Hope is Not a Foreign Policy » Cyber Warfare

Insurgents Hack U.S. Predator Drones with $26 Software Package

Tom Skypek — Thu, 17 Dec 2009 15:59:40 +0000

Congress Should Launch All-Star Commission to Examine Cyber Threats

Tom Skypek — Tue, 17 Nov 2009 23:43:43 +0000

A report issued last month by the U.S.-China Economic and Security Review Commission concluded: ”China is likely using its maturing computer network exploitation capability to support intelligence collection against the U.S. Government and industry by conducting a long term, sophisticated, computer network exploitation campaign.” For the last decade, China has been conducting ”hacker attacks” and network intrusions against U.S. Government and private sector computer networks. In June 2008, Congressman Frank Wolf (VA-10th) revealed that computers in his office had been hacked; authorities concluded that the attacks originated in China. Last May, I argued in The Washington Times that our lack of a declaratory cyber deterrence policy makes us weaker as a nation by enabling our adversaries in cyberspace to operate in what amounts to a consequence-free environment.

Congress should launch a new independent commission to examine the threat posed by offensive cyber capabilities. But this commission should not be comprised of only career national security professionals. Rather, it should include innovative thinkers in private industry. We need creative thinkers to look at this challenge with fresh eyes, unencumbered by Washington’s national security bureaucracy. Cyberspace remains America’s Achilles’ heel. Great steps have been taken to enhance our cybersecurity and head off a “Pearl Harbor” in cyberspace but the threat of a catastrophic, disruptive attack remains.

Candidates for this commission should include an eclectic mix. Here are a few candidates:

Steve Jobs, Founder and CEO, Apple Corporation, Inc.
Sergey Brin, Co-Founder and President, Technology, Google, Inc.
Mitt Romney, Former CEO, Bain & Company
Richard Rumelt, Professor, UCLA Anderson School of Management
Ian Bremmer, President, Eurasia Group

Can you imagine the brainpower these men would bring to bear on this problem? These commissioners should be assisted by a team of staff assistants with expertise in defense, intelligence, information assurance, and law enforcement. Each staff assistant should have 15-20 years of experience in their area of expertise. Each staff assistant should be supported by a cadre of research assistants with 5-10 years of experience in defense, intelligence, information assurance, and law enforcement.

Topics for exploration should include:

Cyber Deterrence
Interagency Resourcing for the Acquisition of Materiel Cyber Capabilities
Human Capitial Elements of Cyber Warfare in the U.S. National Security Community
Offensive Cyber Capabilities
Intelligence Collection on Cyber Threats
Public-Private Sector Coordination
Cyber Capabilities of the People’s Liberation Army

The cyber challenge requires “outside of the box” thinking. Each of these prospective commissioners have proven themselves as innovative thinkers, problem solvers, and entrepreneurs. They are an intellectually diverse group and would examine the cyber challenge with a unique perspective. Rather than have the same Washington think tanks and the same Washington analysts look at the problem, we should ask these successful businessmen to leverage their experience to tackle a huge national challenge.

New Cyber Attacks Showcase Need for Cyber Deterrence Policy

Tom Skypek — Wed, 08 Jul 2009 18:20:33 +0000

The AP is reporting on a new round of cyber attacks that targeted computer networks at the Treasury Department, Federal Trade Commission and Secret Service. Other targets are reported to have included the White House, Pentagon, and New York Stock Exchange. W. David Gardner of InformationWeek reports that the attack was even more expansive, including more than 25 targets:

Law enforcement officials in the U.S. and South Korea were stepping up their efforts Wednesday to halt a rash of denial of service cyber attacks against more than 25 government agencies and companies. While the source of the attacks wasn’t pinpointed as of Wednesday morning, officials said they suspected the attacks originated in North Korea or from groups sympathetic to North Korea.

This problem is not going away. I wrote an op-ed in The Washington Times in May which communicated the need to articulate a clear cyber deterrence policy. Our adversaries, I argued, are launching attacks in cyberspace in what amounts to a consequence-free environment. We need to find ways to impose costs on our adversaries. They cannot continue to launch attacks in cyber space without fear of retaliation. Here’s what I wrote on May 7, 2009, just after the Joint Strike Fighter (JSF) program was hacked and design information was stolen:

Policymakers in Washington should examine how the threat of military force can be used to prevent attacks in cyberspace. Regrettably, deterrence has been an underutilized element of Washington’s efforts to build a strong cybersecurity policy.

Without a cyberdeterrence policy in place, the United States can expect more and larger cyberattacks on its interests. It was reported in the Wall Street Journal on April 21 that a cyberintrusion breached the Pentagon’s $300 billion Joint Strike Fighter (JSF) program. The attackers copied critical design information which could make it easier for an adversary to defend against the aircraft in a conflict.

The Obama administration recently concluded a 60-day review of U.S. cybersecurity; details of the review have not been released, though it is believed the review focused largely on the coordination of U.S. cyberinitiatives throughout the federal government.

An effective cybersecurity strategy must include a clearly articulated cyberdeterrence policy. When responding to a cyberattack, Washington should move beyond cybercounterattacks to include full kinetic attack options.

In other words, cruise missiles or precision guided munitions should be used to retaliate against facilities where cyberattacks are launched with the complicity of an enemy state. All options should be on the table when it comes to responding to attacks in cyberspace.

A declaratory cyberdeterrence policy will not eliminate the threat of cyberattacks, but it will limit the number of attacks – particularly from state actors such as China. Lone-wolf hackers are much more difficult to deter, but deterring state-sponsored cyberattacks will make an incredibly complex problem more manageable as resources can be diverted to focusing on lone-wolf hackers. The deterrent piece of U.S. cybersecurity strategy should focus on state actors. States who sponsor cyberattacks – or allow nonstate actors to launch attacks from within their borders – should be held responsible for such attacks.

I recognize the fact that the attribution piece makes deterring cyber attacks challenging. It is easy for the bad guys to conceal their identity in cyber space or even make it look like another country executed an attack. However, attribution is not an insurmountable challenge and in many cases we are able to attribute the attacks. Developing a comprehensive response plan is what policymakers need to work on–and fast. As I said, this problem is not going away. The “Pearl Harbor in cyber space” that I wrote about in May is preventable, but the U.S. needs to act quickly. These cyber attacks are becoming more frequent and more damaging. The U.S. cannot afford to be surprised by a catastrophic cyber campaign against military, government, and private sector targets. The 2007 adventure film, Live Free or Die Hard, starring Bruce Willis gave us a glimpse into what a catastrophic cyber campaign could do to this nation. This is serious business. The Congress and the Obama administration need to act.