There’s a lot more going on behind the scenes, of course, but White House Cybersecurity Coordinator Howard Schmidt has this week done the world a big favour by deflating the rhetoric of cyberwar being perpetrated by certain elements of the US security community.
Last weekend, Mike McConnell, ex-Director of National Intelligence, and currently vice-president of Booz Allen Hamilton, wrote an inflammatory op-ed in the Washington Times, declaring that the US was fighting – and losing – a cyberwar. He called for massive security investment, a re-engineering of the internet, and drew a number of spurious conclusions from a disparate range of examples to support his argument. Ryan Singel took him to task in an excoriating piece at Wired, which laid bare the inconsistencies and self-interest at the heart of McConnell’s statement. I get the sense that Singel had basically had enough of the American public being taken for a ride, and his post for one of the internet’s most respected media outlets may well mark a significant point in cybersecurity discourse.
Two days ago, Schmidt took the time to talk with Singel and to make his own mark on the debate:
Howard Schmidt, the new cybersecurity czar for the Obama administration, has a short answer for the drumbeat of rhetoric claiming the United States is caught up in a cyberwar that it is losing.
“There is no cyberwar,” Schmidt told Wired.com in a sit-down interview Wednesday at the RSA Security Conference in San Francisco.
“I think that is a terrible metaphor and I think that is a terrible concept,” Schmidt said. “There are no winners in that environment.”
This is a serious rebuttal to the claims of those like McConnell who explicitly support a return to Cold War thinking – and spending – and will hopefully be backed by the Obama administration in both words and deeds. I’m not going to get into why we shouldn’t expect too much on that front now, but it’s very encouraging that the senior US cybersecurity administrator is making it clear that cybersecurity measures should not be predicated on the incorrect assumption that the US is on a war footing in cyberspace; it’s not. There are live issues of espionage and crime, as Schmidt points out, but a dishonest appeal to fears of persistent military threat is not a sound basis for good policy, domestic or foreign.
{ 5 trackbacks }
{ 10 comments… read them below or add one }
There is a cyber-war going on right now, with China, North Korea, Iran and others going full bore to disrupt US cyber-operations, if not destroy the ability to operate within that medium. And these attacks are from agents of those governments.
I was at a breakfast lecture about a month ago with Gen Lord, the USAF “Cyber” gawd . He discussed the challenges associated with waging cyber-war and in his view, the enemy is over the wall and we must now fight within our home. We are fighting a defensive war rather than an offensive war.
This is troubling because we all recognize that wars fought purely defensively are ones that you can’t win. Why aren’t we admitting that we are in a cyber-war? I see three main reasons:
1) When it comes to conducting offensive operations, telecommunication law (most drafted in the 1930′s) are unable to adjust and accommodate the cyber-battlefield. We simply can’t fight the war the way it needs to be fought because we are hamstrung by archaic laws.
2) The administration has more pressing issues they wish to fight for (health-care), and do not want to expend political capital or budget to fight the war that needs to be fought.
3) The administration doesn’t want to point an accusatory finger at an attacker when there is no chance the administration will do anything about the attacks, thereby making the administration look weak and ineffective.
Of the hundreds of thousands of daily cyber-attacks against the DOD, most cyber-attacks are by some pimple-faced young kid in his mothers basement. Nonetheless, the fact remains that a sizable amount of attacks have been found to be orchestrated by governments hostile to the US.
So, to me, it is not dishonest to warn against a persistent military cyber-threat, i.e., “cyber-war.”
This would not be the first time the administration is downplaying threats for political purposes. Mexican Army incursions along the US-Mexico border number in the hundreds and the administration excuses such incidents merely as the Mexican Army being “lost,” when in fact, they are escorting drug smugglers and are outfitted with GPS.
No-one is suggesting that there is no risk, or that there are no threats. I’m just curious when espionage became a de facto act of war. Threats do not equal risks either, and you have to ask whether declaring cyberwar is actually a proportionate response to likely vulnerabilities and consequences.
It’s also slightly weird that you can be so critical of the administration’s political position, yet so uncritical of the political agenda of the security agencies and the military.
My point was simply that there is a cyber-war going on and the current US administration appears, in my opinion for the purposes noted, not to accept that fact.
What is an act of war or a mere act of espionage is a good question. However, the sheer number of the attacks and the confirmed sources of these attacks indicate that a cyber-war is in progress, not just espionage.
How do we know the attack is coming from a hostile country rather than some angst-ridden teenage brat? How can we be sure that if we “hack-back” and blow up his screen we are actually striking at a state/non-state player possessing hostile intent? Well, we do have ways. . .hamstrung by archaic laws.
Regarding political agendas, curious you find my position “weird.” Personally, I may be weird (right, Rob?) but my position certainly isn’t without merit. You see, after decades of military service, from the field to touch with the White House, and after a little more than a decade of working outside the military and in DC, I’ve seen plenty of military agendas. Military agendas are not classically political in nature, as in partisan for party or movement.
As you know, life taking is not a game. It’s serious real world stuff and military leadership knows it. Their brother servicemen pay the price in blood for decisions they make, or recommend, in DC, and therefore, by rare exception only, military agendas are driven by efforts to buy the right kit, maintain what they have, train better and fight more effectively.
Intelligence agencies. Not as much direct experience, but enough to know that political appointees are subject to the winds of politics much more than the career intelligence agent or analyst. I respect deeply career intelligence men, not so much the politico’s.
Which leave the administration, current or otherwise. White House administrations are a fickle lot. Some come into power dedicated to doing what is right, some, not so much. Right now, not so much.
To be clear, when I say “. . . . in DC, and therefore, by rare exception only,. . . ” I mean it is rare that military leadership has nothing but the best in mind for the troops and nation, and are not driven by some sort of political or venal agenda.
Tim, what about the “dual-use” nature of electronic espionage? Can it even be classified as espionage? I can understand the duality of espi0nage/act of war in a cold war context (that is, locating America’s nuclear silos and capabilities is vastly different to pilfering a nuclear warhead). But in an electronic context, the line between such things is blurred, if it exists at all. After all, if someone can gain access to DoD networks, then they are theoretically in a considerable position of power to do damage or cripple America’s military. Going back to the cold war duality of espionage, it’s as if locating a nuclear silo is commensurate with being able to walk off with the warhead.
Unfortunately, we are fighting a war…rather anyone wants to admit it or not. If a terrorist group or hostile nation were attacking us with missiles everyday, we would call it a war. This is beyond a law enforcement issue, as many would like to suggest. Jim Lewis from CSIS has a great analogy – if a foreign power drove up to Pentagon, walked in stole boxes of data and destroyed the computers, we would react. In cyberspace, we chose to basically do nothing
Not true. The security agencies of many a state are doing an awful lot in cyberspace. The point Schmidt was correctly making is that espionage, in your example, does not necessarily constitute an act of war. Nor does cybercrime. Characterising everything as ‘war’ is incredibly unhelpful.
Sure, the US and its allies are indeed fighting wars – on terrorists and insurgents, last time I looked. I think we’d all admit that, and it would be bizarre not to. They are also conducting cyber operations in support of their foreign and domestic security objectives. But are ‘we’ now about to embark on a ‘war’ on identity theft, or cyberbullying, or anything untoward in cyberspace, just because it’s in cyberspace? That strikes me as a very circuitous and solipsistic argument. The rather unsubtle upshot of that argument is that it would effectively be a declaration of war upon China or Russia or whoever – do you think that’s useful?
You can’t fight a war (in the legal sense) against terrorists. The legal framework and force brought to bear simply aren’t applicable. A useful way of sidestepping this could be recognizing that groups (such as FARC or Al Qaeda) have areas where they can be called terrorists and areas where they can be called insurgents. Of course one of the problems with theories in general is that they can only partially define a subjective reality.
Considering the nature of the problem I’d argue that at most probably only a few thousand people* in the U.S could say if we actually are fighting a cyberwar, and if we are then who is winning. ‘Cyberwarfare’ has not been defined sufficiently in my opinion, the mechanics of fighting one are largely unknown to the public, and since the marks of such a war are mostly confined to the computers involved it isn’t easy for anyone not involved to find out about it – especially since one method of this type of attack is to prevent the victim from learning of it.
*That might sound like a large number, but that makes up a rather small percentage when you consider how many people work for the U.S government.
Cyberspace is like the sea, or space itself – we have far greater interests in maintaining open multilateral access to it than we could possibly have in disrupting it.
I am cheered by this and also by the SDR consultation paper that notably turns down the volume on “cyberwar”.