Recently it was brought to my attention that Raytheon was seeking Cyber Warriors in answer to Presidents Obama’s call for cyber security response and change. When you consider that the resulting legislation storm has left us with a host of actions on the table and you have a perfect storm. David Ronfeldt recently published a substantive treatise on the state of the current debate discussing specifically a collaborative model for cyber defense. Considering the ramifications and past practices his position echoed by Michael Tanji in “We need a broker not a boss” is likely our only hope for success. Let me explain more in depth.
Information assurance and security, cyber security, computer security, systems threat reduction, information operations, computer network defense, computer network operations, or any other descriptor explains the tale of an issue in identity. The previous mentioned Raytheon cyber warriors advertisement for employees lists help desk as a position. The Raytheon add talks about cyber ninjas. Help desk is a cyber warrior? I’ve discussed in the past the idea of cyber soldiers and cyber warriors versus simple hooligans. Simply put the help desk is not going to be waging war unless the enemy is in the data center.
We are having issues identifying and staying true to a principle of what warfare is versus law enforcement versus business. Using the language of war for peacetime activities is fraught with risk. To be blunt I study cyber warfare as low intensity conflict. A model where the actions of state and non-state actors have the impetus and effects of war like results. Information operations as defined by JP 3-13 IO is an aspect of where cyber warfare tools (multiple use to be sure) can be used. However, it is only a shadow of the implications. Stretching a definition to get federal funding though is nothing new. When it comes to digital or computer communications though we have been here before.
The CSI/FBI computer crime statistics is one of the most quoted documents on computer crime. It even says so right on page 1. It also honestly says something is up in the statistics. In the past this has been attributed by various authors as either companies not wishing to provide details, crime definitions that are not understood, or various other sampling or reporting errors. Now consider this little gem. If one of the most quoted, rigorous, supported, basically standard documents and research systems on computer crime is puzzled by vastly different results (as well they should be) how can we even hope to talk about cyber warfare realistically? If the bread and butter of some of the largest government systems (FBI, DOD & NSA) seemingly can’t come together on common definitions when we are talking about fully legislated issues such as cyber crime how will we be able to discuss cyber warfare?
What has happened in the legislative halls and in the leadership circles fully supported by the blogger community and mass media is a massive switch. When you hear cyber warfare and somebody is talking about the Georgia/South Ossetia, Estonia, Iran, or North Korea examples they really don’t know what they are talking about. Though political purpose may be within the results of the non-state actors it is simple truth that nations currently cannot be at war with individuals. Even without the veil of computers when nations have to deal with real world non-state actors with real world evidence there are sticky legal issues. These acts such as the Estonia example can be crippling or debilitating but when you examine the facts they do not stand up to the concept of warfare. This international budgeting shell game or rigged game of three card Monty is really about the dollars.
Computer security has been a solved problem for a long time. The number of journal articles, industry white papers, and computer conference proceedings with tested tools is substantial. We can find in the literature described in detail the requirements for securing a system back in 1974. That is 36 years of computer security research, billions upon billions of tax dollars, and man millenniums of work effort that has resulted in little change. It is a moving target and we have to admit that security is not ever a done deal in the sense that it is perfect.
Computer security is about risk mitigation and mitigation means there is always the chance of loss. So in this we chase consistently an increasing set of requirements. When I first started computer security as a profession in the 1980s we hid the dial in phone numbers and wrote scripts to protect foreign log ins. The operating systems of today are much more secure out of the box, but often the maintenance is overlooked and has been for a long time. It isn’t sexy to do maintenance. Buying new equipment brings the vendor paid for lunches, rolling out sexy new applications cost money, and rarely are the maintenance costs considered. To be honest security sucks.
So why not roll out a new term and jump up and down pocketing the money? We’ll call computer security cyber warfare and fund it in the name of national security. Nobody will notice the total lack of war in cyber warfare as vendors provide shiny technology trinkets that don’t work. The brand new Air Force Cyber Command is not a combatant command it is a training command. What? The new Department of Defense cyber command will do all kinds of neat stuff and tacked onto the end of the description is something about offensive cyber operations. It is also not a combatant command and primarily organizational for defense of military networks. In this particular case by setting the NSA up as the controller and supporting element for all military networks creates a strange singularity of command and control which we will see has political ramifications.
What is very obvious though is we are still stuck thinking about cyber warfare as if it were computer security. This creates issues with the implementation and consideration of cyber warfare. Cyber warfare is a spectrum of capabilities from the soft power aspects of information operations through the hacktivism of political groups all the way up to systemic destruction of real world infrastructure through cyber means.
It is easy to trot out an expert like myself or even better somebody congress would recognize and have them tell the truth. Cyber warfare has the ability to kill millions of people, disrupt communications for weeks or even months, debilitate national military capability instantly, and then hide said expert from media scrutiny. What is harder is to explain that cyber warfare is not computer security. No military teaches defense only, teaches response only, or tells their soldiers to take a whack before responding. Maybe it is my Marine Corps heritage talking but the cliché is sound “The best defense is a good offense”. Politically maybe that is harder to sell though cloaking computer security in cyber warfare terminology seems strangely paradoxical.
There is clear and present danger in turning over large segments of the largest communications medium on the earth to the military in the name of security. This kind of power grab is ripe for abuse and the NSA has already been implicated in violations of the principles of democracy. Knowingly not taking action on possible criminal efforts to empower a federal agencies agenda is simply criminal not politics. The point though is moot. There is at this point no plan on how to secure the cyber infrastructure. If computer security is a solved problem but hasn’t been fixed anyways, and if cyber warfare is nothing but glorified language to define computer security then why are we turning all that over to people who shouldn’t be touching it and have a culture of not discussing anything about it? Maybe it is because their silence means we can hide it all better? This is especially true when that same agency has been saying they don’t want the job anyways.
National security is inextricably linked to commercial and government systems. All of the government infrastructure from secure networks to commodity connections run across some kind of commercial system. Whether the infrastructure is “air-gapped” or not the very nature of connectivity means at some point even if done by sneaker net the networks will communicate. This has resulted in silly and onerous actions by the department of defense that treats symptoms rather than the problems. In this mixed up environment computer security and cyber warfare have been artificially conflated together.
A strong organization is needed and a computer security professional is needed to secure government infrastructure. I would have to say I am not impressed with the past efforts of totalitarian and draconian computer security that ignores the most basic principles of computer security risk mitigation. The idea they are going to grab some whacked out silicon valley garage entrepreneur to run computer security efforts is only mildly amusing considering the ramifications. Getting the person to solve the problem from the same people who created the problem seems rather stupid to me. Government security professionals have mistakenly been handling computer security as a technology problem which is rarely true. Computer systems are human centric tools that require human solutions.
As I have said we can solve computer security when we are done soaking tax payers for more money and decide that it is time. Cyber warfare though is a new and growing realm of issues and problems that need defining and investigating. A cyber warfare professional is not going to be some well connected bureaucrat even if wearing generals stars. A cyber warfare professional is going to understand computer security, systems exploitation, strategic and tactical cyber warfare. A cyber warfare professional should be able to talk about the domestic and international legal issues of cyber warfare. This is a multi-faceted position where understanding of military, civilian, commercial and government sectors is required.
Cyber warfare is a wide spectrum of conflict and is possible with real world kinetic results. This is especially true if the attack is hybrid in nature. Cyber warfare almost by necessity breaks most of the traditional rules of armed conflict. If computer security were a solved problem then cyber warfare would be much more difficult. This is the balance of the technical implications of computer security versus cyber warfare. Regardless cyber warfare would still exist. Unfortunately calling everything cyber warfare is harming the discussion of real threats. We’ve been down this path before while discussing terrorism and the war on terrorism. A large part of the discussion we are having should be over defining exactly what we mean by cyber warfare. Until then we should as a community accept the criticism that hysteria has led the charge. This is especially troubling considering the actual, real world, threats to security that cyber warfare brings with it.