Cyberspace Cooperation

The Global Cooperation in Cyberspace Initiative seeks to reduce conflict, crime and other disruptions in cyberspace and promote stability, innovation and inclusion.


China's Reach in Cyberspace

In the wake of Defense Secretary Panetta's recent remarks, EWI Professorial Fellow Greg Austin looks at assessments of China's cybersecurity capabilities. 

In his short speech on October 11 on Pentagon responses to evolving cyber threats, Defense Secretary Leon Panetta revealed both the strengths and shortcomings of United States public policy on issues of national cyber defense. The forum for the speech was not necessarily the place where Panetta might have been expected to give a full exposition of policy, yet in his need to summarize complex issues for his audience of Business Executives for National Security, the secretary outlined a picture of where the United States is and where it is going. Panetta set the scene by mentioning the threat of a “crippling cyber attack,” as serious as the 9/11 terrorist attacks. Several points that relate to China are of interest.

No Secret about Chinese Cyber Capabilities?

The most challenging statement Panetta made was: “It's no secret that Russia and China have advanced cyber capabilities.” As a researcher of Chinese cyber policies using only unclassified sources and the knowledge gained from occasional conversations with senior U.S. intelligence figures, I would question the statement’s implication about “advanced capabilities.” First, it is impossible to find a comprehensive assessment of China’s military cyber capabilities on the public record; however, there are several useful sources—their titles, at least, sound like they fit the bill. For example, a report prepared by Northrop Grumman for the United States China Commission, with the subtitle of “Chinese Capabilities for Computer Network Operations and Cyber Espionage” released in March 2012, is a stunningly detailed overview of many aspects of the problem. But it offers almost no credible assessment of China’s military capability. It documents a series of doctrinal writings and reports at a very general level of Chinese information warfare activities, citing mostly examples of espionage activity. Another useful article, “The Art of (Cyber) War” by Brian Mazanec from the Journal of International Security Affairs in 2009 cites a senior State Department official commenting that Chinese capabilities “have evolved from defending networks from attack to offensive operations against adversary networks.” But there is no Chinese equivalent of Stuxnet yet. Mazanec’s article could only postulate the outlines of possible Chinese cyber war strategy.

The European Defence Agency has been sponsoring a survey of the military capabilities of European Union countries in cyber defense. Their methodology gives some insight into what is missing in public assessments of China’s military cyber capabilities. It has been following a systematic model with the acronym DOTMLPF, which stands for doctrine, organization, training, means (i.e. budget), leadership (chain of command), personnel and facilities. The study has also expanded this model to include interoperability, a fundamental characteristic of cyber warfare at the strategic, operational and tactical levels of war. Interoperability among different branches of the armed forces is one of the hardest organizational challenges facing any country.

The existing public studies on Chinese capability are strongest on doctrine, but they don’t have much detail on the other aspects beyond identifying the names of units involved, the names of some of the commanders and the facilities. In addition, China has had relatively poor performance when it comes to interoperability. Another significant aspect of assessing military capability is the net assessment: how well would the forces of one side (say, China) perform against an adversary (say, the United States, Taiwan or their military allies, such as Japan, the United Kingdom and Australia). In comparison to the high level of detail on Chinese conventional and nuclear force capabilities available in the public domain, the current state of public knowledge of Chinese military cyber capability is very low; basically, it’s still a secret.

The public record of Chinese cyber espionage capabilities is slightly better. There is a long list of authoritative reports describing various intelligence victories attributed to the Chinese government. This is in itself significant in terms of cyber military capability, since according to U.S. sources, well targeted and sustained intelligence collection is an absolute precondition for advanced cyber offensive operations. China’s espionage capability is a part of the capability assessment overall. Yet even here the picture is incomplete. Well-placed sources in Washington with access to the intelligence record have concluded that the United States can see enough to worry us but not enough to know with confidence the full picture.

U.S. Vulnerability: the Cyber Defense Gap

The United States feels its vulnerability in cyberspace deeply. It does not always recognize that this is an inherent characteristic of the domain and too often seeks to address the anxiety by resorting to exaggerated assessments of potential adversaries. Striking the right balance in United States strategic policy is no less of a problem now than it was in preceding decades: the bomber gap (1950s), the divisions gap (late 1960s), the missile gap (1960s), the civil defense gap (1970s) and so on. The 9/11 attacks and a decade of war in Afghanistan, and the long Iraq campaign, have incubated a sense of insecurity. In spite of exhibiting strong confidence in American cyber superiority, Panetta noted about the private sector that “too few companies have invested in even basic cybersecurity.” He called for support for administrative, legislative and regulatory efforts because without them “we are and we will be vulnerable.” Invoking the 9/11 attacks and lack of effective anticipatory defense against them, he added that “the attackers are plotting.” Well, yes, they are. But we all need a much clearer sense of how big the cyber defense gap is. What are the relative capabilities, and more importantly, how do capabilities fit into overall concepts of deterrence for countries like China, Russia and Iran?

Panetta acknowledged that U.S. systems will never be impenetrable. The same is true of the Chinese systems. The global infrastructure and its vulnerabilities, to which Panetta referred, are also shared by China. In assessing where China stands today, we should certainly factor that into the equation as well.

For further information on how the global community can co-create solutions to these challenges, visit the website for the EastWest Institute’s 3rd Worldwide Cybersecurity Summit in New Delhi, to be held on October 30-31, 2012.

Melissa Hathaway Discusses Supply Chain Integrity

Melissa Hathaway, a former cybersecurity official under both the George W. Bush and Barack Obama administrations, appeared at a discussion at The Potomac Institute to address the potential dangers of an insecure supply chain.

"We're now worried [about] the integrity of the products coming into our global supply chain that might compromise businesses' confidentiality or the overall availability of those essential services," said Hathaway.

She explained that supply chain vulnerabilities allow for "greater opportunities to manipulate the product from design through its entire life cycle," potentially leading to malicious behavior.

Her appearance was picked up by a number of media organizations, including Foreign Policy's "Killer Apps" blog, Federal Computer Week, Federal News Radio, and Nextgov.


India: An Emerging Cyber Power

In an interview with India's Business Standard, EWI president John Mroz spells out critical issues that will be discussed at the third Worldwide Cybersecurity Summit in New Delhi on October 30-31. The summit, held in partnership with the National Association of Software and Service Companies (NASSCOM) and Federation of Indian Chambers of Commerce and Industry (FICCI), will bring together international experts from the field, Indian government representatives and the corporate world.


Here are excerpts from the interview, conducted by Santosh Tiwari:

Why has India become so important in terms of cyber crime and security?

Spam and botnets are the core pieces of cyber crime. Our study shows that China has been quite good in fighting them. The data from five sources that track spam globally shows that India is a problem area, and two of them ranked India as the worst in spam and others ranked it number two about a year ago. In the latest study, two more sources have put India as number one. So, four out of five think that India is a major problem area in case of spam. This is the initiation point of cyber crime and this is where the work has to start.

Why is India at the top of this list?

A day before the summit, we will be organizing an interactive day-long session between global experts and Indian companies. The main reasons for India facing major spam and botnet problems are the use of vernacular language, in which you don’t have products to prevent them, and also mobile becoming the biggest communicating device. So, I would put this as priority number one.

According to you, what should companies, not just IT or telecom but any business, and government do to rectify the situation?

Businesses need to realize that spam can be the primary vehicle for malicious code that can infect their internal networks, possibly compromising the security of their operations or that of their customers.

There are two basic steps that service providers should perform. One, detect abusive messages and share the data with peers. Detecting is accomplished by having the right software and intelligence in the operations of networks and applications.  Sharing is done by local and international cooperation.

Putting in place the preventive mechanism would mean additional cost for the companies. Isn’t it?

Realizing the value of secure networks in their enterprise, there is a need to select service providers that are aggressive in implementing world-class best practices. This means that they do not select their service providers based on lowest cost only.

They should also have policies in place to avoid unlicensed software and keep their software updated with the latest patches to keep known security flaws patched.

Service providers should take advantage of abusive message reporting mechanisms that their subscribers can use.

Obviously, these issues will be discussed in detail at the summit. Which are the other areas of focus in dealing with cyber crime?

During the Summit and in a special October 29 FICCI-hosted workshop, world-class talent is being convened in New Delhi for intense, interactive working meetings that will focus on engaging Indian ICT and broader business communities with the international spam and botnet fighting efforts. ICT development supply chain integrity, the role of international companies in cloud computing and storage, reliability of global undersea communication cable infrastructure  and proposals for establishing a system of priority international communications are the other areas on which the conference would focus.

New Thinking on Protecting the Internet

During the EastWest Institute’s Second Worldwide Cybersecurity Summit held in London on June 1–2, 2011, two special breakthrough sessions were held to discuss “Collective Action to Improve Global Internet Health.”

Dr. Luis Kun was the chief editor of these sessions.  For the next year, discussions were held among members of a team, culminating in the publication of The Internet Health Model for Cybersecurity, an EWI report which examines the possibility of applying a public health model to cyberspace.

Dr. Kun is currently Professor of National Security Affairs at the Center for Hemispheric Defense Studies (CHDS) of the National Defense University. He spoke with EWI’s Thomas Lynch about his role in shaping the EWI report on the Internet health model and what conclusions can be drawn from that process. Excerpts:

How did you become involved originally with EWI’s cybersecurity work?

EWI’s chief technology officer Karl Rauscher has known me for many years from the IEEE. I happened to be a biomedical engineer who worked about 14 years with IBM, so I was very much involved right after finishing my career with UCLA in medical or public health informatics. I work at the intersection of these two powerful fields: cyberspace, in which pretty much every sector of the world economy is involved, and then healthcare and public health, which is one of those major sectors. I put together several special issues of the IEEE Engineering in Medicine and Biology Society that dealt with three major topics: Bioterrorism (Jan./Feb. 2002), Homeland Security (Sept./Oct. 2004) and Protection of the Healthcare and Public Health critical infrastructure (Nov./Dec. 2008).

What insights have you gained from this background in cybersecurity and public health?

In critical infrastructure protection, all sectors are interdependent. If something happens for example to the water, the food, or the agriculture, public health will suffer the consequences.  It’s very important to understand all of these interdependencies because, for example, if you don’t have electricity or telecommunications, the healthcare of the public could be at stake as well.

The healthcare system through the years has developed ways of dealing with global health problems. Although any health crisis is local for someone, it also has (or will have) a global impact; global crises on the other hand have a local impact as well, so it goes both ways (from local to global or from global to local). And in so many ways there is a resemblance to cyberspace, where many times different sectors have solutions that other sectors are completely unaware of. This leads to wasting a lot of time reinventing the wheel, spending resources, when some of these same solutions could be applied.

What’s the principal purpose of the paper then? To outline solutions to cyberspace challenges in the existing public health model?

Right. It’s pretty much thinking from a public health perspective, how could we solve cybersecurity problems with the rubric of a public health system. You have organizations like the World Health Organization that collect, analyze and disseminate information, making sure that the silos of excellence that we have all over the world are interconnected.  And then there were different pieces that I used from that model, performing functions similar to epidemiology and medical surveillance. Cybersecurity has many parallels: monitoring sick people, education, immunization, quarantining, incident response, etc. 

After the SARS public health crisis of 2003 we learned that Public Health (PH) needed an Information Network (PHIN) to face a “New Normal.” The 3 main ideas behind it were globalization, connectivity and speed. The response requirements for the PHIN called for: fast detection, fast science, fast and effective communications, fast and effective integration and fast and effective action.

The paper goes over a lot of ways that the public health model applies to the Internet and cybersecurity.  What are the limits to that and what are the major differences between the public health system and ensuring security in cyberspace?

There was a wide variety of people involved in the paper and different individuals had different views of what the real problem was. I tend to look at all problems in a holistic way.  For example, when you talk about threats for the policemen they tend to be guns and knives, for the fireman they tend to be smoke and fire, for physicians they tend to be bacteria and viruses.

So when you use that construct you start realizing that, depending on who you’re talking to, you’re going to have very different threats in mind. In our case some only see certain sectors. For example, many see network security as posing the greatest threat. Although networks are important, from my perspective the critical infrastructures of the different sectors are much more important than networks per se. All sectors use cyberspace, but they use it differently. So a bank will not use it in the same way as a hospital, or the people controlling the gates of a dam, or those who are producing hydroelectric power.

A cyber attack can come from anywhere in the world, including from within an organization or a country. Usually when you get sick you start showing certain symptoms that sometimes are misread. In some instances you may already have some disease for which you have not yet developed any symptoms. This could be similar to a computer that already has a virus which has not been activated... yet. In terms of limits, with a disease the best way to prevent someone from becoming infected is physical isolation. In the case of a computer system, you may be by yourself at home but your system may already have a program that could be activated at a certain time of a certain day; if you happen to be connected to others with whom you may be sharing files or certain types of information, you can be unknowingly passing the problem to others around the world.

So in a health system everyone is more or less on the same page in terms of what the challenges to that system are?

To a certain extent, but the problem is that 85 to 90 percent of the critical infrastructure in the United States belongs to the private sector, and yet those that protect tend to be the public sector. So if these two sectors don’t communicate you’re going to have a problem.

When you look at that same issue in public health, you have the World Health Organization. They advise every country about what’s going on. And to a certain extent this is what we need in cybersecurity.  We need some sort of WHO, not just for the Internet, but also for IT and for cyberspace. We tend to focus more on Internet than anything else, but the Internet is not the only network that exists. 

What’s an example of how the public health model can lead to new kinds of thinking in cybersecurity?

In the case of some of the big problems, like the 2009 H1N1 influenza pandemic, you need to start thinking about who is going to do what if the people who deliver solutions start getting sick.  The issue is not just for a mother to come home with her children vaccinated, but rather, once you get home, how do you assure yourself that your children and your whole family will have electricity, water, food, etc?  In order to do that you have to vaccinate not only the children but those that provide you with the essential services, which in some ways is a continuity of operations and of services that are needed for the nation to function as such.

Ultimately, this paper emphasizes the issue of looking at a problem holistically and through the lenses of multiple disciplines—as a system and not as independent boxes. 


The Failed Cybersecurity Act of 2012

With cyber threats in the news almost daily, there are growing demands for legislative action—but so far little consensus on what kind of measures are needed.

The Cybersecurity Act of 2012 (CSA), the most significant legislative undertaking on cybersecurity issues in the United States to date, was blocked from proceeding to a vote in the Senate on August 2. The CSA is now left to languish as members of Congress return to their districts to prepare for the fall campaign.

In a July 19th Wall Street Journal op-ed supporting the bill, President Barack Obama maintained that “the cyber threat to our nation is one of the most serious economic and national security challenges we face.”  

On that point, members of both parties and most of the policy community agree—but on little else. Critics of the recent bill, which changed substantially from its original form, raised objections to the bill’s implications for both privacy and government regulation of businesses.

Civil liberties groups raised an outcry over provisions in the bill that called for increased information sharing between businesses and government. Warning of the potential for misuse of personal information especially by defense-related organizations, the American Civil Liberties Union claimed that an early version of the bill would “unnecessarily threaten our privacy.”

A group of Republicans, led by Senator John McCain of Arizona, voiced opposition to the original CSA provision allowing the government to enforce minimum standards on critical infrastructure services such as power plants and dams. Charging that this part of the law imposes new regulatory burdens on businesses, McCain said in a statement that the solution isn’t “adding more bureaucrats or forcing industries to comply with government red tape.”

Both of these concerns were addressed in a later version of the CSA. The mandatory standards were changed to optional recommendations, and the information-sharing provisions were made fully transparent and revised to exclude non-civilian agencies. The result is a bill that partially addresses a number of major concerns, but fails to update the country’s infrastructure to adequately face the consequences of an attack.

To address cyber threats, any future bill must impose substantive changes to infrastructure management while simultaneously satisfying the concerns of pro-business and civil liberties groups. Unfortunately, given the heightened polarization of today’s Congress, such an outcome appears unlikely.

Now that the bill has failed, there are a number of options the Obama administration can consider. In an interview with BankInfoSecurity.com, EWI Board Member Melissa Hathaway explained that the president could engage with existing advisory panels as well as “industry leaders and/or key companies that have been breached” to galvanize voluntary reforms.

Additionally, in a recent statement that fueled speculation about an impending executive order, White House Press Secretary Jay Carney said that the president “is determined to do absolutely everything we can to better protect our nation against today’s cyber threats.”

Whatever unfolds legislatively, it is becoming increasingly clear that new measures are needed to ensure the security of critical infrastructure—and that a crisis situation in one country is more than likely to reverberate elsewhere. Much as the recent blackouts in India had unprecedented international repercussions, a cyber attack on the United States would severely impact the global economy. The price for inaction could be very high.


Harry Raduege on Securing Critical Infrastructure

Harry Raduege, a member of the EastWest Institute's President's Advisory Group and chairman of the Deloitte Center for Cyber Innovation, spoke with BankInfoSecurity.com about critical infrastructure threats. Raduege compared the recent power outages in India to the potential consequences of a cyber attack in the United States.

Raduege explains that the dire consequences of India's blackout had reverberations internationally. "It's more far reaching than just the fact that India had 679 million of their own residents and population affected by this," he said. "It also had implications and impact on the rest of the world."

Read the article and listen to the full interview at BankInfoSecurity.com

A Reality-Based Model for Cyber Conflict

Cybersecurity incidents don't add up to war, argues EWI's Franz-Stefan Gady in New Europe. Rather, they are creating something new entirely.

"Cyberwar is coming!" announced two RAND Corporation analysts in 1993, yet to date, there is a wide controversy surrounding the existence of cyberwar. Opinions among policy makers, IT experts and the military differ widely, with some referring to the threat as a looming "Cyber Pearl Harbor," while others simply state that "cyberwar will not take place." The United States military views cyberspace as being as crucial to military operations as air, land, sea, and space.

This current ambiguity is impeding policy development and leads to confusion among governments about the true cyber threat. As a report by the EastWest Institute on "Rendering the Geneva and Hague Conventions for Cyberspace" states, "It is possible that the binary peace versus war paradigm is too simple for the complexities of the Internet Age." The report recommends the development of "a third, 'other than-war' mode" to clarify how to use existing policy instruments and, more importantly, the applicability of international law.

Scattering the metaphor of war regarding cyberspace dilutes and extenuates the true nature of warfare. As an inscription in the Swedish Army Museum in Stockholm reads, "This is -- after all -- what this museum is about: killing and maiming, or at least threatening to do so." Among the many definitions of war, cyberwar often (not always) fails to meet two of the most basic aspects of how we understand war; war must be lethal and political.

To gain clarity in this discussion, I propose a system of categorizing cyber attacks based on two simple criteria: impact and intent. Any act in cyberspace can be assessed through the prisms of this II Model. Assessing various high profile actions in cyberspace such as the infamous Stuxnet attacks, it becomes fairly clear that the war metaphor fails to apply to these occurrences. While the intent of Stuxnet may have had a political component (e.g., forcing the Iranian regime to return to the negotiation table), the lethal component was missing. Even if lives were lost in these attacks, the principal aim was sabotage, an "accepted" act in the international arena and a form of political warfare, not war and death in itself.

If the II Model is applied rigorously, it becomes clear that most cyber attacks in the political sphere (the core criteria for any discussion of organized violence towards a clear political objective) should be categorized as sabotage, espionage, and subversion -- all actions short of war and generally not constituting a "casus belli" in international law.

As such, cyberwar is merely an extension of already existing forms of political warfare -- a metaphor that may have led to the nascent "cyberwar" metaphor. Political warfare's ultimate goal, however, is to alter an opponent's actions without using military power.

Many pundits argue that cyberwar is different because of the strategic impact and the immense power an individual can wield with just a few keystrokes. Above all, they lament the omnipresent power of cyber weaponry to strike anywhere and at any time; however, this is historically nothing new.

During the Seven Years War, the Austrian Army introduced irregular forces, the famous "Grenzer" (borderers), recruited from the Austrian provinces adjacent to the Ottoman Empire, where for centuries the Ottomans and Croatians fought small skirmishes, raided each other's lands and destroyed crops while the Austrian Empire was officially at peace with the Ottomans. When Austria introduced this concept into the rigid understanding of Western European Warfare, the outcry by orthodox commanders, such as Frederick II, was immense and led to confusion: Was this warfare or was it not?

The Grenzers unintentionally had a strategic impact on the war since the Prussians simply lacked a military doctrine on how to deal with these acts of sabotage and plundering. The Grenzers' principal aim was not lethal but, like some cyber attacks today, could have indirect lethal consequences (e.g., a starving population). Also, like today's cyber attacks, once unleashed, the Grenzers were hard to contain. Last, the aims of the Grenzers were not political but only to plunder. Again we are confronted with the dilemma of failing to properly categorize actions in cyberspace because of our own rigid understanding of war.

It is finally time to jettison the concept of war in the context of cyberspace, and the II Model may be a good starting point. When the model is applied, cyberwar fails to meet the most basic criteria of war, but then again, metaphors have their own life. Lest we end up with Bertolt Brecht's old, mocking phrase, "imagine there is a (cyber)war, but nobody shows up for it!" we must establish new criteria now.

EWI's Karl Rauscher discusses Supply Chain Cybersecurity

On April 19th, 2012, EWI's Chief Technology Officer and Distinguished Fellow Karl Rauscher spoke at Bloomberg Link's Cybersecurity Conference in New York.

Rauscher's panel, "Securing the Supply Chain," addressed, among other issues, "the vast interconnectedness of today's supply chain and the challenges of securing both computer systems and supply chains."