The Cyber Fortress Mentality

Commentary | November 29, 2010

Writing for the Foreign Policy Journal, EWI Associate Franz-Stefan Gady argues that traditional boundaries cannot protect cyberspace but international cooperation can.

Most people imagine that historical battles were fought between opposing armies charging and countercharging over open fields. On the North American continent, however, the fortress played the pivotal role in deciding the outcome of wars rather than traditional open battle—for example, in the siege of Quebec in 1759 or in the Battle of Vicksburg in 1863. As a result, the fortress has shaped the outlook of American foreign policy makers and its military brass ever since the creation of the United States. Even today, dealing with the 21st century challenge of cybersecurity, policy makers still think in 18th century terms.

In a recent article for Foreign Affairs Magazine, Deputy Secretary of Defense William J. Lynn III wrote: “In an offense-dominant environment, a fortress mentality will not work. The United States cannot retreat behind a Maginot Line of firewalls, or it will risk being overrun.” In other words, defense-centric strategies primarily aimed at blocking unauthorized access through filters such as application gateways or proxy servers are not enough to keep America safe. New strategies and new thinking are needed, which may finally end the United States’ two centuries-long romance with fortresses.

As the recent militarization of cyberspace illustrates, however, this romance is far from over. In 2009, President Barack Obama declared America’s digital infrastructure to be a “strategic national asset.” This was promptly followed by the integration of a new Cyber Command in May 2010 to defend American military networks and attack other countries’ systems.

Since then, the US military has been a dominating force in the discourse on cybersecurity in the United States. The Pentagon went on to call cyberspace a “domain,” reinforced by the description of cyber warfare as “the fifth domain of warfare after land, sea, air, and space.” This characterization implies that cyberspace as a “domain” can be protected from intrusion.

True to the fortress mentality, efforts are currently under way to strengthen the defenses of networks with the aims of keeping the “bad guys” out, strengthening secure network communications, and boosting information assurance. The Department of Defense has increased its efforts to block malicious software and code from entering military networks. It is decreasing the number of gateways to be protected. Booz Allen Hamilton is building a USD 14-million bunker for the new US Cyber Command. Some senior military leaders are even musing about establishing a “secure zone,” an Internet within the Internet, aimed at protecting US military networks and essential industries.

The Department of Defense recently obtained additional powers through a memorandum of understanding (MOU) signed in October 2010 between the Department of Defense and the Department of Homeland Security, which aims to increase “interdepartmental collaboration in strategic planning for the Nation’s cybersecurity, [and] mutual support for cybersecurity capabilities development.” Despite the Department of Homeland Security still being the lead agency in cybersecurity, this MOU will significantly reduce its overall importance since the Department of Defense will take the lead domestically in any future computer network warfare scenario.

The striking thing about all of this is how inward-oriented most of these strategies still are. Even the Identity Ecosystem Framework, which was recently proposed by the White House Cybersecurity Coordinator to deal with the “attribution problem” in cyberspace for both the public and private sector, is primarily domestic-oriented and has no true provisions for international collaboration. This is not a critique of the very necessary efforts to strengthen network defenses, but rather of the overemphasis on them and the neglect of other fields.

It is true that the United States is reaching out to international partners in both the public and private sector, but the outreach is largely confined to NATO countries, Canada, Australia, and New Zealand—traditional US allies. It is an old, often repeated truism but nevertheless worth repeating: in cyberspace, there are no boundaries. Talking to these countries and forging partnerships with them is important, but it is only one step.

Data moving at the speed of light along channels owned by commercial carriers knows no national boundaries and no distinction between the West and the “rest.” It helps little to forge partnerships with France and Great Britain when most hardware is manufactured in Asia and enters the United States already compromised, with malicious code embedded in it. This so-called “supply chain vulnerability” already breaches any “Cyber Maginot Line” long before any hacker encroaches upon a US server and tries to disable it with a distributed denial-of-service attack. True to its fortress mentality, however, US military brass is considering establishing a cyber distant early warning line for cyber surveillance and better protection against intrusions. (The original distant early warning line was a chain of radar and sonar stations to detect Soviet bombers and submarines during the Cold War.)

Much more pressing is better cooperation between the major cyber nations such as Russia, the United States, China, India, the EU, and Brazil.

What would better international cooperation look like?

First, international cooperation needs to be truly international, i.e., it encompasses both Russia and China despite their reputation as being “rogue cyber nations” in the United States. The United States, Russia, and China have much to gain from cooperation in protecting undersea cables, the Achilles heel of our digital world. One carefully planned attack on one of the three cable chokepoints (spots in the Luzon Strait, the Suez Canal-Red Sea-Mandab Strait passage, and the Strait of Malacca where undersea cables converge) in the world would cost the world economy billions of USD due to the loss of connectivity, which might last from a few days to a few weeks depending on how well the cable system owner, the operator of the repair vessel, and the national government involved can coordinate their efforts. In this volatile economic climate, an outage for more than 24 hours would be disastrous.

An additional initiative could be to gather experts from the United States, China, and Russia and compose clear, mutually agreed upon definitions of key terms that facilitate collaboration among states. For example, what exactly do we mean by terms such as “cyber war,” “information security,” and “probing”? Every nation will have a different answer to that question. A common understanding of key terms is pivotal in a truly collaborative international environment.

Cyber crime could be another potential field of better collaboration, if not the most important one. All industrial nations agree that cyber criminals pose the biggest threat to their respective critical infrastructures. The methods used by cyber warriors are not different from those of cyber criminals or cyber terrorists. Private-public partnerships, i.e., partnerships that share sensitive information across sectors (e.g., type of cyber attacks, level of damage, number and sophistication of attempted intrusions, etc.), play a key role in that respect. So far, they have focused primarily on domestic markets with often limited success due to too many ineffective initiatives and too little trust between the government and the private sector. Instead, these partnerships need to expand across borders.

To build trust, major cyber nations (US, EU, Russia, India, and China) could also compose a “Code of Conduct for Cyberspace” focusing on each other’s vulnerabilities rather than threats. This code would contain provisions on whom to hold responsible for cyber crimes originating from nation states. Following the code of conduct, governments would decide upon “Cyber Risk Reduction Centers” set up in the various defense ministries, notably in Russia, China, India, the United States, and major European countries. These centers, permanently staffed and linked with each other, should reduce misunderstanding and tensions in times of crisis.

Any fortress wall is vulnerable; they will all, sooner or later, be taken. No matter how good its defenses, every network can and will be breached. The trick is avoiding a siege altogether! In the hard world of power politics, this might not always be possible, but through an increasing emphasis on international cooperation and focus on common security interests, nations will be less vulnerable in the long term.
