Cyber activities were in the news this week as Mandiant released a report claiming that China has been engaged in cyber-attacks on US targets, both private and public. Of course, this must mean that the sky is falling. My colleagues have written two posts on the subject, one detailing China’s potential strategies and one examining potential US strategies for countering cyber-attacks. If I may briefly steal from one of these posts, I will be focusing on the idea that, in the words of former top FBI cyber-attorney Steven Chabinsky, “There is no way we are going to win the cyber security effort on defense. We have to go on the offensive.”
Chabinsky is correct in his initial statement, but far off on his solution. It is imperative that the United States shift away from the idea that cybercrime can be prevented. Put simply, it cannot. There is no firewall that one can build that will be immune to attack. At best, one can buy a small window of safety until the first crack in the armor is found. The only way to attain safety would be unplugging from the network, which carries with it more costs than rewards. Additionally, protecting from future hacks may be difficult when potential hackers already have access to the system. In other words, hackers from all over the world are already up in your systems, observing your actions. This is not a palatable idea, but it is one to which the world needs to adjust.
It is also important to recognize that China is not the only offender. Everyone is getting in on the game. As far back as 2009 (and likely further, but this is not meant to be a comprehensive post) Russia, as well as China, was believed to have hacked into US electric grids. But beyond foreign countries, it cannot be ignored that the United States is using cyber weapons offensively as well. There is evidence that the United States was directly involved in the creation and deployment of Stuxnet, and possibly Flame, against Iran in 2010. The cyber world is a veritable free-for-all. Then there are instances of non-state groups, such as Anonymous, taking down the CIA’s web page.
What does all this mean? Does it mean nothing can be done and the world should resign itself to a cyberpocalypse? Emphatically, no. Firstly, it is crucial to distinguish between real threats and those which are not. Anonymous, for example, is simply not a significant threat to states. Taking down the CIA’s homepage may look bad to the world, but in reality it is similar to a teenager tagging a billboard with a can of Krylon. Visible, but not very threatening. Additionally, it is key to recognize organized versus unorganized groups. China, Russia, and the United States are organized states. Anonymous is hardly organized at all. It is a loose group of people who chat on 4chan and other like sites, mostly for the purpose of making extremely off-color jokes and looking at pictures of cats. “Groups” like Anon should not be ignored, but worrying about them to the same degree as state actors is absurd.
What type of system one is dealing with is a critical question as well. Hacking American nuclear facilities is much more dangerous than attacks on the New York Times. It may be possible to enhance obstacles to penetrating some critical infrastructure nodes, but in these specific cases it may be worth working on off-line solutions. Sure, it is entertaining when Iranian nuclear site computers start blasting AC/DC’s classic “Thunderstruck,” but it would not be nearly so entertaining were a hacker to take control remotely of a facility’s operating procedures. That problem is a whole order of magnitude larger than email passwords.
Beyond recognizing where real threats are, it is also important to enhance cooperation between agencies and businesses. In this way the United States (and others) can more effectively monitor what has been compromised and what has not. While it is wise to operate under the assumption that one has already been penetrated, not everything is being hacked all the time. Tracking intrusions more methodically can allow for better strategic thinking.
Neither of these suggestions offers a “solution” to the problem. They merely allow for better targeting of resources and ways to buy time. In the communications era one should be wary of easy fixes. Returning to Mr. Chabinsky’s comment, offense is not the right path forward. Certainly, offense may serve other policy goals, such as delaying Iranian nuclear progress in the case of Stuxnet, but it holds no solution for hacking attempts against the United States. In the case of China and Russia, an offensive posture will only encourage more of the same – a cyber-arms race if you will. As my colleague, Mr. Payne, states, “China has managed to increase tensions with its neighbors, failed to make strong inroads along its Western borders, and increased the suspicions of the world’s strongest nation.” This is a gain for US strategy and an attack would only level the playing field with dubious returns.
The world is not ending. Communications technology simply brings with it new challenges. The world should respond to these new challenges cautiously until the full dimension of the changes becomes known. Chabinsky is correct that defense is not wholly sufficient, but he is wrong that an offensive posture is the solution.
Please note that the views expressed in this piece do not represent the official policy or position of the National Defense University, the Department of Defense, or the U.S. government.