Cyberspace Cooperation

As U.S. military strikes against the Syrian government become more likely, many in the West are worried about retaliatory cyber attacks of pro-Assad forces on critical information infrastructure in Europe and the United States. The Syrian Electronic Army and its recent activities of hacking various news websites and social media platforms, has especially caused ‘cyber angst’ among private-sector companies. However, while sophisticated cyber attacks are a possibility, the likelihood of severe disruptions is minimal to non-existing.

From all the open source intelligence gathered at this stage, Syria’s offensive cyber warfare capabilities are limited. While Iran, which boasts that it has "the fourth-largest cyber force in the world" is actively supporting the Assad regime, this effort, led by the Iranian Ministry of Intelligence and Security, is largely focused on electronic surveillance and identifying members of the opposition. The Assad government’s principal focus in cyberspace is domestic.

The Syrian government has little incentive to pour precious resources into sophisticated offensive cyber weapons that will not influence the outcome on the battlefield in Syria. In this case bullets are beating bytes, or, as Eric Schmidt and Jared Cohen put it succinctly in their book The New Digital Age: “You cannot storm an interior ministry by mobile phone.”

Consequently, pro-Assad cyber attacks have largely been conducted by proxy (cyber activists rather than government forces), with the result that attacks emerging from Syria or pro-Assad hackers in Iran and Russia have not been particularly sophisticated and consisted mostly of Distributed Denial of Service Attacks (DDOS). The attack on the New York Times was more elaborate, penetrating the Domain Name System—the "phone book" of the internet as it is often called—yet it also did little damage and was more of a cyber protest than an attack aimed at the destruction of networks and data.

Iran’s role

While Syria’s capabilities are limited, Iran and potentially Russia could lend Assad a hand and deploy their arsenal of cyber weapons in support of the Syrian government. This, however, will have to be preceded by a conscious decision of the Iranian government to escalate the level of conflict by launching sophisticated strikes on Western critical information structures such as SCADA (supervisory control and data acquisition) systems that monitor and control power grids. These sorts of attacks are hard to pull off, since they demand sophisticated knowledge, require layers of resources and are difficult to coordinate. Because of this, such complex attacks need some form of state sponsorship.

Cyber Deterrence

The current improbability of debilitating attacks by Iran or Syria is not so much a sign that they are deterred from acting because of the West’s asymmetric advantage in cyber capabilities, but rather of the domestic focus of Syria’s efforts in cyberspace.

Unlikely, however does not mean impossible. Steps have to be taken to convey to Iran, Syria and the world what the likely reaction to cyber strikes against Western targets will be in order to actively reduce the likelihood of debilitating attacks. Clearly, the West needs a strategy of cyber deterrence against Iran and Syria.

A combined Syrian-Iranian DDOS attack on a well-known Fortune 500 company—although probably fixed within a few hours—could trigger panic in global financial markets. The media is such that it can create cyber mountains out of cyber molehills. Cyber deterrence—unlike nuclear deterrence—is not meant to deter all cyber attacks. Its principal aim is to dissuade adversaries from engaging in debilitating cyber strikes.

At the lowest level, one way to increase the deterrence factor vis-à-vis adversaries is to have a more systematic public display of nation states’ cyber-war capabilities. This can have a greater deterrence effect on nonstate actors operating in the service of Iran and Syria, because they will have a clearer understanding of the forces arrayed against them. It can also make ‘signaling’—conveying the intentions of a state through a particular policy or move—easier, since a better understanding of capabilities reduces the likelihood of misguided policies.

Often, the media has been used to convey a country’s capabilities with strategic leaks of classified information (e.g. Stuxnet, Flame etc.) to some news outlets—this is part of a country’s cyber-deterrence strategy. It is likely that we will see such a strategic leak shortly before any air strikes. Whatever this leaked cyber asset may be, the ability to identify, defend and retaliate against any attack from the Middle East will be its key characteristics.

When it comes to cyber deterrence, the revolutionary idea for policy makers to get their heads around is that the public and private sector need to be better informed on discussions pertaining to a state’s cyber war capabilities. It is no longer enough to have a small clique of policymakers and the militaries on both sides know each other’s cyber arsenals. In order to deter nonstate actors and reduce uncertainty about the consequences of cyber attacks in the general public, a more open discourse on cyber capabilities—beyond Iran and Syria—will be needed in the future.

Click here to read the article in the National Interest. 

Click here for Gady's recent article "What Would Cyber-War With Syria Look Like?" in the U.S. News & World Report. 

Responding to increased levels of cyber risks, governments are now taking more interest in cybersecurity policy, Mroz points out. But he argues that more cooperation and sharing of information between government and the private sector will allow for a faster response to threats than government policies can provide on their own.

"Cybersecurity is a critical issue that affects everyone," Mroz notes. "Both the United States and the European Union recognize that people are not really free if they are not safe."

The article summarizes some of the topics discussed at the Global Investment Risk Symposium held in Washington, D.C. on March 7-8, 2013.

Click here to read full article. 

Rauscher, along with McAfee’s Chief Technology Officer and Global Public Sector Vice President Phyllis Schneck and the Center for Strategic and International Studies’ Director and Senior Fellow James Lewis, gave official statements and fielded questions from the Subcommittee on Asia and the Pacific. They discussed a broad array of cybersecurity challenges, U.S.-Chinese bilateral relations in cyberspace and the prospects for regional and global cooperation.

“Malicious actors are taking advantage of a lack of cooperation in cyberspace,” Rauscher warned. “We just don’t have the tight coordination that we need.” He pointed out that EWI has already started promoting both better coordination and cooperation. Holding up the EWI reports on Fighting Spam to Build Trust and Priority International Communications, Rauscher focused on the need to take proactive measures, including implementing a new means of effective international communication in times of crisis.

In his full testimony, Rauscher drove home this point by using a metaphor to explain the state of cyberspace when an emergency situation arises. “We have too many people practiced in bailing water out of the boat and not enough capable of plugging holes,” he said. “But when there is water in the boat, and you are getting wet, it is hard to focus on long-term solutions. We need leadership to shift the focus.”

Rauscher also pointed out that, to a large extent, the major players in Asia complement each other’s strengths. “The United States is the leading innovator in cyberspace while China is the largest manufacturer of hardware systems, and India is a leading supplier of both software and networked services,” he noted. “Our mutual interdependence in cyberspace is profound.”

Rauscher stressed optimism in improving bilateral relations with China, “The benchmark [for success], really, is zero percent. These are really hard issues. If you look at what we’ve taken on, people aren’t trying to address them because they think they’re impossible.” With other countries, too, he argued, much more can be done to move beyond purely reactive measures.

Committee Chair Rep. Steve Chabot (R-OH) reiterated this point. “The U.S. must engage its allies around the world to promote the preservation of global network functionality, in addition to establishing confidence building measures that foster trust and reliability with nations,” he said. “Establishing some sort of norms, or principals, to guide actions in cyberspace that the Chinese can agree to will be incredibly difficult.” Chabot and the rest of the committee focused much of their attention on U.S.-China cyber relations.

Some Congressmen raised the issue of China’s domestic cyber policy, and its effect on U.S. cybersecurity. “We’re in the phase now where we need to persuade the Chinese to change their behavior,” Lewis responded. “We cannot coerce them, they’re too big a country, the only way you could coerce them is if you go to war, and that is in no one’s interest.”

The hearing covered more than just U.S.-China relations. It included the need for international cooperation in both the private and public sectors and the prospects for new multinational treaties, U.N. regimes and high-level international dialogue on sensitive issues.

In the discussion, Schneck said, “We [at McAfee] believe in global conversation. We need more conversation, and commend some of the recent efforts, like those in the UN. These forums, like [EWI’s annual cybersecurity summit] mentioned by Mr. Rauscher and others, are good starts to that global forum.”

Rauscher stressed that governments alone cannot deal with these problems. “Given its more intimate knowledge of technology design and development, this leadership will likely need to come from the private sector,” he concluded.

Click here to view video coverage of the testimony, on the House Committee on Foreign Affairs' website. 

To read Karl Rauscher's statement in full, please click here. 

“In no other area of security are the rules undefined,” McConnell said, making the point that without agreed-upon guidelines, critical infrastructure systems across the globe are at stake and financial and political stability are continually threatened. Discussions continued on ways that EWI, with its unique history of building trust between nations, can help make significant progress in fighting cyber crime and avoiding global misunderstandings and tensions. The European delegation emphasized the U.S.-EU alliance and hopes for improved cyber cooperation despite recent strains.

Participants stated that one of the main roadblocks to significant progress is the gap between the rapid pace of technology and the slow pace of policy approvals. One reason is that lack of familiarity with rapid technological advances often overwhelms and confuses uninformed policymakers. All agreed that there must be a bridge between these two arenas and that dialogue is a key component.

Click here to view more photos from the event. 

Not that long ago, cybersecurity was an issue for the back room. Now, it's made its way to the boardroom and the Situation Room.

In February, President Obama issued an executive order aimed at protecting critical infrastructure, adding the administration's voice to those of Congressional members and corporate leaders in the national conversation on cybersecurity.

Just as government and industry coordinated the telecommunications response after the 9/11 terrorist attacks, the order enlists both public and private entities in assuring that critical infrastructure is continuously monitored and protected from attack.  Cyber threats are growing in intensity and scale. We've seen significant breaches at government agencies and in private businesses, including leading financial institutions and large U.S. media companies. Recent allegations of the theft of top-security information connected to the development of sophisticated weapons and air defense systems have only heightened concerns about the security of the nation's networks.

The public and private sectors need to work together to protect critical assets with confidence and trust—helping manage the risks we know, and getting ahead of those we don't.

There are two primary areas of concern. The first focuses on the concept of enhanced public/privateinformation sharing and developing standards. The second is crafting a cybersecurity framework that addresses risks across government and industry—and to do so quickly. The National Institute of Standards and Technology (NIST) wants a preliminary framework in place by the end of this summer, with a final set of guidelines ready to go in February 2014.

The response to today's cyber threats can't be limited to Washington. Cybersecurity isn't just about compliance with laws and regulation—it's about guarding businesses from the increasing dangers of persistent threats. As importantly, an effective cybersecurity framework has to overcome barriers to continued economic growth—creating an environment that protects and nurtures innovation.

Certainly, the environment is complex. Critical industry sectors from energy and banking to transportation and health care answer to different government agencies or regulators. Therefore, it is imperative that any designated corporate cybersecurity officer sustain strong working relationships with appropriate government stakeholders.

It's encouraging that many business leaders understand the threat. A growing number of corporate boards are demanding regular updates from CISOs or CIOs on their states of readiness. Corporate executives should be asking themselves: how can public and private organizations work together most efficiently; how should a productive relationship develop between the two sides on key cybersecurity issues; and how can threats be addressed while protecting intellectual property and individual rights to privacy?

It is critical that the public and private sectors work together to build a cybersecurity framework that takes into account the very legitimate business concerns of maintaining individual privacy obligations, securing corporate proprietary information, and safeguarding competitive positioning, while promoting an efficient exchange of information.

Not all attacks rise to the level of a Page One headline. In fact, many breaches can damage businesses in significant ways without triggering news attention. Vandalism of websites to full-fledged short-circuiting of networks lead to theft of intellectual property, fraud, and in the most extreme cases, threats to corporate survival.

Take, for example, the energy industry: According to one recent Congressional report, the computer systems that drive the U.S. electric grid are under frequent—even daily—attack. That survey of corporate officials found striking examples of ongoing attempts to steal critical information; one company reported experiencing 10,000 attempted attacks a month.

Every C-level executive has a role in stemming the tide of cyber-attacks. It's not the responsibility of the CIO or even the CEO alone; COOs, CFOs, CROs, CPOs, and the corporate board should be equally invested in sharing active responsibility for the effort. A comprehensive corporate cybersecurity strategy is required.

To that end, all business leaders should adopt the following four steps:

Understand the challenge An organization's threat profile must be top of mind for all leaders. Creating ongoing monitoring methods and finding resolutions to reporting challenges would allow executives to see well ahead of the curve. Risk intelligence is perhaps more valuable in 21st century business than conventional business intelligence.

Establish accountability:Company management should be requesting quarterly reports on the organization's most pressing cyber threats, to ensure that executives develop, track, and chart metrics which would enable them to quantify the impact of any intrusion. One designated leader, whether the CIO or other senior-level executive, could serve as the nexus for all cyber activities.

Coordinate efforts: A unified approach needs to be exactly that—unified. Assure that cyber security is well-managed not only through company headquarters, but all along the supply and value chain. Developing an effective national system to secure our critical infrastructure requires the coordination of key elements: protocols, sharing of sensitive data, and IT strategies.

Communicate: Government regulation and corporate risk management activity is at a high level. Cyber security officers should maintain regular communication with their industry associations and government contacts to make sure that industry perspectives are heard. Given the pervasive, business-critical role of IT and value of high-tech assets, the case for increased transparency and dialogue among stakeholders has never been stronger.

Nationally, we spend hundreds of millions of dollars on detecting, neutralizing, and recovering from cyber-attacks. There is perhaps no more important financial aspect of running a business these days than data maintenance and security.

While the cost of building an effective cyber defense system could be high, the cost of not doing enough may be even higher. One thing is certain: cyberattacks won't stop while we discuss how to build a protective network, who should run it, and the price tag for implementation.

The solution starts with cooperation across public and private lines, and collectively putting the greater good—America's national security and economic competitiveness—at the top of our priority list.

Click here to read this article in Harvard Business Review. 

Ambassador Peter Wittig opened the event calling cybersecurity “a major cross-cutting issue of foreign policy,” where “the stakes are too high and too many lives are at risk for a mere laissez-faire approach.” He admitted that cyber issues are rarely discussed within the UN and that this must change.

Wittig called for a “framework for lawful state conduct in cyberspace. We should have clarity about the rules and norms that apply in cyberspace.” The panelists focused on just that in a lively debate that engendered many questions from the audience.

The panelists were James Lewis, senior fellow and program director at the Center for Strategic and International Studies (CSIS), Washington, D.C.; Sandro Gaycken, researcher in technology and security, Institute of Computer Science, Freie Universität, Berlin; and Cherian Samuel, associate fellow, Strategic Technologies Centre, Institute for Defence Studies and Analyses, New Delhi. Colum Lynch, UN correspondent for the Washington Post and blogger for Foreign Policy moderated.

All panelists agreed that current strategies for cybersecurity are not working; they differed however, in their long range views of how to tackle this immeasurable problem.

Gaycken stated that because attribution is so difficult to determine in cyber incidents, he believes that applying international laws that already exist in the military, aviation or similar spheres will not be effective, and that other paths of containment must be explored. This, he emphasized, is especially true in light of almost daily advancing technological capabilities.

Speaking from the perspective of the hacker, Gaycken said, “It’s very unlikely that anything you do will be discovered…and you’re not being identified, so you’re out of risk. Not much is going to happen to you if you do it right.” He continued, “So that’s something that all of these nations must consider—getting the golden key to all these castles. That was simply not possible before.”

Lewis countered this argument using a graffiti analogy. “Even though most times no one sees the spray painter who defaces property with graffiti, there are still laws against it. Eventually the spray painter is identified and prosecuted. The same with hackers—there still must be laws that are and will be enforceable and we should continue working toward that.”

Samuel spoke to the urgency of this work, as he reminded the audience that India has the third largest Internet-driven market in the world. “Bad guys are taking advantage of the fact that nation states are not tackling cybersecurity in more effective ways. We have the same problems as other countries but of course on a much larger scale.”

To that point, Lewis stressed that, “Government is better at addressing certain issues, while the private sector is better able to handle others. That is why it is essential to have both at the table working in tandem.”

EWI President John Mroz concluded the event with a summation of main points, stressing that there must be global cooperation on this frontier, and that this event is the first in what will be a series of co-sponsored cyber panels with the German mission.

“Nobody knows how big the cybersecurity problem is, and that is why it is essential that we continue this dialogue and work together for tangible solutions,” Mroz stated.

To read Huffington Post's blog on the event, click here. 

To view pictures from the event, click here. 

Considering the panel of leading cybersecurity experts, Maiello notes, “They found an interesting balance between doom and cautious optimism regarding future cyber security solutions.”

Despite challenges in reaching consensus among member states on a global framework for securing cyberspace, the panel remained generally optimistic. Panelist James Lewis commented, "I'm very optimistic. It will take years, but we will get there.”

The full blog post is available here.

To read EWI’s report on the event click here.

Gady states, "One of the principle questions moving forward will be how the United States and China can manage to contain their disagreements over cyberspace without an escalation in cyber rivalry and the risk of a full-scale cyber war. One approach may be that both governments seriously discuss strategic cyber stability. The goal would be an equilibrium in which both sides are deterred from engaging in reckless behavior for fear of upsetting the status quo in cyberspace and inciting a cycle of retaliatory cyber attacks."

To read full published article, click here.