Shotgiant: NSA hacking ‘revelations’ undercut US strategic narrative (again)

Snowden keeps on rolling, much to the unease – and occasional disgust – of the US and its allies. As it does so, there’s a distinct sense of exasperation even amongst folks who really aren’t gunning for the US or the UK (in particular). Were they really acting in such a way that were their cover to be blown, they would be left with serious egg on their faces? Were they OK with that? Why the serious disconnect between policy and practice? Or, at the very least, why the apparent inability to minimise the visible gap between what the US and allies say they stand for, and what they actually do?

In a sense, there’s little new here: this is the stuff of political scandals ancient and modern. Iran-Contra springs to mind as a modern example of elements of the state apparatus acting in institutionally-condoned contravention of extant legislation and overt policy. There are many, many more and one should not point the finger at the US as the sole – or even worst – perpetrator of double-standards in state activities.

The US may, however, lay claim to being perhaps the most self-defeating. Partly this is due to its status as global hyperpower – anything it does must inevitably be viewed in light of its unique position amongst states. When the loudest voice in the room says one thing and does another, everybody heard it the first time around and remembers what it said. Moreover, opponents are usually only too keen to throw those words back in its face.

So, another exposure in The New York Times, another day. Another opportunity to say, wtf? Or, in conspiracy circles, ‘I told you so’, an utterance generally intended to justify past speculation rather than reasoned argument. This time, it seems that the National Security Agency (NSA) has been up to no good in the networks of Chinese telecoms giant, Huawei.

The problem is not so much that the NSA has been infiltrating a foreign company in the furtherance of the national interest – that much seems normal in a way unthinkable five years ago. The real issue is that Huawei is the company consistently identified in Congress and media as a national security threat to the US – on account of its unproven hacking activities with respect to US networks. Rather inevitably, the US ends up looking like a hypocrite at worst, or strategically incompetent at best.

I’ve written before that it might serve Huawei’s interests to be more open about its business practices, thereby allaying Western suspicions about its links to the Chinese military. In some ways, Huawei has done just that. For example, it has had to allow GCHQ a strong hand in the management of its UK facilities, surely not an easy pill for any private company to swallow. But while Huawei has seen that some compromise is necessary to further its interests, both the US and UK have continued to voice their concerns about the company, specifically framing it as a security threat and making it difficult for the company to do business, in the US particularly.

What the NYT report (also Der Spiegel) shows is that one NSA operation, Shotgiant, has been around since at least 2010. This was tasked with finding links between Huawei and the People’s Liberation Army (PLA), the conclusions of which enquiry we do not know. Over this same period, policy-makers and Congressional committees tore strips off Huawei for its alleged activities: hacking into sensitive private and public sector networks, copying data, impacting US competitiveness, and so on. This might be true – no evidence has been produced to support these arguments or to counter them – but what is apparent is that while Huawei has been accused of such things, the most technically competent agency in the US has actually been doing more-or-less the same.

We can argue about whether the NSA technical operations themselves were in the national interest, or if Huawei is ‘guilty’ or not, or whether the Snowden/NYT/Guardian/Greenwald axis is traitorous/etc, but none of these sideshows is particularly relevant to the main event: the US has been caught with its hand in the cookie jar again. Yes, you can condemn Huawei’s alleged activities as illegal corporate espionage and justify NSA actions as legitimate operations in the defence of the national interest but to the rest of the world that’s splitting hairs and an argument that won’t, for the most part, be heard. The Chinese are, for example, emphatically not blameless in this area but that’s not what people are likely – or even want – to hear.

What is – or perhaps should be – one of the chief lessons of Snowden and, to a certain extent, Manning/Wikileaks, is that justifying covert US military and intelligence operations post facto is a tricky business. When your private actions compromise your public words, you’re in trouble. We common folk have a name for this: hypocrisy.

When what you do damages your reputation because it undermines your strategic narrative, perhaps you either reconsider your narrative or think again about what you do. Preferably, both. Or does the US simply not care? Perhaps hypocrisy is the narrative.

Of course, that’s a naive view of the business of international relations. Or is it?


23 Reasons Why Cyber Strategy is Bunk

Well, that’s not quite what he said at all but Martin Libicki has some words of wisdom for anyone still looking for the ‘digital Clausewitz’, or any similar mould-breaking, genre-defining strategist for the ‘information age’.

In a new article for Strategic Studies Quarterly, Libicki suggests ‘Why Cyber War Will Not and Should Not Have Its Grand Strategist’ [pdf]. He makes three key points about why we should not be looking for a ‘cyber’ equivalent of the ‘classics’ of Mahan, Douhet or, indeed, Clausewitz:

First, the salutary effects of such classics are limited. Second, the basic facts of cyberspace, and hence cyber war, do not suggest that it would be nearly as revolutionary as airpower has been, or anything close. Third, more speculatively, if there were a classic on cyber war, it would likely be pernicious.

On the first, it’s not always a strategist’s fault if those who follow him misrepresent him somehow in word or deed. Basil Liddell Hart laying responsibility for the ‘progressive butchery’ of World War I at the feet of Clausewitz is a case in point. Libicki rightly notes, however, that the ‘classics’ of strategy – land, sea, or air – quite often serve greater heuristic functions than they do guides to action. The danger lies, writes Libicki, ‘when such thinkers are cited as authorities [and] their arguments are converted into answers, at least in the minds of their adherents’. We have to be careful, therefore, in transposing tenets of the classical strategic canon into ‘cyberspace’.

The second point is largely an explanation for the first. Libicki presents a nuanced argument for why cyber war/fare is significantly less revolutionary than it is often presented, a position also taken by several writers of this parish. I won’t rehearse those arguments here, except to say that Libicki is onto something fundamental here: success in the ‘fifth domain’ is often unpredictable, which makes it a very risky proposition, tactically, operationally and strategically. Says Libicki, ‘Everything appears contingent, in large part, because it is’. Hardly the basis for a grand theory of cyber war, he reasons.

The third point stems from the second. If information environments are currently evolving so fast, yet we get locked into ways of viewing them based on past classics of strategy, the effects could be distinctly ‘pernicious’. To summarise a subtle argument in brutal fashion, the strategic utility of cyber war is over-rated but its complexities are under-appreciated. Getting rail-roaded into traditional modalities is ‘misleading, even harmful’, especially if cyber war is sufficiently un-strategic to warrant such a treatment in the first place. The search for a ‘cyber Clausewitz’ is not only potentially counter-productive but essentially pointless.

Libicki’s not arguing for a non-strategic approach to ‘cyber’ but he does offer a compelling argument for why war-fighters and politicians should be wary of expecting too much of this novel medium. We should not await or desire, he argues, the emergence of a strategic colossus because, in the main, there’s no need.

In concluding, Libicki writes:

Furthermore, there are good reasons to believe that its contribution to warfare, while real, is likely to be modest, while its contribution to strategic war is a great deal easier to imagine than to substantiate.

What say you?




New National Security Council Meets Today

Newsflash time. Making good on his pre-election promises, the new Conservative Prime Minister David Cameron will be chairing the first meeting of the new National Security Council today, the Ministry of Defence has announced:

The inaugural meeting of a National Security Council, which will discuss the situation in Afghanistan and Pakistan, will be chaired by Prime Minister David Cameron today, Wednesday 12 May 2010.

The National Security Council (NSC) being established by the Prime Minister will oversee all aspects of Britain’s security and the council will also be reviewing the terrorist threat to the UK at its inaugural meeting this afternoon.

The Prime Minister has appointed Sir Peter Ricketts (Permanent Under-Secretary at the Foreign and Commonwealth Office) as his National Security Advisor, a new role based in the Cabinet Office.

Sir Peter will establish the new National Security Council structures, and co-ordinate and deliver the Government’s international security agenda.

The council will co-ordinate responses to the dangers the UK faces, integrating at the highest level the work of the Foreign, Defence, Home, Energy and International Development Departments, and all other arms of government contributing to national security.

The council will be chaired by the Prime Minister. Permanent members will be the Deputy Prime Minister, the Chancellor of the Exchequer, the Secretary of State for Foreign and Commonwealth Affairs, the Home Secretary, the Secretary of State for Defence, the Secretary of State for International Development and the Security Minister.

Other Cabinet Ministers, including the Secretary of State for Energy and Climate Change, will attend as required. The Chief of the Defence Staff, Heads of Intelligence Agencies and other senior officials will also attend as required.


Strategy, Security and Defence Trade-Offs

The comments of SecDef Gates regarding future US military operations, force structure, ethos, and so on, have been much in the news of late. On this side of the pond, with few concrete signs of who’s going to run the country for the foreseeable future, thoughts are turning once again to what the forthcoming defence review might look like.

The Royal United Services Institute is holding a one-day conference next month, The Future Defence Review: Time for Trade-Offs: SDR 2010, which looks to be asking most of the right questions:

Whether SDR 2010 will be a strategic defence review or a security and defence review, the current fiscal constraints dictate that the UK is at a watershed moment in its strategic history. In setting out parameters for a review, the Defence Green Paper addressed the UK’s global position and national priorities. In the coming months of the defence review, however, as a consequence of the financial crisis the UK government may find itself forced to make trade-offs over critical national strategic principles and priorities. This conference will debate such trade-offs which, among others, may include:

  • Retaining appropriate national autonomy in defence capabilities versus providing capabilities to make a contributory commitment to coalition operations. This raises issues such as whether some capabilities are relevant to both tasks, and at what point along the scale of balance between either option there are capability consequences for one option or the other. A fundamental issue within this particular trade-off is the extent to which political desires to protect sovereign capacity may be limited by the realities of the financial circumstances
  • Developing defence capability to support enduring and sustained engagement in interventions versus capabilities optimised to deliver strategic and operational agility. This trade-off could take the form of a ‘today’ versus ‘tomorrow’ or continental versus maritime trade-off
  • Prioritising ‘home’ commitments (including contributions to NATO and European Union operations close to Europe, as well as domestic national priorities) versus interventions further afield on the international stage, ‘away’ from such domestic priorities
  • Sustaining sovereign defence industrial capacity versus increasing collaboration with – or buying ‘off-the-shelf’ from – overseas partners. A critical issue here is any risk to the security of supply
  • Maintaining forces with sufficient readiness levels versus force regeneration in times of crisis – in the latter case understanding the difference between ‘regeneration’ by surging capability from within the existing force structure, and the challenges (and risks) of ‘reconstitution’ after giving up a capability
  • Focusing on commitments of national obligation, and the demands for national autonomy, versus operations of choice, and examining the extent to which capability options are defined by matters of obligation and to which obligation defines the need for national autonomy in capability

The conference also will address the question of whether the current political circumstances and requirements for fiscal consolidation will see the generation of a review which – in terms of its timescale, priorities and consequences – is inevitably tactical rather than truly strategic. This raises the question of whether a quick review dealing with the short term and driven by financial considerations will precede a more substantial review – and perhaps a more regular series of reviews – over a longer time-scale.

What would you add to this list? Have you any comments on the RUSI agenda? You know that the Ministry of Defence pays close attention to this blog, so perhaps here’s a chance to throw a few more thoughts and opinions into the ring, for policymakers and practitioners to chew over in the months ahead.


What Prospects For Cyberdeterrence?

Cyberdeterrence is – in addition to being an annoying neologism – one of those esoteric subjects that a surprisingly large number of people have been trying to get their head around for years. Deterrence as effect and strategy has been hampered by the lack of a big ‘cyber’ stick – no Apaches, no nuclear warhead – and no clear idea about the legality of offensive or retaliatory computer network operations (CNO), the collateral effects these might have, problems of attribution, and how to have a declaratory policy given these issues and many more.

Rather than bore readers more interested in kinetic operations with further details of the inner workings of this field, I’ll just give a flavour of the discussion given two pieces I saw yesterday.

My Forbes colleague Richard Stiennon wrote a piece for The Firewall yesterday in which he had the following to say about cyberdeterrence:

I suggest that rather than focus on creating a balance of mutual assured destruction such as existed during the protracted Cold War, a more appropriate response to cyber threats is to increase the costs for the attackers by improving defenses.

Students of nuclear strategy will immediately recognise this form of ‘deterrence by denial’. Specifically, this is ‘pre-event’ deterrence by denial, in which the marginal cost of maintaining a defensive measure is less than the marginal cost of investing in offensive measures sufficient to provide a successful attack. That’s a wordy way of saying that if your defences are good, adversaries will eventually give up trying to attack as they can’t afford the arms race to achieve success.

However, this is precisely the approach a new paper claims cannot work. In Leaving Deterrence Behind: War-Fighting and National Cybersecurity, Richard Harknett and colleagues argue that adversaries do not give up:

Relying on deterrence by denial … must be distinguished from temporary deflection of attacks through superior defense. An attacker that is continually probing, but does not launch a full attack because they cannot get around a strong defense, is not an attacker being deterred; it is an attacker being frustrated and contained (defended).

This is because, the authors assert, cyberspace is an ‘offense-dominated security environment’, and they apply offence-defence theory (à la Stephen Biddle) to show this. They conclude that even robust defences

will be undermined eventually as the offense-dominant nature of the environment will allow the attacker to innovate technically, tactically and operationally with some prospective success.

Attempts at deterrence, such as are hinted at in the US Cyberspace Policy Review (2009) [pdf], should therefore be abandoned. They counsel the following:

The inherent characteristics of cyberspace require adoption of a full war-fighting posture that moves out of the fifty-plus year comfort zone of deterrence as the dominant strategic anchor. We must organise thinking about managing cyber-leveraged war so that damage is contained and reduced. Counter-intuitively, these futuristic threats require us to adopt the historical posture of traditional warfare. This does not mean we must accept a perpetual state of war in cyberspace. Importantly, as the ubiquity of cyber grows societally across the globe, effective norms against cyberaggression will become increasingly important in reining in unacceptable forms of behavior in this new realm of human interaction. But, in facing down threats to national security, the United States must organize itself around the reality of war preparation and fighting, rather than the hope of avoidance, as the principle upon which cybersecurity will be advanced.

This is a rather bleak assessment that will find favour with those, like John Arquilla, who favour a war footing for cyber operations, particularly against terrorists. It also reflects a particular sector of US national security thinking that makes claims to be realist but has so far failed to actually make a solid claim to reality. I don’t doubt the logic of the authors but I do get slightly uneasy when I see the ‘teenagers in their basement’ trope wheeled out in support of these arguments. In this case, the insurgent drone intercepts are also mentioned as examples of the threat environment, a situation that would have been avoided by better defensive measures, i.e. encryption of video feeds from UAVs.

That said, Harknett – who knows his onions – and his co-authors (see also their earlier stab at this issue) have made a bold move. I’m not sure that the Obama administration would be very vocal about this strategic shift were they to adopt it, although it would only require, as Harknett et al point out, the dropping of a single word from the 2009 policy review. I’m also not sure that this wouldn’t be throwing the baby out with the digital bathwater.

Other authors, like Richard Stiennon and John Robb, suggest that all options remain on the table. Others, like James Lewis, point out that the pre-eminent cyber-offensive power, the US, currently derives little deterrent effect from those capabilities, which is problematic for a no-holds-barred strategy. For some, state-level deterrence is a function of existing kinetic capabilities – you hack us, we bomb you. That’s fine for all-out cyber attacks but what of espionage, etc, goes the riposte to that view. Also, some of the activities listed under Harknett’s ‘cyberaggression spectrum’ are addressed by a range of civil legal and non-legislative measures, although these deterrence regimes are usually not very effective [pdf].

What is clear is that Cold War nuclear-strategic thought cannot simply be applied to deterrence in information environments. This much is recognised by all parties to this debate, save for a few remaining crusty generals. I suspect, in time, that the US military will be accorded pretty much whatever freedom they wish to operate in cyberspace, against a range of military and non-military ‘threats’. I can only imagine what that will look like in policy terms. It may be as straightforward as dropping the ‘D-word’ and letting the lawyers sort out the rest.


Standing Up a Cyber Command

The BBC has a useful piece on US preparations for cyberwar, Meet USCybercom: Why the US is fielding a cyber army. All four armed services have created single units for cyber operations under the USCYBERCOM umbrella: 24th Air Force, 10th Fleet, and Marine Corps Cyberspace Command are all operational. The US Army Forces Cyber Command is a little behind, but may be activated by October 2010. For an idea of how the US Army views its role in this operational environment, check out its new Cyberspace Operations Concept Capability Plan, 2016-2028 (February 2010, pdf).

US Cyber Command itself is waiting for Senate confirmation of LTG Keith Alexander, currently head of the National Security Agency (NSA) and Chief of the National Security Service (NSS), as head of the command. Given his likely appointment soon, and budgetary approval, USCYBERCOM will be ready to roll.

I recommend reading through the article, as it sets out from interviews the rationale behind the creation of this new command. Also, the single best source on the web for information regarding this topic is Bruce Carleton’s USCYBERCOM Watch. Active since last October, Bruce has kept an eagle and dispassionate eye on developments in this field, and is essential reading for anyone interested in how a massive organisation like the US military creaks and groans as it reorients and reorganises to operate in cyberspace. It’s actually quite striking how quickly it is managing to do this, despite the bureaucratic and fiscal constraints upon it.

Update, 17 March: There’s more info on the preparations for US Cyber Command at defpro.news.


Words Matter, Says UK Office of Cyber Security

Some commenters took me to task a bit for my recent assertion here at KoW that the US is not in the midst of a cyberwar. My argument – one I’ve consistently made over the last year or so, including again in an op-ed for The Guardian earlier this week – is that words matter when it comes to describing risks and threats, and they frame the debates thus engendered. Crucially, of course, they help shape the responses of politicians and practitioners tackling the situations in which they find themselves.

This is not a particularly controversial stance and I find myself a bit baffled why some people might find it odd that I think declaring a de facto cyberwar against Russia and China, amongst others, might not be a particularly useful line to take. Perhaps my detractors are right but the deputy director of the UK Office of Cyber Security (OCS), Air Commodore Graham Wright, seems to agree with me.

Computer Weekly reports that the government is developing a “‘national lexicon’ of cyber English”, which tortured phrase describes the OCS attempt to stem some of the more lurid reports filtering from security agencies into the international media. Specifically, Air Cdre Wright is quoted as follows:

“We talk about the numbers of attacks we suffer … Attack is where you degrade, deny, disrupt or destroy something. But there are times when we need to be very explicit. Was this really an attack or was it theft?

“Most of what people refer to as ‘attacks’ are the exfiltration of data, which is theft or espionage,” he said. “I haven’t seen any reports of attack. Everyone always reports an attack. In most cases it is not an attack, it’s theft and crime, it’s stealing data.”

The OCS hopes a national cyber lexicon would end inexact reports of cyber attacks while clarifying language the UK could use when talking to Nato partners about the actual but as yet unrealised possibility of cyber attacks by foreign powers.

Obviously, Wright is talking more about the tactical/operational level here but it doesn’t surprise me at all to hear that the OCS is trying to pick its way carefully through some tricky terminological territory before fleshing out its response regimes. Just as it matters at this level to be precise about the actions in question, so too does it matter at the strategic level. Whilst I understand the perspectives of some who feel that the White House, in dampening claims of global cyberwar, is playing a political game, are we also going to suggest that Air Cdre Wright is doing the same?

Update: Apologies – the first published draft of this went out with some dodgy HTML. Should be fixed now.


No Cyberwar, Says White House Official

There’s a lot more going on behind the scenes, of course, but White House Cybersecurity Coordinator Howard Schmidt has this week done the world a big favour by deflating the rhetoric of cyberwar being perpetrated by certain elements of the US security community.

Last weekend, Mike McConnell, ex-Director of National Intelligence, and currently vice-president of Booz Allen Hamilton, wrote an inflammatory op-ed in the Washington Times, declaring that the US was fighting – and losing – a cyberwar. He called for massive security investment, a re-engineering of the internet, and drew a number of spurious conclusions from a disparate range of examples to support his argument. Ryan Singel took him to task in an excoriating piece at Wired, which laid bare the inconsistencies and self-interest at the heart of McConnell’s statement. I get the sense that Singel had basically had enough of the American public being taken for a ride, and his post for one of the internet’s most respected media outlets may well mark a significant point in cybersecurity discourse.

Two days ago, Schmidt took the time to talk with Singel and to make his own mark on the debate:

Howard Schmidt, the new cybersecurity czar for the Obama administration, has a short answer for the drumbeat of rhetoric claiming the United States is caught up in a cyberwar that it is losing.

“There is no cyberwar,” Schmidt told Wired.com in a sit-down interview Wednesday at the RSA Security Conference in San Francisco.

“I think that is a terrible metaphor and I think that is a terrible concept,” Schmidt said. “There are no winners in that environment.”

This is a serious rebuttal to the claims of those like McConnell who explicitly support a return to Cold War thinking – and spending – and will hopefully be backed by the Obama administration in both words and deeds. I’m not going to get into why we shouldn’t expect too much on that front now, but it’s very encouraging that the senior US cybersecurity administrator is making it clear that cybersecurity measures should not be predicated on the incorrect assumption that the US is on a war footing in cyberspace; it’s not. There are live issues of espionage and crime, as Schmidt points out, but a dishonest appeal to fears of persistent military threat is not a sound basis for good policy, domestic or foreign.


We Say Cyber, You Say Cyber

“Space is big. You just won’t believe how vastly, hugely, mind-bogglingly big it is. I mean, you may think it’s a long way down the road to the chemist’s, but that’s just peanuts to space.” So advises The Hitchhiker’s Guide to the Galaxy, a book much beloved by men of a certain age, and it’s a comment that could just as well apply to cyberspace.

Calling it anything in the singular seems an overly optimistic terminological bounding. Referring to it as ‘cyber’, as political and military types are wont to do, is an absurdly curt moniker for something that acts through global networks rather than even constituting a thing in and of itself. ‘Cyber’ is a big field though, and where one’s proclivities lie dictates how one reacts to issues of concern.

For example, Bruce Carleton of USCYBERCOM Watch wrote of recent happenings in his chosen field (the clue’s in the title of his blog), “This week was pretty quiet.” By comparison, Steven Bucci of Security Debrief, an industry blog, wrote of a “Wild Week in the World of Cyber”! Both know of which they speak but it does depend where you shine your light in ‘cyber’ whether you find much of note.

It’s not only what you find, but what you want people to see. Two recent stories show how differently cybersecurity-as-national-security is being played out in Whitehall and Washington, for example.

Yesterday, The Register published details of an horizon-scanning document prepared by the Cyber Security Operations Centre (CSOC) for the Cabinet Office. CSOC is one of the two new units called for in last June’s Cyber Security Strategy, and is based at GCHQ in Cheltenham. It is due to become fully operational next month and will gather and disseminate intelligence on network threats to national security and industry partners. In the document, CSOC notes that a “successful cyber attack against public services would have a catastrophic impact on public confidence in the government, even if the actual damage caused by the attack were minimal.” Part of the preliminary work of CSOC, and of the Office of Cyber Security to which it reports, is to determine how best to develop appropriate policies and strategies to combat cyber threats, not least of which is how to relate to the public and media. Discussions are behind closed doors and, whilst opposition politicians decry their apparent silence, they have actually been very busy considering how best to handle the public aspects of cybersecurity.*

Meanwhile, in the US, and trailed here last week, prominent securocrats have taken it upon themselves to engage in a CNN-sponsored exercise, Cyber ShockWave, intended precisely to do what CSOC rightly concludes a real cyber attack might do, i.e. spook the public. Indeed, former Clinton press secretary Joe Lockhart, who acted as presidential adviser during the simulation, was reported in the Washington Post as follows:

[Lockhart] said it was immaterial whether the attack was an act of war; it had “the effect” of an act of war… Lockhart said that people would be scared by the simulation but that “that’s a good thing.” Only then, he said, would Congress act.

The results of the simulation – that the US is unprepared for a major sci-fi cyber scenario – were never in doubt. If such a televised exercise were carried out in the UK it would be interpreted as a very political attempt to exert pressure on the administration and critiqued on that basis, as would its War of the Worlds tone, replete with Wolf Blitzer moderating the action from the White House National Security Council control room. I don’t think non-US viewers can see the program online from CNN but YouTube is your friend, and it can also be seen in full here. Oddly, it was accompanied by a banner saying, “This Program Is A Simulated Exercise”. Surely, that should be “This Program Is About A Simulated Exercise”?

All this is to say that cybersecurity as an element of national security and a subject of political concern seems to be playing out very differently in the US and its main European ally. Whereas the UK is cautious in projecting concern into the public domain, some elements of the US hierarchy seem very determined to make this a public issue of the highest priority. The discourse is different, and is being mediated in a starkly contrasting manner.

*Disclaimer: I attended an OCS workshop in January 2010.


Blunt: UK Silent on Cyberwar

In the new online issue of Defence Management Journal, Shadow Minister for Home Affairs and Counterterrorism Crispin Blunt MP takes aim at the New Labour government’s approach to cybersecurity and concludes that things are moving too darned slow. Notwithstanding the imminent general election (our own SecDef Ainsworth says May 6), are Blunt’s gripes unfounded or not?

Cyber security is one of those issues that intimidate politicians. It is a highly technical field with a wall of jargon that is a barrier to understanding. It is, however, increasingly important to our national security and there is no excuse for our government having been slow to grasp this. It is an issue that everyone has to take seriously and politicians who aspire to have responsibility for the nation’s security must do so more than most.

Has Labour been slow? It’s hard to tell. Last June’s Cyber Security Strategy (CSS) seemed to have been well-timed and, although I’ve heard it described as a ‘policy to have a policy’, it came only a month after the US Cyberspace Policy Review. Last November, Blunt toddled off to Washington to see what the mighty Yanks had been up to and he seems very impressed:

The United States began work on cyber security and cyber defence under President George W Bush and the issue has now been given even greater political emphasis by the Obama administration, which has put it at the centre of its deterrence and security policy.

Part of the US response has been to create a Cyber Command within the Pentagon. Information systems have become essential tools with which to support conventional forces, correspondingly, cyber warfare has become an essential part of every nation’s armoury. If you cannot support your tanks, aircraft and ships with a cyber capability, you are likely to lose a conflict against an adversary that can. Much has been made of the revolution in military affairs flowing from the digitisation of the battlefield; it is essentially a force multiplier. If you cannot defend your networks and disrupt your opponent’s you will be minus that battle winning capability. For most of the 20th Century, air supremacy or at least superiority was an essential tool. Cyber superiority is likely to play a similar role in the 21st Century.

The US has not only grasped this – as we should note, so have the Chinese – but is also thinking deeply about the full spectrum of cyber attacks, from individuals’ identity theft through to espionage and the capability to disrupt a nation’s critical national infrastructure.

Not only the Chinese, Mr Blunt, but also dozens of other states, including Russia, France, and Israel. Why single out China? Zeitgeist, perhaps? He could also have mentioned the UK here but that would have weakened the following criticism:

The UK is proceeding at a more leisurely pace, our cyber security strategy, a diluted version of President Obama’s, was published at the end of June. It has taken three months to establish the new Office of Cyber Security and it will not be fully operational until March 2010. Work in this area is much more urgent than this timetable suggests.

A ‘diluted version’? Well, it didn’t have so many appendices, and it didn’t suggest concentrating responsibility for cybersecurity at No.10, so in that sense, yes, it could be construed in that way, although I prefer to look at it as a British document, not one that was drafted in DC and tweaked for local use.

Second, the Office of Cyber Security (OCS) and its sister the Cyber Security Operations Centre (CSOC) are very busy, if quiet. Both organisations were promised in the June CSS and there have been questions in the House since about their status, resources, remit, etc. By contrast, one of the few concrete recommendations of Obama’s cyber review was to appoint someone to coordinate the huge cybersecurity program outlined in the document. After six months of serious wrangling, this only happened just before Christmas 2009, with the appointment of Howard Schmidt as US ‘cyber czar’. See, Mr. Blunt, things can move even slower in the US.

Cyber security doesn’t respect national borders and international cooperation is essential. The criminalised part of the cyber threat has been addressed in the Council of Europe Convention on Cybercrime. This was submitted for member states ratification in 2001, as an open convention it was ratified by the US in 2006 but, over eight years on, the UK has yet to complete the ratification process.

That is a good point, and I haven’t heard too many mutterings about changing the situation either. It’s worth pointing out that Russia and Turkey have yet to even sign it, and the list of non-ratifying countries is long: Belgium, Czech Republic, Georgia, Ireland, Spain, Sweden, Switzerland…

Although an important step, this Convention does not address national security. As cyber warfare capability gains the potential to bring modern nations to a standstill, this is a glaring gap that has to be filled. All states, including those we have a sometimes difficult relationship with, have too much at stake not to cooperate in this area. We can all unwittingly harbour groups who will attack other states electronically. This was a casus belli (justification for acts of war) when Afghanistan played host to al-Qaeda [was it?]. With the damage that can now be caused by successful electronic attack, this threat must be managed. A new Geneva Convention on cyber warfare is required. This is but one area on which the UK’s cyber security strategy is almost completely silent. Greater urgency and commitment is needed in our response to cyber security, particularly in securing an international legal framework on cyber warfare.

Silent, except for the bit where it says, “The UK is committed to working multi-laterally to develop a strong rules-based international system to promote economic growth and development, as well as mitigate the risk of another state acting to damage our economic well-being in a way that poses a threat to our national security.” It would be silent on a Geneva Convention-style suite of protocols, as these relate to the humanitarian treatment of the victims of war. I think Blunt chose the wrong historical analogy here, unless he really is talking about collateral damage.

I’m not sure this is even worth electioneering on. The Tories have already made it clear that they wish to introduce a Cyber Threat and Assessment Centre (CTAC), which looks to be a more offensive version of CSOC, and will lay “the foundations for the development of a National Operations Centre able to respond to cyber events”. This will presumably be tied into the new War Cabinet National Security Council and Secretariat, also announced in the January National Security Green Paper. Personally, I’m glad government is taking a few months to check out its options in what the Tories themselves call an ‘international and multifaceted’ operating environment. Better that than going off half-cocked in pursuit of whichever chimera has just hove into view this week.