sovereign soil in the physical world doesn’t seem to immediately lead to World War III. True, we have laws that outline and regulate domestic spying by our government on us, and law enforcement “spying”, but then again, we as individuals all can, and frequently do, have alarm systems and video cameras on our properties (and businesses) and can record who is doing what to whom when, if we choose to.
Of course there is also the analogy of the innovators… that the internet must be free, “like the air that we breathe” in order for it to prosper and make the next leap. Regulation or oversight or loss of anonymity is somehow antithetical to all of that. Conveniently overlooked are the Environmental Protection Agency, the Federal Communications Commission, the Federal Aviation Administration, and a host of other agencies and rules that either impinge upon our use or make safe the “air that we breathe”.
Then of course there is “attribution”… that’s the term everybody murmurs before throwing up their hands and walking away from it as just too hard. But wait, is that a technical problem or a legal problem? If you steal cash from my bank, you are liable to end up with a face full of purple dye or a stack of “marked bills” that can be tracked relatively easily… if you even get out the door. Do we not have the equivalent of purple dye and “marked bills” in the cyber world? We certainly have counterfeits. If beacons and malware and logging/transmitting scripts can be injected into my computer… cannot interlopers be tagged and tracked in the same way? Even now, Cyber Clubs are appearing to replace some traditional Retirement Investment Clubs… their apparently recreational aim is to hunt down, track back, harass, attack, and misdirect cyber miscreants. Their posit is, “If the trouble-makers can do it to us and get away with it, why can’t we take the same steps against them… and isn’t this fun!?” Good question… my guess is we will make it hard on the vigilantes to operate because, “They may crash the world banking system or hospital life support by mistake”… but at the same time we will let the outlaws continue to run loose to do as they may… presuming that they care about the world banking system or hospital life support. On the other hand, returning to Dodge City 1861 vigilante days may not be the best road ahead either.
So the question is, “Why don’t we, in an authoritative way, address cyber like we do everything else?” Why aren’t there personal responsibility rules, and product reliability and liability rules? Why aren’t there “attractive nuisance” statutes? And why aren’t there legally enforceable penalties?
Why can someone not break into my house or my car with complete impunity, but can break into my network or my personal computer with impunity just about assured… and this is way less about attribution than some people would have you believe! Why can I spy in the physical world, or send a double agent home with bogus stolen information, or bug him so I know where he is… and not do the same, unimpeded, in the cyber world? If you are out on the internet with no anti-virus and no firewall and get taken as a botnet and through your computer damage is done, then what is your responsibility? (Conventional statistics guess that there are somewhere north of 200 million computers in the U.S., 85-90% have some sort of firewall/virus protection, but 65% of users don’t routinely update their programs… you do the math… and don’t get me started on all of those handheld “mobiles” with all of those “apps” that you blithely download, install, and then routinely dock to your desktop network.) On the business side of the issue where it is estimated we are losing probably $8-10 billion a year… not to mention lost intellectual property… if you are a company or an agency and see that you are under attack or have been penetrated, what is your responsibility to send up a flare for everyone else… and what provisions have been made to encourage you to share that information if you are one of the many thousands of companies not “encumbered” by Securities and Exchange Commission rules? And while we are at it, what compelling policy requires all law enforcement to share what they know with users or the intelligence community before an attack happens… and should they (prevention or apprehension… who connects those dots and gets to choose the greater good)?
So beyond the analogies, one reason that the problem is daunting is that there really is no one in charge with the authority and resources to be in charge… money, people, talent, gravitas… someone who can say, “Yes”, or “No” and make it stick. Much hope for the Czar, which skeptics believe is the Washington way of doing something without really doing something… but if the President can’t turn to a Department Head and say… “Make it happen”, and to all of the other heads, “Make sure it does happen”, can a Czar fill that void? The Department of Homeland Security has a lot of responsibility, including critical infrastructure protection, but has never gotten the money or the people to do the .gov and .com cyber piece. The National Security Agency certainly has the talent, but they have a day job of being spies. The Department of Defense has decided to get serious and organize for the .mil fight with Cyber Command… so ultimately they will have everyone suited up and on the right team with the right players and coaches, for the same game. Predictably this has made some heads explode in Congress and among some of the private and academic sectors and civil libertarians as they misunderstand it as a “Military takeover of the internet”… but not to the degree that anyone wants to offer any meaningful alternative solution or partnerships and authorities that would pair with DOD when the chips are down. So we continue down that dreary road of reaction instead of action… littered with multiple legislative attempts to fix one small pothole at a time without a view of where the road is going.
There is much talk of the imperative of a “Public-Private Partnership” and collaboration, but no willingness to sit down at the table and discuss and agree on the crucial issues of classification (how does classified information get shared across the unclassified enterprise?), bona fides (how does information coming the other way accrue verification and protection?), commingling (how does the information get integrated or should it be?), enterprise data sharing versus antitrust concerns (will be a big concern depending on whether you are in or whether you are out!), indemnification (if private providers are going to police their nets for the government as their commercial responsibility… what if they make a mistake… who gets arrested or sued?… if we are going to change from “own and operate” to everyone owning, operating, and defending their nets… there are some sticky questions on legal and financial issues), anonymization (if even a word… how do you ensure proprietary or competitive information is not exposed when alerts are shared?), and confidentiality (how do you ensure partnerships are not exposed – and should you?).
There is a disturbing lack of agreement on what terms actually mean and what actions those terms presage. Does exploit mean to analyze something you already have, spy for something you need, or take advantage and act on something you now know… and what sort of authorities are needed or lacking in each case? Similarly the term “active defense” conjures all manner of demons, but in the prosaic physical world, automobiles can set off alarms, call satellite monitoring sites, and disable their ignitions, sometimes using sensors that do not even require the car to be touched. And what perchance is an agent in place but active defense?
Beyond that is the agreement on what to do about data protection. People (or organizations) steal things because they have value and they are safe to handle and easy (or at least available) to steal. They penetrate and steal to sell, to compress idea development time, to blackmail, to understand their adversary, simply to acquire funds, and sometimes just for personal prestige. Therefore to make those things less attractive it is useful to make it hard to access (current and emerging hardware and software and enclaving approaches attempt to do so… but like the castle analogy the battle is constant), make it worthless (encrypting the data or tokenizing the data or both…. Yes things can be unencrypted, etc… but … not all things by all people), and make it dangerous (cyber dye to prove provenance, seeding data with misinformation, beacons to call “home”, even bots to exfiltrate the thief’s data… I know… attribution, active defense… I’m just saying.)
So here we are. We must acknowledge that individuals, companies, and in fact nations rely on a network developed for ease of connection/communication… for speed and convenience, not for security and safety. Into that mix we throw together a witches’ brew of cyber natives… too tech savvy, with an insatiable need for speed and connectedness, but often too trusting for their own good, with the rest of us, the cyber immigrants… too fearful, too naïve, and too slow to adapt. We have to admit we face a daunting array of threats, from cyber voyeurs, hobby hackers, hacktivists, committed criminals, commercial espionage and nation states (friendly and unfriendly) and we are unable or unwilling to take even the first steps to effectively and cooperatively attack (yes, attack) these threats. In effect, in a world of asymmetric warfare we choose to accept battle symmetrically on our adversaries’ terms, but then not use their rules. To add to the problem there is no discipline to the chorus of voices one hears, and it seems that every argument is always produced in isolation from all of the others. In reality the problem is a Rubik’s Cube of incredible dilemmas but also incredible opportunities if we can find the resolve to work through the frameworks of shared tiered authority, prerogatives, and responsibility.
So what do we need? First we need somebody in charge with the authority to force (yes, force… certainly in this town) all the players to the table. Next we need to agree that the unthinkable will happen whether we think about it or not… so let’s get the unmentionables, the faulty analogies, and the essential liberties versus essential security arguments, and the law enforcement/intelligence divides on the table. Let’s work through anonymity and authentication. Let’s come to a conclusion on standards versus standardization. Let’s agree that nothing will be 100% effective… we will have to manage the risk… most dear to least dear, most threatening, most probable, most damaging… individual chips to entire networks. We have to force agreement on responsibility/liability for product, service, personal, and governmental (force again being the operative word here… but if you can force everyone to have health insurance, or electronic medical records… I’m just saying). Finally we have to be able to reorder oversight of the enterprise in order to answer one simple question… which happens to be the one that people in charge from the President on down ask over and over again: “What’s going on?”, or alternatively, “How’s it going?”. For our purposes here that means being able to answer who’s on the net (which frighteningly to some means we must have some sort of identity management), do they belong on the net, what are they doing, and are they supposed to/authorized to do that?… and have everyone come up with the same answer at the depth we need and at the speed we need.
So again: Battlespace, Marketplace, or Playground? The real answer is, “All”… but within these great productive, conductive, and collaborative spaces propagates an unending series of malicious probes and attacks on us… each one of us… that seek to take advantage of our individual and institutional inattention, patience, and lack of focused responsibility. This could be the next Long War… and all the talk about self-forming, self-healing, self-immunizing, resilient networks in the universe will not protect us if we are not willing to recognize the threats as clear and present dangers and collectively come to the table and cooperatively prepare for the fight that is already upon us.