Defense in the Information Age

US cybersecurity strategy faces an uncertain future in Washington while the private sector bolsters its ability to respond to cyber attacks


U.S. Air Force officers monitor a simulated test April 16 in the Central Control Facility at Eglin Air Force Base, Fla. They use the Central Control Facility to oversee electronic warfare mission data flight testing. April 16, 2008 (U.S. Air Force photo/Capt. Carrie Kessler/Wikimedia Commons)

In July 2011, the Department of Defense (DoD) issued a five-point strategic initiative, the first of which designated cyberspace as the fifth domain of warfare, joining land, air, sea and space.1 Recent events such as Target’s security breach, which resulted in the compromise of the personal data of over 70 million consumers and the resignation of CEO Gregg Steinhafel, highlight the vulnerabilities of even the largest, and supposedly best-defended, enterprises.

Cyber warfare, defined as espionage or sabotage conducted through politically motivated hacking, has existed as long as networked devices. In 1998, US officials discovered systematic unauthorized access to sensitive data at NASA, the Department of Energy, private research labs, and the Pentagon. The DoD traced the attacks to a mainframe computer in the former Soviet Union, although Moscow to this day denies any involvement.2 In 2003, cyber attackers gained access to the networks of several major US defense contractors, including Lockheed Martin.3 The SANS Institute, a US security company, determined two years later that the attacks were “most likely the result of Chinese military hackers attempting to gather information on U.S. systems.” In the decade since these two milestone incidents, known by their codenames Moonlight Maze and Titan Rain, networked systems have experienced order-of-magnitude growth. Over 80,000 pieces of malware are reported daily in the United States.4 Despite the best efforts of financial institutions and large corporations, defending against cyber warfare has never been so difficult.

Recent events have revealed that cyber attacks can come from various sources, including national governments, militaries, organized crime, or individuals. In March 2014, a group of unknown hackers installed a malicious piece of software in Target’s security and payments system designed to siphon customer data to a remote server. Over the course of two weeks, the hackers obtained 40 million credit card numbers and 70 million addresses, phone numbers, and other pieces of personal information that Target had been trusted by its customers to protect.5 Just a few days later, the tech world was rocked by the discovery of the Heartbleed Bug, an accidental mistake in the coding of the OpenSSL cryptography library – part of the backbone of the Internet. In this case, a concerned citizen reported the vulnerability; had it been exploited, an attacker could theoretically have decrypted the web traffic on 20% of the world’s servers.6

If cybersecurity was not in the national spotlight already, then these two events certainly pushed it in. The Pew Research Center reported that 39% of Internet users surveyed either changed at least one account password or shut down at least one online account to protect personal data as a result of Heartbleed media coverage.7

The private sector was similarly quick to respond. On May 9, General Electric (GE) announced its acquisition of the privately held company Wurldtech, a Vancouver-based leader in cybersecurity solutions for oil refineries and power grids.8 On May 14, Gap, JC Penney, Lowe’s, Nike, Safeway, and Walgreen’s partnered with a large group of other retailers (including Target) to launch the Retail Industry Leaders Association (RILA), an independent organization combining the cybersecurity efforts of private retailers with those of the Department of Homeland Security.9 Finally, private firms funded this year’s United States Cybercrime Conference – an annual gathering of hundreds of private-sector administrators and CISOs (Chief Information Security Officers) – instead of the DoD as is typical.10

There is little argument in Washington with the opinion that the government must now protect public infrastructure and sensitive national data at all cost. Homeland Security, in its 2013 year-end report, stated that it responded to 256 cyber invasion incidents last year, 151 of which occurred in the energy sector.11 The thought of hackers compromising energy grids, or troop configurations and weapon designs falling into the hands of a foreign military, is chilling. A repeat of Moonlight Maze or Titan Rain in 2014 could compromise America’s position in a number of domestic and international affairs.

But the rapid emergence of cyber threats elicits two difficult questions. One, what should be the role of the government in protecting private sector institutions against cyber attacks? Two, how will voters and policymakers balance the need for cybersecurity with their desire for online privacy?

In a 2009 speech, President Obama declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation” and that “America’s economic prosperity in the 21st century will depend on cybersecurity.”12 He commissioned a comprehensive review (entitled “Cyberspace Policy Review”) of the US government’s ability to defend information and communication infrastructure. The resulting report outlined a ten-point plan designed to accomplish two objectives: improving US resilience to cyber incidents and reducing the general threat of cyber attacks.13 The ten-point plan, like the two objectives it was supposed to accomplish, was vague and largely procedural. Its scope was limited to the appointment of officials, the creation of preparedness plans, the promotion of national awareness, and the creation of new international relationships.

In February 2013, the President urged Congress to pass a more comprehensive and action-oriented plan named the Cyber Intelligence Sharing and Protection Act (CISPA). CISPA’s aim is to help the US government investigate cyber threats and ensure the security of networks against attacks.14 Introduced in 2012, the bill has twice passed the House and twice failed to pass the Senate due to concerns over a lack of civil liberties safeguards. Dozens of Internet privacy activist organizations have decried the bill for its failure to provide specificity on when and how the government can monitor an individual’s browsing history. Ron Paul (R-TX) labeled the bill “Big Brother writ large.”15

Recent reports from Capitol Hill suggest that Intelligence Committee Chair Dianne Feinstein (D-CA) and Ranking Member Saxby Chambliss (R-GA) have drafted a new piece of cybersecurity legislation currently being circulated for comment. Yet, the stated aim of the bill sounds too similar to that of CISPA to have a chance of passing the Senate. The new bill’s goal is reportedly to “allow companies to monitor their computer networks for cyber attacks, promote sharing of cyber threat information, and provide liability protection for companies who share that information.”16

Two new proposals have also been introduced in the Senate. The first, proposed by John Thune (R-SD), would allow the Federal Trade Commission to punish companies retroactively for failing to adopt “reasonable” data security practices and would preserve Congress’s authority to determine what those security practices should be.17 The second, proposed by Jay Rockefeller (D-WV), would give the Federal Trade Commission (FTC) legislative authority to set cybersecurity standards, removing Congress’s authority altogether.18

Given the rapidly increasing threat that cyber attacks pose and Congress’s relative lack of cybersecurity knowledge compared to the FTC, Rockefeller’s plan seems more reasonable. But the past history of the Senate’s concern for privacy indicates that neither bill will garner enough votes to pass.

The unfortunate reality for cybersecurity policy is that online security is simply not a top priority for enough Americans. Edward Snowden’s unauthorized disclosure of the PRISM program profoundly altered the public psyche toward online privacy, creating a largely irrational belief among many technology users that the government should not have a right to ensure maximum cyberspace security with their personal data. In CISPA’s case, people seem to value the privacy of their Internet browsing histories alone over the reduction of imminent cyber threats. Given Washington’s inability to pass legislation promoting cooperation between the private sector and the government, and that its chief responsibility is to ensure the security of nationwide systems and government facilities, individual companies are beginning to realize that the security of private sector networks is their prerogative alone.

Evidence suggests that the private sector is up to the task. In April, the National Retail Federation, a trade association comprising both independent and chain retailers, established the Information Sharing and Analysis Center, which links the threat data of all member retailers and shares anonymized data with the US government.19 The steps of GE in protecting its infrastructure through the acquisition of Wurldtech will bolster private sector confidence in the value of cybersecurity and will dispel fear that the return on investment of protecting critical information is outweighed by its cost.

In the coming years, companies will need to focus their efforts in these areas:

1. Transitioning the chief objective of cybersecurity from preventing attacks to reacting quickly and determining their source. Given the difficulty of predicting hacker behavior and the inevitability of eventual breaches, companies must develop robust internal programs that can destroy cyber attacks before they do damage. Target’s shortcoming was not its failure to prevent a breach, but rather its failure to act swiftly once it diagnosed the problem.20 The post-mortem investigation showed that Target’s systems set off unmistakable red flags, yet officials waited several days before acting on the information. Had they responded immediately, the stolen data would never have made it to the hacker’s servers.

2. Holding third-party providers to a higher standard. Most major company data breaches come through third-party service providers rather than through the company’s infrastructure. Data security is inconsistent across platforms and industries, and companies need to subject all of their partners and contractors to rigorous stress tests to ensure that attackers have no easy entry points.

3. Building stronger relationships with the government and the police so that attackers can be prosecuted. Regardless of what legislation is passed in Congress, the government’s role in cybersecurity should include, at a minimum, the vigilant pursuit of known cyber marauders.

While the burden may seem to fall hard on private sector companies today, the government will eventually pass definitive and meaningful legislation. The political climate toward national cybersecurity is simply too charged for a bill not to pass at some point in the next few years. The Pentagon’s annual reports to Congress have become increasingly direct in their condemnations of national militaries and governments. The 2012 report openly accused both the Chinese government and the People’s Liberation Army of propagating cyber attacks against the United States in a deliberate attempt to “gain strategic advantage.”21 The government is aware of the grave threat posed by cyber attackers; it now needs to match its rhetoric with legislation and action. Although largely symbolic, the Justice Department’s May 19 indictment of five members of the Chinese People’s Liberation Army for hacking into US networks was a step in the right direction. The hackers allegedly compromised the networks of Westinghouse Electric, the US Steel Corporation, and several other private companies. Attorney General Eric Holder Jr. stated that these actions crossed the line because the government commissioned covert actions for the purpose of gaining a commercial advantage, not for advancing national security.22

Nonetheless, it is not and should never be the government’s responsibility to ensure the full security of private sector networks. For the sake of both national security and auxiliary benefits to individual companies – such as liability protection after security breaches in exchange for sharing data with the government – Washington should still attempt to pass legislation that will improve cooperation between the private and public sectors. Perhaps the upcoming midterm elections will yield a Congress more appropriately focused on pushing a cybersecurity bill into law. If the Senate, as well as the American public, can realize the relative importance of national cyber attack preparedness over the disclosure of personal user data to the government, then US cybersecurity strategy may have a promising near-term future.


The views expressed by the author do not necessarily reflect those of the Glimpse from the Globe staff and editorial board.


Works Cited


1. U.S. Department of Defense. “Defense.gov Special Report.” 12 June 2013. <www.defense.gov/home/features/2013/0713_cyberdomain>.

2. Drogin, Bob. “Russians Seem to be Hacking into Pentagon / Sensitive Information Taken.” SFGate. 7 October 1999. <www.sfgate.com/news/article/Russians-Seem-To-Be-Hacking-Into-Pentagon-2903309.php>.

3. Lewis, J.A. “Computer Espionage, Titan Rain, and China.” Center for Strategic and International Studies. December 2005.

4. Proofpoint. “Upwards of 80,000 malware breaches a daily problem.” ThreatInsight. 19 March 2014. <www.proofpoint.com/threatinsight/news-feed/articles/upwards-of-80000-malware-breaches-a-daily-problem-596921>.

5. Kash, Wyatt. “Retail Breaches Bolster Interest in NIST Cyber Security Conference.” InformationWeek. 15 May 2014. <www.informationweek.com/government/cybersecurity/retail-breaches-bolster-interest-in-nist-cyber-security-advice/d/d-id/1252740>.

6. Yadron, Danny. “Massive OpenSSL Bug ‘Heartbleed’ Threatens Sensitive Data.” The Wall Street Journal. 8 April 2014. <http://online.wsj.com/news/articles/SB10001424052702304819004579489813056799076>.

7. Rainie, Lee and Maeve Duggan. “Heartbleed’s Impact.” PewResearch Internet Project. 30 April 2014. <www.pewinternet.org/2014/04/30/heartbleeds-impact/2>.

8. Lee, Richard. “GE purchase of Wurldtech focuses on cybersecurity.” Ctpost.com. 14 May 2014. <www.ctpost.com/news/article/GE-purchase-of-Wurldtech-focuses-on-cybersecurity-5479275.php>.

9. Gagliordi, Natalie. “Target, JC Penny among new ragtag retail cybersecurity team.” ZDNet. 15 May 2014. <www.zdnet.com/target-jc-penney-among-new-ragtag-retail-cybersecurity-team-7000029500>.

10. Tobias, Marc Weber. “Your Cybersecurity: Don’t Count on the Government.” Forbes. 12 May 2014. <www.forbes.com/sites/marcwebertobias/2014/05/12/your-cybersecurity-dont-count-on-the-government>.

11. National Cybersecurity and Communications Integration Center. “Trends in Incident Response in 2013 Overview.” ICS-Cert Monitor. 14 February 2014.

12. Office of the Press Secretary. “Remarks by the President on Securing our Nation’s Cyber Infrastructure.” The White House. 29 May 2009. <www.whitehouse.gov/the-press-office/remarks-president-securing-our-nations-cyber-infrastructure>.

13. The White House. “Cyber Security.” <www.whitehouse.gov/issues/foreign-policy/cybersecurity>.

14. Whittaker, Zack. “Obama’s cybersecurity executive order: what you need to know.” ZDNet. 13 February 2013. <www.zdnet.com/obamas-cybersecurity-executive-order-what-you-need-to-know-7000011221>.

15. McCullagh, Declan. “Opposition grows to CISPA ‘Big Brother’ cybersecurity bill.” Cnet. 23 April 2012. <www.cnet.com/news/opposition-grows-to-cispa-big-brother-cybersecurity-bill>.

16. Dianne Feinstein: United States Senator for California. “Feinstein, Chambliss Statement on Cybersecurity Information Sharing Bill.” 30 April 2014. <www.feinstein.senate.gov/public/index.cfm/press-releases?ID=2d6e00eb-e6aa-42a8-9ff8-d39fd4197251>.

17. Martinez, Jennifer. “Senate Commerce panel approves cybersecurity bill.” The Hill. 30 July 2013. <http://thehill.com/policy/technology/314433-senate-commerce-panel-approves-cybersecurity-bill>.

18. Sasso, Brendan. “Rockefeller to offer cybersecurity amendment to Defense bill.” The Hill. 21 November 2013. <http://thehill.com/policy/technology/191015-rockefeller-to-offer-cybersecurity-amendment-to-defense-bill>.

19. Higgins, Kelly Jackson. “Dual Retail Cyberthreat Intelligence-Sharing Efforts Emerge.” InformationWeek. 15 May 2014. <www.darkreading.com/analytics/threat-intelligence/dual-retail-cyberthreat-intelligence-sharing-efforts-emerge/d/d-id/1252767>.

20. Riley, Michael, Ben Elgin, Dune Lawrence, and Carol Matlack. “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It.” BloombergBusinessWeek. 13 March 2014. <www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data>.

21. Sanger, David E. “U.S. Blames China’s Military Directly for Cyberattacks.” The New York Times. 6 May 2013. <http://www.nytimes.com/2013/05/07/world/asia/us-accuses-chinas-military-in-cyberattacks.html>.

22. Schmidt, Michael S. and David E. Sanger. “5 in China Army Face U.S. Charges of Cyberattacks.” The New York Times. 19 May 2014. <www.nytimes.com/2014/05/20/us/us-to-charge-chinese-workers-with-cyberspying.html>.

A Response to the Pentagon’s Arctic Strategy

Last month, the Department of Defense (DOD) issued an “Arctic Strategy” white paper along with a positioning statement by Secretary of Defense Chuck Hagel. Major newspapers such as the Wall Street Journal and the New York Times ran stories summarizing the strategy, but the authors of this response feel that those analyses lacked context and stake. The Pentagon release on an Arctic strategy is not a hot news item, and the term “Arctic security” does not figure much in public discourse. Arctic security encompasses the international agreements for search and rescue, environmental and ecological security, international agreements on border delimitation, Arctic military capability, as well as the economics of resource extraction and the potential for trans-Arctic maritime trade. While a good start, the policy paper produced by the Pentagon is lacking substance. The authors of this piece seek to apply our diversity of knowledge studying Arctic politics – in the field – to provide context and recommendations in response to the Department of Defense. While we will discuss the politics of political and military security, the other issues of ecological security and Arctic governance will be addressed in kind.

International Security Cooperation Forum Proposal:

Although the Pentagon emphasizes the need for greater international cooperation as a way to prevent the Arctic from becoming a militarized zone, it falls short in identifying effective means of multilateral security cooperation. The Pentagon’s Arctic strategy document supports cooperative efforts via the Arctic Council as well as regional military training exercises as ways to maintain peace. However, there still does not exist a multilateral forum for the five Arctic littoral states to discuss hard security issues. The Arctic Council is prohibited from engaging in security discussions, and Arctic nations seem reticent to mention these sensitive issues. Given the fact that each littoral Arctic state is gradually increasing its military presence in the region, it is crucial for the U.S. to engage Arctic nations on hard security issues to prevent a conflagration that could result in an arms race – one the public would likely not notice. Although conversations on hard security issues have occurred bilaterally, it is time to discuss these issues multilaterally. A potential forum could be a recurring Arctic security summit where both civilian and military representatives from each Arctic state meet to discuss the role of each nation’s military in the Arctic. This summit would be a step toward preserving the Arctic as a peaceful zone through meaningful dialogue and addressing the sensitive issues head-on. Without an honest and recurring dialogue on both hard and soft security issues, the possibility of the Arctic becoming further militarized would increase dramatically.

The Arctic, a region that has only recently seen a spike in interest and development, requires fresh governing structures. The proposed security summit and other potential means of hard security cooperation could serve as models for existing international security governance structures that do not function as effectively. In this regard, the Arctic represents an opportunity for the international community to explore more effective and transparent ways to conduct international security cooperation.

UNCLOS and Arctic Governance

The decision by the US Congress to postpone, delay, and ignore the UN Convention on the Law of the Sea (UNCLOS) is beyond counterproductive. UNCLOS is de facto law in the Arctic Ocean since the US is the only state in the region that has yet to ratify the law. Ratifying UNCLOS will allow the US to make larger maritime claims in the Arctic. It will also allow the US to contest and petition Article 76, which allows nations to extend their maritime borders on the basis of how far their continental shelf extends. The Russian Federation currently has an outlying claim that would extend their claims as far as the North Pole. Considering an estimated 15% of the world’s oil and 30% of the world’s natural gas is in the Arctic region, it would be wise for the US to join other states in signing on to this international law. Furthermore, the potential opening of the Northern sea route to shipping means that the designation of Exclusive Economic Zones (EEZs) now has expanded political-economic significance.

Arctic Claims

This map shows current borders in the Arctic as well as claims made by Russia. Recently, Canada made claims that extend as far as the North Pole. Map by Ahnode (Own work) [Public domain], via Wikimedia Commons

Ecological Security and why it should matter to the Pentagon:

In the twentieth century, global air temperatures rose an average 1-2°C. This is nothing compared to the Arctic where temperatures rose 5°C. This comparison illustrates the importance of the Arctic environment as a climate change barometer. In 2012, scientists measured a 97% surface melt of Greenland’s ice sheet. This exceeded most accepted models and scientists are re-evaluating at what point in this century we may expect no summer Arctic ice. The question of whether we will witness the disappearance of the polar caps is not one of ‘if,’ but ‘when.’ Since Arctic ecosystems are impacted more rapidly by climate change, understanding these changes is crucial to managing the effects on the world’s interdependent ecosystems. While climate change might not affect the DoD’s daily operations, a dialogue between scientific research and political-military objectives should inform the overall strategy. The Arctic Council is an institution that already seeks to bring dialogue to the vast array of information, scientific or otherwise, relevant to the Arctic region and climate change discussions in general. Heightened dialogue between the Department of State and the Arctic Council would be a good place to start.

Need for Investment in Arctic Capabilities:

Although the Pentagon states its intention of increasing its presence in the Arctic, it also makes clear that the current fiscal environment may stunt further investment. Not asserting American interests would be a mistake insofar as an image of disinterest will be perceived as American weakness in the Arctic. Indeed, other Arctic nations already perceive a strong US disinterest in the region. The lack of an American presence in the region would also prevent US military and law enforcement entities such as the Navy and Coast Guard from protecting the integrity of territorial claims, carrying out search and rescue missions, executing law enforcement functions, and responding to environmental disasters. As of now, the US lacks sufficient dedicated Arctic resources for security and humanitarian purposes. While other US military equipment, such as nuclear submarines and aircraft carriers, have the capability of traversing the Arctic, the US does not have Arctic-specific resources to effectively respond to a disaster or other threats. For example, the US possesses only 5 icebreakers in its fleet and has had to lease icebreakers from Russia and Sweden in the past. This small number of icebreakers stands in stark contrast to Russia’s 37 vessels. Even small Sweden outdoes the US with 7 icebreakers. Due to climate change, the region will likely see increases in resource extraction, shipping, fishing, and tourism. This increase in activity in the Arctic would likely be accompanied by an increase in emergency situations. The US currently lacks effective Arctic capabilities, severely limiting the ability to respond to emergency situations or security threats.

In order to mitigate these threats and to enhance US military and rescue personnel in the region, the US needs to invest more in developing Arctic-specific technology and infrastructure. For starters, the US should build a dedicated Arctic icebreaker fleet to better navigate the frigid terrain. Additionally, the US should explore the option of pursuing joint search and rescue exercises with all of the littoral Arctic states, especially Russia. These search and rescue and/or environmental disaster relief exercises would not be as controversial as conventional military exercises and would allow each nation’s military/law enforcement services to become more familiar with one another. Actively working to break the divisions of yesterday by building collaborative relationships today could ameliorate the potential for conflict in the Arctic.

Concluding Remarks:

The US is faced with the enormous challenge of increasing its Arctic presence while convincing other Arctic states that its intentions are peaceful. The US cannot afford to see the Arctic escalate into a zone of conflict and thus must handle this situation very delicately. The DoD’s Arctic strategy is a welcome policy document to a country that has historically lacked a significant interest in the region when compared to the other littoral Arctic states. However, the Pentagon’s strategy needs to incorporate more pragmatic and effective means of international cooperation to accomplish its objectives. In addition, the current fiscal environment should not influence the US’ ability to help secure and develop a region that will likely see a heavy increase in activity due to climate change. Both US military and civilian units need to invest more resources into developing superior Arctic capabilities to better respond to disasters while protecting American interests in a region that is growing in significance and accessibility.

In the 19th century, the established nations of Europe met in Berlin to carve up Africa with the intent of extracting from it resources and riches upon which empires were built. The social, political, and human costs of this are still being felt today. In the 21st century, the established nations of Europe, Asia, and North America are prepared to descend, and in certain instances already have descended, upon the Arctic for similar motivations: resource wealth, trade, and power. It would be foolish to think that because Arctic states are politically stable or economically developed that somehow this translates into regional stability. If history is any indication of what is to come, we should actually be all the more alarmed that “established” states are scrambling for the Arctic. Granted, the “Scramble for Africa” involved a large landmass and the intent of colonizing large populations, thus the forthcoming “Scramble for the Arctic” will not be a carbon copy of the past. In sum, there is an opportunity for the Arctic to be used for the benefit of all nations, and this begins with a sustainable governance regime.