Recommendations for Dealing with Cyber Threats and Warfare
Dave Carlson - January 26, 2007
In his book on defending the U.S. homeland from cyber-threats, Cordesman lists thirty recommendations for U.S. homeland defense. The five recommendations discussed in this article specifically deal with the federal government’s ability, or inability, to define and mitigate cyber-warfare challenges. The United States is on the right path toward protecting against various cyber threats, but it still faces a long and challenging labyrinth of solutions. The greatest hurdle is the difficulty the myriad of government agencies, at all levels, have in communicating and coordinating with each other effectively. Is there hope? Of course! We need to ensure that, as a nation, we do not lose focus of our objective -- to meet the challenge of constantly changing cyber threats.
Recommendations for Dealing with Cyber Threats and Warfare
Cordesman (2002) lists thirty recommendations for homeland defense. This article will discuss the merits of five of those recommendations:
- Define cyber-warfare: “The U.S. government must establish a clear distinction between general cyber-crime and cyber-warfare, and tailor the federal role and response accordingly” (p. 168).
- Determine defense response: “The U.S. needs to determine what its real vulnerabilities are, and what action is needed to deter attacks, provide defense, and to respond” (p. 169).
- Define intervention requirements: “The federal government needs to decide at what point federal intervention is required” (p. 171).
- Develop response doctrine: “The U.S. government needs to develop a clear response doctrine” (p. 173).
- Deliver effective programs: “Create an effective set of programs and future year budget plans to implement an effective federal effort” (p. 176).
All of Cordesman’s recommendations have merit. The five recommendations selected for discussion in this paper specifically deal with issues related to the federal government’s ability to define and mitigate challenges related to cyber-warfare.
The first step in problem solving is to define the problem. To accurately define a problem, one must have a purpose for solving that problem. “If you don’t have a purpose then you don’t have a problem” (Michalewicz & Fogel, 2004, p. 2). This paper assumes the U.S. government has a purpose for solving its cyber-warfare and the related cyber-terrorism problem.
Quoting Dorothy Denning, a professor of computer science who testified before the House Armed Services Committee in May 2004, Weimann (2004) shares an “unambiguous definition of cyberterrorism” (p. 4).
Cyberterrorism is the convergence of cyberspace and terrorism. It refers to unlawful attacks and threats of attacks against computers, networks and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives. Further, to qualify as cyberterrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyberterrorism, depending on their impact. Attacks that disrupt nonessential services or that are mainly a costly nuisance would not. (Weimann, 2004, p. 4)
Many malevolent cyber acts have been carried out in recent history, and many of them cause a great deal of financial and emotional harm to organizations and individuals. However, not all of these acts can be categorized as cyber-warfare. “The U.S. faces an inevitable ongoing and growing problem with cyber-crime and low-level cyber-attacks with motivations ranging from treating hacking as a sport to employee sabotage and ideologically driven terrorism” (Cordesman, 2002, p. 168).
The challenge for U.S. homeland security is to identify which cyber acts constitute threats to national security. Cordesman (2002) suggests that private users and corporations must provide a defense against at least 90% of cyber attacks (p. 168).
Alford (2000) suggests the following definition for Cyber Warfare (CyW): “Any act intended to compel an opponent to fulfill our national will, executed against the software controlling processes within an opponent’s system. CyW includes the following modes of cyber attack: cyber infiltration, cyber manipulation, cyber assault, and cyber raid” (p. 105). Only after the U.S. has defined specific cyber-warfare and cyber-terrorism components can it determine an appropriate response.
Determine Defense Response
Cordesman (2002) argues that the U.S. does not have a credible defense response to cyber attack, primarily because there is no clear determination of real vulnerabilities. “At present, there seems to be little coherent vulnerability analysis, little prioritization, and little effort to distinguish what level of federal role is really involved” (p. 169). In some cases, Homeland Security is trying to establish defense responses to undefined threats.
Shotgun blast approaches to evaluating vulnerabilities are inefficient at best. Trying to hit the most targets with the least effort may be an appropriate strategy for duck hunting, but certainly is not the appropriate response to continually changing specific vulnerabilities. “It can be argued that many who assess cyber-vulnerability fail to evaluate the ongoing evolution of defensive efforts in reaction to the constant pressure from crackers and cyber-criminals” (Cordesman, 2002, p. 170).
When I was in Army Basic Training, Sergeant First Class Wascom, my marksmanship instructor, used to say “a soldier who shoots at nothing will hit it every time” (personal communication, July 1978). His intent was to encourage his students to identify a specific target before squeezing the trigger. In practical application, random shooting rarely was as effective as deliberate identification of a specific target. The same principle applies when establishing a response to cyber attack. It is important to focus on a specific threat and attack it directly, instead of relying upon generic defensive strategies.
In February 2005, the Department of Homeland Security released an updated national plan for critical infrastructure protection. While that is a very positive step in the correct direction, GAO (2005) identified that this Interim National Infrastructure Protection Plan “does not yet include detailed plans for addressing cybersecurity in the infrastructure sectors” (p. 29). In response to this deficiency, GAO (2005) recommended that the Secretary of Homeland Security “perform a national cyber threat assessment” (p. 60). Only after there has been a comprehensive definition of the problem can the U.S. develop an effective defensive solution.
Define Intervention Requirements
There needs to be a clear definition of what constitutes an attack of sufficient magnitude to require a national response. Cordesman (2002) asks the question, “What is the level of organized foreign, terrorist, or extremist attack that individual users cannot be expected to defend against” (p. 171)?
The federal government needs to concentrate its limited strategic assets on responses to attacks that threaten key infrastructures, government functions, and significant sections of the nation’s economy (Cordesman, 2002, p. 171). Cyber-crimes against individual corporations, while devastating to the corporation, are not a high enough priority to attract the focused attention of a national effort at cyber defense.
As more modern companies move key operational functions to the Internet to improve efficiency and reduce costs (Weimann, 2006, p. 161), they increase their vulnerability to attack. There must be a definition of the boundary that exists between financial inconvenience to a corporation and physical danger to the public. A specific sector which must be explored is the energy sector.
If someone broke into the computer systems of a major electrical company and modified billing records to reduce all customer account balances by 10%, would that incident merit federal intervention? How about if that same cyber intruder shut down power to a single manufacturing plant -- would that merit federal intervention? What if the intruder was able to force the electrical grid to surge and blow out a local transmission station, generating a cascading surge through an entire network of power systems and causing a power outage that affected millions of people, including dozens of hospitals? Would that merit federal intervention?
While it is not possible to create a list of every conceivable event that would or would not merit federal intervention, there need to be more effective methods for determining when federal intervention is required. Limited threats may be ignored, but the appropriate organizations must address cyber attacks that could cause significant strategic damage.
Develop Response Doctrine
Cordesman (2002) acknowledges that there is no question about which organization has the responsibility for response to cyber attacks from a military opponent—it is the U.S. Military. However, there is no clear delineation of responsibility for offensive action against cyber attacks by an unknown entity (p. 173). Cordesman (2002) proposes that the United States should develop “a deterrent capability for massive retaliation that could convincingly devastate the information and communication systems of any opponent, cripple its economy, and produce direct and indirect casualties far higher than any opponent can inflict upon the US” (p. 173).
A major roadblock to a rapid response to cyber attacks is the lack of a centralized chain of command to direct an appropriate response. “Response times are incredibly important in this area, and multiple layers of approval will fatally compromise any action by adding excessive latency” (Cordesman, 2002, p. 173). The Department of Homeland Security is, however, taking appropriate steps in the right direction with its formation of the National Cyber Response Coordination Group “to coordinate the federal response to cyber incidents of national significance” (GAO, 2005, p. 55). Even so, there remains much to be done. The following section further addresses this issue.
Deliver Effective Programs
An obstacle to effective defense against cyber threats is the lack of communication between government agencies. The 9/11 commission report identified “official resistance to sharing information as a key reason the government failed to thwart the 2001 terrorist attacks” (Williamson, 2007, ¶ 2).
Steven Aftergood, an open-government advocate who runs the Federation of American Scientists' Secrecy News blog, eloquently expressed this problem when he said, "You need an anthropologist to understand how these bureaucracies function" (Williamson, 2007, ¶ 6). Williamson (2007) noted that the government tends to over-classify information and that individual agencies have their own unique methods of identifying the classification of information (¶ 10).
Even though a plethora of classification methods exist among federal agencies, there is a ray of hope for overcoming this obstacle to effective programs. Congress has authorized the President to create an “information-sharing environment (ISE) program” (Williamson, 2007, ¶ 2). The purpose of this program is to move toward a method that allows effective sharing of terrorism-related information between all levels of government—from the President of the United States down to the mayor of a small town (Williamson, 2007, ¶ 2).
On November 22, 2006, the President approved ISE privacy guidelines. To balance the openness of information sharing created by the ISE, “protecting privacy and civil liberties is a core tenet of the Information Sharing Environment” (www.ise.gov). It appears this program is on the right track toward improving the ability to develop effective counter-cyber-terrorism programs.
The United States is on the right path toward protecting against various cyber threats, but it still faces a long and challenging labyrinth of solutions. The Department of Homeland Security is the lead agency responsible for many of the concerns related to cyber security. Several hurdles remain that may be insurmountable in the near future. The greatest hurdle is the difficulty the myriad of government agencies, at all levels, have in communicating and coordinating with each other effectively. Is there hope? Of course! We need to ensure that, as a nation, we do not lose focus of our objective -- to meet the challenge of constantly changing cyber threats.
Alford, L. D. (2000, Spring). Cyber warfare: Protecting military systems [Electronic version]. Acquisition Review Quarterly, 100-120. Retrieved January 23, 2007, from http://www.dau.mil/pubs/arq/2000arq/alford.pdf
Cordesman, A. H. (2002). Cyber-threats, information warfare, and critical infrastructure protection: Defending the U.S. homeland. Westport, CT: Praeger.
GAO. (2005, May). Critical infrastructure protection: Department of Homeland Security faces challenges in fulfilling cybersecurity responsibilities [Electronic version]. Highlights of GAO-05-434, a report to congressional requesters.
Michalewicz, Z., & Fogel, D. B. (2004). How to solve it: Modern heuristics (2nd ed.). Berlin: Springer-Verlag.
Weimann, G. (2004). Cyberterrorism: How real is the threat? (Special Report 119) [Electronic version]. Washington, DC: United States Institute of Peace.
Weimann, G. (2006). Terror on the Internet: The new arena, the new challenges. Washington, DC: United States Institute of Peace.
Williamson, E. (2007, January 24). Group attempting to simplify terror alerts: Current system of notification called chaotic, confusing. MSNBC Politics. Retrieved January 24, 2007, from http://www.msnbc.msn.com/id/16781030/