5 June 2015

DEFENDING THE CYBER NATION: LESSONS FROM CIVIL DEFENSE

June 2, 2015
If you grew up during the Cold War, as we both did, you probably remember all sorts of ways that we prepared for the possibility of a nuclear attack. Bert the Turtle taught us how to “duck and cover,” and we practiced hiding under our desks at school. Thousands of American families built fallout shelters in their backyards and stockpiled foodstuffs to last for months. Practice exercises ensured that members of Congress, the Supreme Court, and the president could be evacuated to elaborate underground sites to ensure continuity of government.

There was a collective name for such preparations: civil defense. U.S. presidents saw civil defense as a part of the strategic balance with the Soviet Union, and as “insurance for the civilian population” in the event of a nuclear exchange. Thankfully, its efficacy was never tested. But every American understood its importance, because the threat of nuclear war was ever-present and, frankly, terrifying.

Today, most Americans would find such preparations archaic, if not darkly comic. A generation has grown up far from the shadow of the Cold War, and no obvious international threat has taken the place of Soviet missiles or long-range bombers aimed at the United States on hair-trigger alert. Even terrorism in the aftermath of the 9/11 attacks has failed to create the kind of Cold War menace that then touched every school child and every home.

Yet perversely, the United States may be more vulnerable today to highly disruptive attacks than it was during the Cold War. While thankfully the levels of potential human and societal destruction pale in comparison to nuclear Armageddon, the nearly unlimited scope of national vulnerability is real, and the outcomes could still be devastating. Concerns about an “electronic Pearl Harbor” have been increasing since the late 1990s — and that vulnerability will only increase, as the Internet of things rapidly expands the cyber connections across most elements of our daily lives.

As we wrote in our first Strategic Outpost column, the “central nervous system of the nation is now at catastrophic risk.” Massive attacks against critical networks — such as those that govern the financial system, the air traffic control system, and power grids — would disrupt the ability of American society to function and the country would grind to a halt. Even more importantly, such attacks would dramatically reduce the confidence that Americans currently have in the entire system of trade, transport, recordkeeping, and governance.

Yet despite this tremendous vulnerability, few U.S. businesses, state and local governments, or individual citizens are even aware of — much less preparing for — this threat. During a recent visit to Silicon Valley, we heard one refrain often: “There are two kinds of people in the world: those who have been hacked, and those that don’t know they have been hacked.” And while being hacked can take all forms, from simply probing home desktop computers, to stealing a bank’s financial data, to leaving dormantmalware behind in government networks, the utter pervasiveness of these daily intrusions are already far more extensive than most Americans realize.

The possibility that destructive malware has been left behind hidden in a company’s servers by an adversarial hacker group clearly invokes a much less animated government and societal reaction than did Cold War satellite photos of Soviet ICBMs on launch pads. Today’s threat often has no face, exhibits no menacing weaponry, and frequently remains opaque. As a result, most Americans do very little to protect and defend their own networks, which are being penetrated on a near-daily basis, and few elected officials understand their role in crafting effective legal and policy responses.

Fixing this massive problem will require a new form of civil defense for the 21st century, with active engagement from citizens, the private sector, and government officials at all levels. Yet the federal government has a unique and critical role to play — not because it can (or should) dictate solutions, but because it can draw attention to this important problem and adopt laws, policies, and incentives that encourage better protection against cyber threats.

We offer five important steps the U.S. government can take now to begin addressing this crucial national vulnerability and set the foundation for cyber civil defense.

1. Educate the public and national leadership. The White House must lead a concerted effort to publicize today’s serious threats to the nation’s cyber networks. The U.S. populace has been successfully mobilized in the past to respond to public safety concerns ranging from preventing forest fires to drunk driving. But today’s pervasive lack of awareness of the growing risks to computer networks undercuts any serious effort to mobilize the appropriate national response. The executive branch needs to brief elected leaders in Congress and at state and local levels on the scope of the threat. This awareness campaign is a vital first step in order to engage those leaders in alerting the U.S. public to the danger, and enlisting their support to accept improved individual cyber hygienemeasures.

2. Establish clear roles and responsibilities for network protection.A fundamental question in dealing with this immense challenge is that of responsibility. Where should the government — federal, state, local — assume the responsibility to protect? What role do business and the private sector have? And where do individuals fall on the spectrum? The U.S. government is the only actor that can initiate a broad national conversation about these crucial questions and then establish clear roles and responsibilities. It should also reexamine the National Response Framework, which establishes roles and responsibilities for disaster and emergency responses, to determine whether and how it should be adapted for responding to cyber attacks.

3. Develop a comprehensive picture of the scale and scope of the cyber threat. It is both surprising and alarming that no such picture exists today. The Department of Homeland Security should lead an interagency effort to fully map the extent of the ongoing threat to better capture the full range of government, business, and individual targets that are under attack daily. Doing so, however, will require much better reporting, from both the public and private sectors, about suspected and confirmed compromises of their networks. One cyber security firm told us that two-thirds of its clients learn that their computer systems have been compromised by reading about the breach in the media. This is an unacceptable level of vigilance.

In order to fully understand current and evolving cyber threats, the government must better incentivize businesses to improve vigilance and aggressively report suspected compromises. Greater two-way information sharing might be one incentive, since companies that report attacks often complain that they never receive any information in return. Other possible forms of incentives are discussed below. But simply asking companies to report this critical and sensitive information to the government as soon as an attack happens without any incentives to do so — too often today’s model — will only guarantee both sustained ignorance of the danger and increased long-term vulnerability.

4. Build a legal framework to criminalize cyber intrusion and attacks. Most of today’s state and federal laws are woefully out of date in a world where cyber criminals can steal identities, personal information, and millions of dollars without ever leaving their home or a foreign cyber café. Crimes that would be severely punished if committed in person, such as robbing a bank, may carry little or no punishment if committed online — even if the perpetrator can even be found and the legal jurisdiction issues are clear (which they often are not). This not only encourages criminals to shift their activities online, but it may actually increase overall crime rates, as people who would never pick up a gun and walk into a bank to rob it may be willing to hack into the bank’s financial systems and steal money from the comfort of their living room. One lawyer told us that prosecutors often need to rely on creative legal theories in order to prosecute cyber crimes because they often are not covered by existing statutes. Activities such as “breaking and entering” networks that fall short of the outright theft or wiping of data must be examined to determine if they cross the threshold of criminal behavior, and if so, new laws enacted where appropriate.

5. Provide stronger incentives and certifications for cyber security. The government should not dictate specific cyber security standards for U.S. businesses and individuals to follow, because the threat adapts far too rapidly for the government to ever be able to respond effectively. However, it can and should encourage better cyber security through various incentives and certifications. For example, organizations like Underwriters Laboratory have long provided safety testing and certifications standards for a wide range of commercial products. The government could similarly establish a federal certification for computer software that meets certain safety standards, and then recommend that consumers only purchase software or use services that have earned that certification. It might also consider tax breaks for companies that use certified software.

The government can also use incentives and certifications to remove barriers that prevent companies from improving cyber security, such as the threat of liability and lack of insurance. After the 9/11 attacks, for example, Congress passed the 2002 SAFETY Act, which encouraged private companies to develop anti-terrorism technologies by providing acertification that shields them from liability. In late April, the Department of Homeland Security awarded the certification to a cyber company, FireEye, for the first time, and more are sure to follow. In essence, this creates a form of free cyber insurance.

Today’s cyber threat to the United States holds the potential to be the most dangerous and disruptive threat faced by the nation since the end of the Cold War. The nuclear balance of terror has thankfully receded, but the hidden threat of massive disruption to a nation now almost wholly dependent on cyber networks is real. The U.S. government needs to raise the national consciousness of this little recognized and poorly understood risk, and start adopting the laws and policies needed to avoid the worst effects of a significant cyber disruption.

Lt. General David W. Barno, USA (Ret.) is a Distinguished Practitioner in Residence, and Dr. Nora Bensahel is a Distinguished Scholar in Residence, at the School of International Service at American University. Their column appears in War on the Rocks every other Tuesday.

No comments: