The prospect of an assault on the United States through its networks has been a doomsday scenario for a number of years.
It has often been couched in real-world military strategic terminology. “Attribution” is one of these words. To launch a counter-attack, the United States would need to know who is trying to take down its networks.
In this regard, the best defense is a good offense, according to former Department of Homeland Security Deputy Secretary Stewart Baker.
“We’re not going to win this fight by building better defenses, we’re going to win this fight by making it expensive to attack us,” he said during a discussion at the release of a report, “Cyber-Security: The Vexed Question of Global Rules.”
Baker’s advice was for U.S. Cyber Command to improve those capabilities.
“That means we have to do a much better job of attributing attacks, a much better job of mapping adversaries’ networks from where they are launching the attacks. And then we have to show there are consequences to doing that.”
So will there ever be cybersecurity treaties or bi-lateral agreements as is the case for nuclear weapons?
The report, produced by Security and Defense Agenda, a Brussels-based think tank, said the leader of the International Telecommunications Union, a United Nations body, called in 2010 for a “cyber peace treaty.” But his suggestion has received very little traction.
Ellen Tauscher, undersecretary of State for arms control and international security, told a gathering of Washington, D.C.- based defense reporters that she knew of no such agreements in the works at the State Department.
There are questions of how to verify that treaties are being followed, she said.
Meanwhile, some are wondering what good deterrence is if potential adversaries don’t know what the nation is capable of doing? The year 2012 may be when the Defense Department stops being coy about what it can do in the cyber-offense realm, network security firm McAfee said in its annual Threat Predictions report.
“Will this be the Year of Cyberwar, or merely a showcase of offensive cyberweapons and their potential?” McAfee researchers posited in the report.
There are ongoing discussions about cyberwar: What is the definition? Does it even exist? What is an act of cyberwar? Dave Marcus, director of security research at McAfee Labs, noted in an interview. “All the discussions are setting the stage for potential conflict,” Marcus said.
How do you ensure that an adversary is sufficiently afraid of attacking in the digital realm? In the Cold War, the United States would test a nuclear bomb on a Pacific atoll and share the frightening video footage with the world. Simply talking about responses is not the same thing as demonstrating capabilities, Marcus said. Today, some nations are public about their capabilities and conduct cyberwarfare games. That is not the case for the United States. While military officials acknowledge publicly that they have offensive capabilities, they do not say much beyond that in non-classified settings.
The U.S. military may conduct more public cyber-offense exercises, Marcus predicted. Despite numerous, almost daily, headlines about China and other adversaries penetrating U.S. networks, “we seem to take a very passive stance on all this,” he said. “In the media, we appear to be getting walked all over on a daily basis,” Marcus added.
Baker echoed this. “The American approach to fighting war is to try to be aggressive, yet we have been remarkably defensive in this fight. We need to go on the offense in significant ways,” he said.
Cyber Command, meanwhile, needs to do away with the army of lawyers that sit around deciding what the government can and can’t do in cyberpsace, he added.