Here is the latest edition of my column at Foreign Policy:
Topics include:
1) The Pentagon's cyberdefenders get a hopeless mission,
2) Can deterrence work on al Qaeda?
The Pentagon's cyberdefenders get a hopeless mission
In the current issue of Foreign Affairs, Deputy Defense Secretary William Lynn reveals Operation Buckshot Yankee, the Pentagon's effort to counter what Lynn terms "the most significant breach of U.S. military computers ever." In 2008, a foreign intelligence service, which Lynn doesn't identify, slipped malicious software code onto a flash drive. This flash drive was subsequently inserted into a U.S. military laptop computer in the Middle East, spreading an infection across both classified and unclassified Defense Department networks. The infection was designed to extract information from these networks and deliver it back to the foreign intelligence service. Lynn describes the Pentagon's response to this incident as "a turning point in U.S. cyberdefense strategy" and a catalyst for wide-ranging reforms.
According to Lynn, more than 100 foreign intelligence organizations are attempting to break into U.S. networks. Lynn believes that a dozen determined hackers, if they found a vulnerability to exploit, could steal the U.S. military's plans, blind its intelligence systems, or disrupt its military operations. On the current cyber battlefield, offense is dominant, with U.S. cyberdefenders constantly lagging behind.
Lynn states, "[T]he United States cannot retreat behind a Maginot Line of firewalls or it will risk being overrun." In this case, the threat of punishing retaliation doesn't apply -- cyber attackers hide their identities and mask the origins of their attacks.
The U.S. government's first response has been to get organized. The military's cyber operations have been collected into a Cyber Command, purposely co-located with the National Security Agency (NSA). Next, the Pentagon has extended its cyber expertise to its network of essential outside contractors and to critical civilian infrastructure that the Pentagon requires for its operations. Finally, the Pentagon is establishing cyber defense alliances with the Department of Homeland Security and selected foreign allies.
These are all logical steps that the government always takes when it faces a new persistent problem. Yet by Lynn's description of the problem, the Pentagon faces an unending siege on terms very unfavorable for those responsible for its cyber defense. Lynn and his colleagues are placing their hopes on an improved model of "active defense." In addition to standard computer "hygiene" (anti-virus software and firewalls), the Pentagon now works with the NSA's signal intelligence capabilities to anticipate intrusions, classify them when detected, prevent them from making a penetration, and if all of else fails, chase down and quarantine threats after they make it inside.
Although Lynn disparages a defensive Maginot Line mentality, the "active defense" he describes sounds like soldiers forever on the ramparts. Lynn aims to deter hackers by denying them the benefits of an attack. But as long as there is no cost for attacking, there is no reason to stop trying. Lynn and his colleagues hope that better cooperation within the U.S. government, and with the technology industry, computer researchers, and foreign allies, will ensure that the United States maintains its technological edge and thus the success of its cyber defenses. Regrettably, in spite of these resources, the U.S. faces a whole world of intruders and should not count on any enduring qualitative advantage over its adversaries. And that world of intruders can keep attacking without cost or risk until they slip by the defenders.
What is the answer? Lynn describes it near the end of his article: "[The Defense Advanced Research Projects Agency (DARPA)] is also challenging the scientific community to rethink the basic design of the Pentagon's network architecture so that the military could redesign or retrofit hardware, operating systems, and computer languages with cybersecurity in mind." In other words, the Pentagon and its supporting infrastructure should leave the current cyber battlefield that so favors its adversaries. Instead of using commercial off-the-shelf computer hardware, software, and standard Internet protocols, the Pentagon would design and install customized and exclusive systems (at least for its classified and operational applications) that would deliberately be incompatible with the rest of the Internet.
The U.S. government has a perfectly horrible record at efficiently executing large computer projects. Such an effort to overhaul the Pentagon's computer systems would be the largest, costliest, and most complicated yet. It is thus understandable that Lynn and his colleagues would prefer to give their less-costly active defense approach a try. But this decision also leaves in place the structure that gives enduring advantages to the Pentagon's cyber adversaries. Active defense and truly isolating the Pentagon from the rest of cyberspace are not mutually exclusive efforts. While DARPA works on cutting off the Pentagon from the rest of the world, the Pentagon's cyber warriors will get no sleep defending the fort.
Can deterrence work on al Qaeda?
Western academics and military analysts spent decades during the Cold War working out theories of deterrence to prevent a war with the Soviet Union. Now one of those theorists -- Paul Davis, a researcher at the Rand Corp. -- has published a study that attempts to fashion a theory of deterrence against al Qaeda. Davis's study is based on his review of recent academic research, blended with his attempts to fashion models and organize the variables that bear on al Qaeda's decision-making and its ability to sustain its operations. Many hope that deterrence theorists could make as large a contribution to countering al Qaeda as they did to preventing World War III. Alas, Davis's summary appraisal -- "deterrence and other influence efforts are desirable because of their upside potential rather than the certainty or expectation of good results" -- is not hopeful.
Davis takes the now-standard view that al Qaeda is a network system rather than a singular entity. He then explores the possibility that counterterrorism actors like the U.S. government might exert behavior-modifying "influence" on various parts of the al Qaeda system. During the Cold War, deterrent influence was directed at the decision-making calculations of top Soviet leaders. With al Qaeda, Davis largely bypasses the top leadership and instead focuses on the decision-making calculations of lower-level individuals and the population in which al Qaeda attempts to find shelter.
After diagramming the various social factors -- such as grievances, peer group persuasion, the search for social status, disruptive societal change, etc. -- bearing on individual and population support for al Qaeda, Davis seems to conclude that the United States' ability to have a direct and positive influence on these factors is limited, except perhaps in the very long run. By contrast, Davis seems to agree with those who believe that direct attempts by the United States to manipulate these social factors against al Qaeda are more likely to makes things worse.
Davis suggests that small successes at tactical deterrence may over time accumulate to larger strategic success. For example, physical hardening of probable terrorist targets (such as airports and iconic buildings) can deter successful attacks. If such attacks are deterred for many years, Davis suggests that terror groups could lose their credibility and thus support from demoralized leaders, financiers, recruits, and the population.
Much more controversially, Davis examines the role of collective punishment. He points to Israeli research, based on interviews of current and would-be terrorists, which concluded that individual terrorist members can sometimes be deterred or dissuaded by knowledge that participation would bring severe harm to their families. That a suicide bomber may care more about his family's lives than his own provides leverage for the counterterrorist.
Collective punishment presumably remains well beyond the pale for U.S. policymakers. As long as the damage done to the U.S. homeland by terrorists remains minimal, these policymakers get a pass at having to contemplate such harsh moral dilemmas.
Comments
Mike Few: The above anonymous was by me (an anonymous now using a sobriquet). Thanks for the heads-up - interesting.
I am also, through my mentioned 16-year old computer tech (full-time hacker?) that cadets at West Point competed in competition against NSA in to identify talent in this field awhile back.
A little levity for Sunday: "We like hacking every day. We hack for the U-S-A! We made a virus just for fun - and infected the Tali-ban.
In July, an SWJ journal entry covered recruiting, development and retention of the "proper" cyberwarriors.
Recruiting, Development, and Retention of Cyber Warriors Despite an Inhospitable Culture
by Lieutenant Colonel Gregory Conti and Lieutenant Colonel Jen Easterly
http://smallwarsjournal.com/blog/2010/07/recruiting-development-and-ret/
Just as we have now developed doctrine for COIN, has any thought been given to developing such for maneuver warfare in cyberspace?
Obviously its a given that adversarial foreign militaries such as China, N. Korea, Russia etc. are ramping up advanced hacking cells, it makes strategic sense for America to do the same.
In my estimation, the best personnel for recruiting individuals to staff opposing cells at the Pentagon are not found in the normal recruiting pools, but probably need to come from the "black hat" underground community of hackers, which was reinforced by a 16-year old that I had recently "tune-up" my computer.
Amusingly, my sense is that the very nature of the type of individual who populates this underground community might lead one to question how reliable, ethical and disciplined our information warfare teams will be if populated by what some may view as criminal activity, but that's probably a generational issue we can get over.
If we are serious about the cyber threat challenge in the 21st century (after all, few can navigate with a map & compass anymore) we might want to remember that problems are information and knowledge intensive. This means that an old rule from the software world applies: a couple of great programmers, are more valuable than a room full of good ones.
Apply this rule to any complex information-intense problem you face and you will get much faster, cheaper, and better results. My point being, unlike the hordes of bureaucratic defense contractors that permanently infest the halls of the DoD, look elsewhere and lets put together a private military company staffed by field mission specific employees - young hackers!
Toujours Fidele