What is needed to fight the cyber war

Michael McConnell:

The United States is fighting a cyber-war today, and we are losing. It's that simple. As the most wired nation on Earth, we offer the most targets of significance, yet our cyber-defenses are woefully lacking.

The problem is not one of resources; even in our current fiscal straits, we can afford to upgrade our defenses. The problem is that we lack a cohesive strategy to meet this challenge.

The stakes are enormous. To the extent that the sprawling U.S. economy inhabits a common physical space, it is in our communications networks. If an enemy disrupted our financial and accounting transactions, our equities and bond markets or our retail commerce -- or created confusion about the legitimacy of those transactions -- chaos would result. Our power grids, air and ground transportation, telecommunications, and water-filtration systems are in jeopardy as well.

These battles are not hypothetical. Google's networks were hacked in an attack that began in December and that the company said emanated from China. And recently the security firm NetWitness reported that more than 2,500 companies worldwide were compromised in a sophisticated attack launched in 2008 and aimed at proprietary corporate data. Indeed, the recent Cyber Shock Wave simulation revealed what those of us involved in national security policy have long feared: For all our war games and strategy documents focused on traditional warfare, we have yet to address the most basic questions about cyber-conflicts.

What is the right strategy for this most modern of wars? Look to history. During the Cold War, when the United States faced an existential threat from the Soviet Union, we relied on deterrence to protect ourselves from nuclear attack. Later, as the East-West stalemate ended and nuclear weapons proliferated, some argued that preemption made more sense in an age of global terrorism.

The cyber-war mirrors the nuclear challenge in terms of the potential economic and psychological effects. So, should our strategy be deterrence or preemption? The answer: both. Depending on the nature of the threat, we can deploy aspects of either approach to defend America in cyberspace.

...

How do we apply deterrence in the cyber-age? For one, we must clearly express our intent. Secretary of State Hillary Rodham Clinton offered a succinct statement to that effect last month in Washington, in a speech on Internet freedom. "Countries or individuals that engage in cyber-attacks should face consequences and international condemnation," she said. "In an Internet-connected world, an attack on one nation's networks can be an attack on all."

That was a promising move, but it means little unless we back it up with practical policies and international legal agreements to define norms and identify consequences for destructive behavior in cyberspace....

... More specifically, we need to reengineer the Internet to make attribution, geolocation, intelligence analysis and impact assessment -- who did it, from where, why and what was the result -- more manageable....

...
Some actors are going to require preemption. That is something we have not shown to date. I think that once we master the attribution aspect of cyber defense we need to take the same approach we do with any radar when it locks onto our approaching planes. We release an anti radar missile that homes in on the signal and take sit out.. We need to be able to release a destructive cyber attack on anyone who attempts an attack.

Comments

Popular posts from this blog

Should Republicans go ahead and add Supreme Court Justices to head off Democrats

29 % of companies say they are unlikely to keep insurance after Obamacare

Is the F-35 obsolete?