On February 2, the Director of National Intelligence (DNI), Admiral Dennis Blair, USN (Ret.), and his main subordinates from the CIA, DIA and FBI appeared before Congress to deliver their annual threat assessment. According to Admiral Blair, the nation’s cyber infrastructure is “severely threatened.” Not only is the threat increasing, but the DNI delivered the ominous judgment that for the foreseeable future the balance of network technologies will favor malicious actors. According to cyber security experts, advanced “hacking” tools are readily available on the Internet. Moreover, the tools are becoming ever more sophisticated. In 2009, the DNI reported, we saw the first self-modifying malware. This event also highlights one of the great disadvantages of cyber defense. The defender is always one step behind, having to experience an attack before a defense can be developed against new forms of attack.
One of the other problems confronting the DNI and the cyber security community is the problem of attribution. This is not only a problem for cyber defense but also for the prospects of being able to deter attack through the threat of retaliatory action. For deterrence to be effective, the one being deterred must be convinced that retaliation will be sure, swift and costly. The problem is that while we can generally identify the perpetrator of a cyber attack (or at least the computer that was the source of the event), this is not the same thing as knowing the identity of the human at the keyboard. But even if we could do that, we have almost no ability to determine causality. Is the person launching the attack a member of Al Qaeda, an officer in Chinese or Russian intelligence, a criminal or a bored teenager? Even if he was the last, was he being manipulated by someone? Connecting the dots in cyber space is even more difficult than it is in the world of counter terrorism.
Then there is the problem of public-private cooperation. Most of our cyber assets are in private hands. Most of our cyber “warriors” either are in the government or work for it. It is for this reason that the National Security Agency has been called in to help defend Google after it was attacked, allegedly by Chinese hackers. The federal government has been struggling for years to work out an effective partnership with the private sector, with spotty results.
The challenges facing the DNI, in reality the entire U.S. government, when it comes to cyber offense are different from, but as serious as, those in the cyber defense domain. There are many tools and techniques available to our cyber warriors. I am sure they could do enormous harm to any network they were directed to attack. But what is lacking is a theory of cyber warfare. There are no credible, tested doctrines, strategies or operational concepts to guide offensive operations in cyber space. Part of the reason for this is that much of what occurs in cyber offense is highly classified. In part, it is because the national security establishment, in general, and the military, in particular, have yet to recognize that cyber warfare will be central to the future of war.
At present, our government is struggling just to protect itself from cyber attacks. The focus of discussion about cyber issues in the 2010 Quadrennial Defense Review was on defending defense networks. There is nothing wrong with this but it is not enough. The administration and key federal departments and agencies need to get much more serious about war in the cyber age.