Cyber Scene #10 - Cyber Insecurity: the Optic of Informed Outreach Pragmatists
Cyber Scene #10
Cyber Insecurity: the Optic of Informed Outreach Pragmatists
In the wake of a month of cyber-linked, below-the-surface icebergs rising to the top half of digital daily newspapers, to include dramatic Russo-US investigations and the Manchester bombing, this Cyber Scene will focus on broad issues that feed into the creation of policy and its implementation intended to direct and fund countermeasures, technology, and legal support.
The Cyber Savvy: Thoughts from Private Sector Former US Officials
As promised last month, the Senate Armed Services Committee (SASC) hosted Gen. (Ret.) Keith Alexander, CEO and President of IronNet Cybersecurity (more famously former COM/CYBERCOM and DIR/NSA) along with three non-governmental cyber experts: Dr. Craig Fields, Chief, Defense Science Board (DSB); Honorable James Miller, Member DSB and former Undersecretary of Defense for Policy; and Mr. Matthew Waxman, Columbia Law School Professor of Law. In addition to their open testimony on 2 March 2017, Gen. Alexander's written statement focused on the USG building connectivity and interoperability with the private sector on cyber; Fields and Miller submitted written testimony and jointly addressed cyber deterrence regarding both great powers and non-state threats, and Mr. Waxman discussed the yet un-reconciled issue of a cyber attack's relationship to an act of war, addressed earlier in this Cyber Scene series and framed by Waxman in the context of a violation of the UN Charter's prohibition of force. He noted that NATO's Article 5 does include cyberattacks--a footnote of interest in light of the US President's public failure to endorse Article 5 in his visit with NATO on 25 May 2017, an omission addressed by US Ambassadors to NATO under both George W. Bush and Barack Obama. According to Waxman, the expectation is a bar set at deterrence, not elimination of a cyber threat. Fields and Miller added that there is a "thin line" of a cyber secure force to create cyber resilience at this time. Their collective testimony referenced the broad role of the DSB to collaborate across universities, Federal Funded R & D Centers (FFRDC's), National Labs, the National Academies of Science and Engineering, etc.
Gen. Alexander's testimony triggered a return Hill visit on 30 Mar. 2017 to discuss, relatedly, Russia before the Senate Select Committee on Intelligence (SSCI)--the SSCI's first open hearing on this subject.
Threats:
a. teenage hacker in the basement? b. crazy uncle in the Korean attic? c. wily ex-KGB chief in the Kremlin? d. all of the above and lots more? (correct answer)In its April 8 2017 edition entitled "Why computers will never be safe," The Economist pursues the story of a British high school student (Response "a" above) to illustrate its subject "Computer Security: Why everything is hackable." It cites examples of why hackers don't need to deal with chip design and manufacture to create havoc, whether for purposes of "show-of vandalism" or criminality. In addition to efforts by Google, Microsoft, Amazon and others to develop standard encryption protocols, DoD's DARPA, which arguably can lay claim to inventing the internet, continues to work against its vulnerabilities. The article includes a catchy chart mapping the lines of text and source code starting roughly with 1985's Super Mario Bros. to today's Google products. The Economist also examines various attempts to bake security into software under development, including work at the University of Cambridge by a Dr. Watson (not THAT one!) on innovations to be added to existing chips used by INTEL and others. Another angle proposes that the myth of cyber security hinges on economics, not technology and that the market will, in the final analysis, drive innovation.
Since this 8 April article went to press, aftershocks from the RANSOMEWARE attacks, which did in fact impact the daily lives of many in the UK and elsewhere, were the subject of the 14 May edition of the New York Times. The globalization of the internet, and the number of things it entails, as well as the wall-free borders well beyond Schengen given the origin of the attack, spotlight the impact on everyday life worldwide.
As a follow up to discussion of SecDef Mattis's confirmation hearings last Cyber Scene, his reference to deterrence continues the previous administration's policy, laid down in an Executive Order "naming and shaming" to include Iranian and Chinese hackers resulting in the US Treasury Dep. being directed to impose financial sanctions on hackers.
However, operational options remain on the table. The SASC hearing of 9 May chaired by Senator John McCain underscored concern about a lack of strategy on cyber security and the need to create a whole of government approach to enable DoD to counter threats in cyberspace. This hearing noted the elevation of Cyber Command last year to a full combatant command, the possibility of extracting lessons learned from the US Coast Guard's domestic and international authorities as a model, and discussion of creating a cyber service. ADM Rogers, Commander of CYBERCOM, opined that a cyber force would create a narrow and isolated set of technologies rather than the role of cyber in a much broader context in need of a whole of government focus. He also added that implementation of this approach needed to fall under the policy aegis of and coordinated with the US Undersecretary of Defense for Policy.
Looking further forward, post-Manchester, new DNI Dan Coats spoke before the SASC on 23 May 2017 underscoring two reasons for the severe risk represented by cyber threats to the US. First, growing numbers of nation states to terrorist organizations are becoming bolder and more capable. Secondly the potential impacts of these threats are "amplified by the ongoing technology on our critical infrastructure and our daily lives."
Come here, Dr. Watson (DARPA, and innovators of the universe); world needs you.