WEDNESDAY SEPTEMBER 21, 2011

The Wrong War: The Insistence on Applying Cold War Metaphors to Cybersecurity Is Misplaced and Counterproductive
Cybersecurity,Technology,InformationTechnology,Defense,Crime PeterW.Singer,Director,21stCenturyDefenseInitiative NoahShachtman,NonresidentFellow,ForeignPolicy,21stCenturyDefenseInitiative GovernmentExecutive

AUGUST15,2011

Foreverybigpolicyissue,there'susuallyaparallelthatcanbefoundinthepast.AsMarkTwainonceputit, "Historydoesnotrepeatitself,butitdoesrhyme." Theproblemforpolicymakers,though,isidentifyingwhichtuneitexactlyisthattheyarehearing.Whileapplying lessonsfromthepastcanbeausefulanalytictool,wefrequentlyuneartholdanalogiesthatmaynotbetheright fitforthenewproblemweface.Indeed,mostoftenweturntothesongsweknowbest,theoneswehummedin ouryouth,whenothersmaybemoreapt.Forinstance,seniorAirForceofficersduringtheVietnamWarclungto astrategicbombingcampaignmoresuitedtotheirearlyexperiencesbombingNaziGermanythanaThirdWorld insurgency,whileinturn,therecentdebateaboutAfghanistankeepsechoingbacktobabyboomerconcerns aboutwhethera21stcenturywarwouldbe"Obama'sVietnam." Today,thehitmakersofWashingtoncouldbemakingasimilarmistakewhenitcomestocybersecurity,tryingto jamanewissueintothewronghistoricframework.Thenewrhythmsofonlinecrime,spyingandstatecraftare unfamiliar.So,perhapsnotsurprising,they'returningtoanoldparallelthattheyspentmostoftheirprofessional livesworkingon:theColdWar. ColdWar,WrongWar Againandagaininpolicycircles,cybersecurity'sdynamics,threatsandresponsesareconsistentlycomparedto thetechnologyofnuclearweaponsandthestandoffbetweentheUnitedStatesandSovietUnion.FormerNational SecurityAdviserBrentScowcroft,forinstance,describestheColdWarandcybersecurityas"eerilysimilar,"while journalistDavidIgnatiussummeduphismeetingswithtopPentagonofficialsina2010articletitled"ColdWar FeelingonCybersecurity." EventhenetworksecurityfirmMcAfeeissusceptibletosuchtalk."Webelievewe'reseeingsomethingalittlelike acyberColdWar,"McAfeeVicePresidentDmitriAlperovitchsays.Thisattitudeculminated,perhaps,withwhat

isreportedtobeintheclassifiedversionoftherecentDefenseDepartmentcyberstrategy,whichannounceda newdoctrineof"equivalence,"arguingthatharmfulactionwithinthecyberdomaincanbemetwithparallel responseinanotherdomain.Swapinthewords"conventional"and"nuclear"for"cyber"and"kinetic"andthenew doctrineisactuallyrevealedtoessentiallybetheold1960sdeterrencedoctrineof"flexibleresponse,"wherea conventionalattackmightbemetwitheitheraconventionaland/ornuclearresponse.ThePentagon'sCyber CommandandBeijing'sPeople'sLiberationArmy'sThirdArmyDepartmentnowfillinfortheoldStrategicAir CommandandtheRedArmy'sStrategicRocketForces. TheproblemisthatthesongisnotthesameandthehistoricfittotheColdWarisactuallynotsoneat. Cyberspaceisamanmadedomainoftechnologicalcommerceandcommunication,notageographical chessboardofcompetingalliances.TheColdWarwasacompetitionprimarilybetweentwosuperpowers,with politicalleadershipanddecisionmakingclearlylocatedinWashingtonandMoscow,eachthecenterofanetwork ofalliedtreatiesandclientstates,andaThirdWorldzoneoverwhichtheycompeted.Bycontrast,theInternet isn'tanetworkofgovernments,butthedigitalactivitiesof2billionusers,travelingacrossanetworkownedbyan arrayofbusinesses,mostly5,039Internetserviceproviders,thatrelyalmostexclusivelyonhandshake agreementstocarrydatafromonesideoftheplanettotheother,accordingtoBillWoodcockandVijayAdhikari intheirarticle"SurveyofCharacteristicsofInternetCarrierInterconnectionAgreements"fromPacketClearing House.TheColdWaralsowasawarofideasbetweentwocompetingpoliticalideologies.Themajorityofthe Internet'sinfrastructureisinthehandsoftheseISPsandcarriernetworks,asistheexpertisetosecurethat infrastructure.Theideasatplaysometimestouchonideology,buttheyalsorangefromissuesofprivacyand humanrightstoTwitterpostsaboutJustinBieber'snewhaircut. Thisdisconnectgoesmuchfurther.ThebarrierstoentryforgainingtheultimateweaponintheColdWar,the nuclearbomb,werequitehigh.Onlyafewstatescouldjointhesuperpowers'atomicclubandneverinnumbers thatmadethesesecondtiernuclearpowerscomparabletoU.S.andSovietforces.Bycomparison,theactorsin cyberspacemightrangefromthrillseekingteenagerstocriminalgangstogovernmentsponsored"patriotichacker communities"tothemorethan100nationstatesthathavesetupmilitaryandintelligencecyberwarfareunits. Theissuesincybersecurityaremoreofforensicsandattributionandsubtleinfluencethanoldfashioned deterrence.Thus,theideaofmakingoldschoolnuclearandcyberattacksequivalentmayhaveacertainappeal, butinthecyberrealmyoumaynotknowwhoattackedyouorevenwhenandifyouwereattacked.Takethe Stuxnetworm,whichwasallegedlydesignedtohandicaptheIraniannuclearprogram.IttooktheIranians(aswell asmostcybersecuritycompanies)severalmonthstorealizetheywereunderattack,andevennowthesourceof thatattackisbasedmoreonforensicbacktrackinganddeductionthanonanyobvioussource,suchasan intercontinentalballisticmissile'slaunchplume. ThereisoneColdWarparallelthatcouldholdtrue,however.Manyoftoday'sdiscussionsofcybersecurityin Washingtonarereminiscentofthebizarredebatesovernuclearweaponsinthe1940sand'50s,inwhichhypeand hysteriarangedfreely,realworldversionsofDr.Strangeloveweretakenseriously,andhorriblepolicyideaslike theArmy'sPentomicdivision(whichwasorganizedtousenuclearartillery,asifitwerejustanotherweapon)were actuallyimplemented.As"LovingtheCyberBomb,"arecentstudybyactualcyberexpertsatGeorgeMason University'sMercatusCenter(asopposedtothemanyColdWarriorswhonowhaverebrandedthemselvesas cyberexperts)found,thereisamassiveamountofthreatinflationgoingoninWashington'sdiscussionofonline dangers,mostfrequentlybythosewithpoliticalorprofitmotivesinhypingthethreats.It'sanewversionoftheold

"missilegap"hysteria. MindtheGap Theresultofthisfundamentalmisunderstandingisthatinthepress,acyberattackcouldunquestioninglybe portrayedasamassivepixilatedmushroomcloudloomingovereveryAmericancity(asthecoverofthe Economistmagazinehadit).InWashington,malwarecouldbedescribedas"likea[weaponofmassdestruction]" (Sen.CarlLevin,DMich.)ableto"destroyoursociety"(Scowcroft),meaningitshouldbelookedatas"an existentialthreat"(Adm.MikeMullen,chairmanoftheJointChiefsofStaff).Buttherealityisthatevenanallout cyberconflictwouldn'tcomparetoaglobalthermonuclearwarthattrulydidthreatentoendlifeonEarth.Norhas therebeenaHiroshimasizedpreludeyet.Forexample,themuchvauntedRussianattackonEstoniain2007was aconcerntothecountry'sgovernment,whichsawitswebsitesblockedanddefaced,butitbarelyaffectedthe dailylifeofmostEstonians. InGeorgia,Russiancyberattacksin2008tookdownsomeexternalfacinggovernmentwebsitesforafewdays, butthesewerepeanutscomparedwiththeactualdamagecausedbyactualRussianmissilesandbombsinthe accompanyingwar.Indeed,theverynextyear,a75yearoldwomanwasabletooutdotheentireRussian cyberwarfareapparatususingamereshovel.Outhuntingforscrapmetal,sheaccidentallycutacableandtook outallofneighboringArmenia'sInternetservice.Yet,nolocalorglobalcatastropheensuedfromthefarmore effectivephysicalactionsofthissocalled"spadehacker." Similarly,the2009attacksagainsttheUnitedStatesandSouthKoreaarerepeatedlycitedasexamplesofwhata stategovernment(NorthKoreaisusuallyclaimedinthisinstance)candototheUnitedStatesinthisrealm,but theactualresultwasthatthewebsitesofNasdaq,theNewYorkStockExchangeandTheWashingtonPostwere intermittentlyinaccessibleforafewhours.Thewebsitesrecovered,andmoreimportant,theseinstitutionsand thosethatdependonthemwerenotirrecoverablylostasifarealweaponofmassdestructionhadhitthem. Theproblemwiththreatinflationandmisappliedhistoryisthatthereareextremelyseriousrisks,butalso manageableresponses,fromwhichtheysteerusaway.Massive,simultaneous,allencompassingcyberattacks onthepowergrid,thebankingsystem,transportationnetworks,etc.alongthelinesofaColdWarfirststrikeor whatDefenseSecretaryLeonPanettahascalledthe"nextPearlHarbor"(anotheroverusedandillsuited analogy)wouldcertainlyhavemajorconsequences,buttheyalsoremaincompletelytheoretical,andthenation wouldrecover.Inthemeantime,arealnationalsecuritydangerisbeingignored:thecombinationofonlinecrime andespionagethat'sgraduallyunderminingourfinances,ourknowhowandourentrepreneurialedge.Whilewould becyberColdWarriorsstareattheskyandwaitforittofall,they'regettingtheirwalletsstolenandtheiroffices robbed. Roughly7millionAmericansreportedthattheysuffereddirectlyfromcybercriminalactivitylastyear,while accordingtotheBritishgovernment,onlinethieves,extortionists,scammersandindustrialspiescostbusinesses anestimated$43.5billionintheUnitedKingdomalone.Internationally,thesenumberstotalinthehundredsof billionsofdollars,creatingahugedragontheglobaleconomy.TheyalsoareslowlyreducingtrustintheITand innovationindustrythatpoweredmuchofAmerica'seconomicgrowthoverthelasttwodecades(allthemore importantduringamanufacturingdecline).Thesecompromisesofcriticalintellectualpropertythreatento underminethelongtermadvantagestheUnitedStateshasenjoyedineconomictrade.TakethesocalledNight

Dragonattacks,whichliftedcorporatesecretsfromWesternenergycompaniesjustbeforetheyweretobid againsttheChineseonmajoroildeposits.Theresult:billionsofdollars'worthofbusinesslostoverthenextfew years.Suchespionageevenhasstrucksmallbusinessesallthewaydowntotinyfurniturecompanies.The problemalsohitsnationalsecurity.LookatthecompromiseofU.S.officials'emailaccountsbyChinabased hackersanddiplomaticcablesbyWikiLeaksrevealinginternalsecretsandjeopardizingexternalalliances.Orlook attherepeatedpenetrationofLockheedMartinCorp.,makeroftheF35JointStrikeFighterthelargestweapons programinPentagonhistory.Terabytesofunclassifieddatarelatedtothejet'sdesignandelectronicssystems werestolen.Theselostbytesrepresentbillionsofdollarsinresearchanddevelopmentandyearsoftechnologic advantagegone,makingiteasiertocounter(orcopy)ourlatestwarplane.Andasasignofthingstocome, securitytokens,allowinginfiltratorstopassascompanyemployees,laterweretakenaswell. ThePirateCode IfthemostaptparallelisnottheColdWar,thenwhataresomealternativeswecouldturntoforguidance, especiallywhenitcomestotheproblemofbuildingupinternationalcooperationinthisspace?Cybersecurity's parallels,andsomeofitssolutions,liemoreinthe1840sand'50sthantheydointhe1940sand'50s. MuchliketheInternetisbecomingtoday,incenturiespasttheseawasaprimarydomainofcommerceand communicationuponwhichnoonesingleactorcouldclaimcompletecontrol.Whatisnotableisthattheactors thatrelatedtomaritimesecurityandwaratseabackthenparallelmanyofthesituationsonournetworkstoday. TheyscaledfromindividualpiratestostatefleetswithaglobalpresenceliketheBritishNavy.Inbetweenwere statesanctionedpirates,orprivateers.Muchliketoday's"patriotichackers"(orNSAcontractors),theseforces wereusedbothtoaugmenttraditionalmilitaryforcesandtoaddchallengesofattributiontothosetryingtodefend farflungmaritimeassets.IntheGoldenAgeofprivateering,anattackercouldquicklyshiftidentityandlocale, oftentakingadvantageofthirdpartyharborswithlooselocallaws.Theactionsthatattackermighttakeranged fromtradeblockades(akintoadenialofservice)totheftandhijackingtoactualassaultsonmilitaryassetsor underlyingeconomicinfrastructuretogreateffect. DuringtheWarof1812,forexample,theAmericanprivateerfleethadmorethan517shipscomparedwiththe U.S.Navy's23and,eventhoughtheBritishconqueredandburnedtheAmericancapitalcity,causedsuch damagetotheBritisheconomythattheycompellednegotiations. Iftherearecertainparallels,whatthenarethepotentiallessonswemightadapttothesituationtoday,otherthan attemptingtohanghackersfromtheyardarm? Maritimepiracyisstillwithustoday.Butit'sconfinedtotheshoresoffailedstatesandonarelativelyminuscule scale(roughly0.01percentofglobalshippingisactuallytakenbymoderndaypirates).Privateering,theparallelto themostegregiousattackswehaveseeninthecyberrealm,hasnotonlyfallenoutoffavorasamilitarytactic,it longagobecametaboo.WhileprivateeringmayhavewontheWarof1812fortheUnitedStates,by1856,42 nationshadagreedtotheDeclarationofParis,whichabolishedprivateering,andduringtheCivilWar,President Lincolnnotonlyrefusedtorecruitplunderersforhire,butalsoblastedtheConfederatesasimmoralfordoingso themselves.Remember,twogenerationsearlier,employingthesehijackershadbeenacornerstoneofAmerican navalstrategy.Bythe1860s,itwasn'tsomethingcivilizedgovernmentsdidanymore.

Thewaythischangecameaboutisinstructiveforcybersecurityandglobalrelationstoday.Muchlikethesea, cyberspacecanbethoughtofasanecosystemofactorswithspecificinterestsandcapacities.Responsibility andaccountabilityarebynomeansnaturalmarketoutcomes,butincentivesandlegalframeworkscanbecreated eithertoenablebadbehaviorortosupportgreaterpublicorder. Inclampingdownonpiracyandprivateeringatwoprongedapproachwasadopted,whichwentbeyondjust shoringupdefensesorthreateningmassiveattackastheColdWarriorswouldhaveit.Thefirststepwastogo aftertheunderlyingmarketsandstructuresthatputtheprofitsintothepracticeandgreasedthewheelsofbad behavior.LondondismantledmarketsfortradingpiratebootypiratefriendlycitieslikePortRoyal,Jamaica,were broughtunderheel,andblockadeswerelaunchedonthepotentatesthatharboredthecorsairsofthesouthern MediterraneanandSoutheastAsia.Today,therearemodernequivalentstothesepiratehavens.Forexample,the networksofjust50Internetserviceprovidersaccountforaroundhalfofallinfectedmachinesworldwide, accordingtoastudypreparedfortheOrganizationforEconomicCooperationandDevelopment.Justthreefirms process95percentofthecreditcardtransactionsforthebogusdrugsadvertisedbyspammers,accordingto researchpresentedattheIEEESymposiumonSecurityandPrivacyinMay.Whenoneparticularlynoxious hostingcompanyMcColoCorp.ofSanJose,Calif.wastakendown,thevolumeofspamworldwidedroppedby 70percent.Withoutthesupportofthesecompanies,onlinecriminalenterprisescan'tpracticetheirillegalaction, whichnotonlycleanstheseas,butalsomakesiteasiertoidentifyanddefendagainstthemoreseriousattacks oninfrastructure.And,muchlikethepiratefriendlyharborsofold,thosecompaniesandstatesthatallow cybercrimealegalfreepassaregenerallyknown. Thislinkstothesecondstrategy:buildingnetworksortreatiesandnorms.AsJaniceThompsonrecountsinher seminalstudy,Mercenaries,PiratesandSovereigns(PrincetonUniversityPress,1996),maritimehijackers(and theirstateapprovedcounterparts)becamemarginalizedasnationsassertedgreatercontrolovertheirborders,and establishedamonopolyonviolence.Throughoutthisperiod,awebofbilateralandmultilateralagreementswas establishedthataffirmedtheprinciplesofopentradeovertheopenseas.Fewofthesedocumentsexplicitly abolishedpiracynorweretheyuniversallyaccepted.Buttheypavedthewaytoaglobalcodeofconductthat eventuallyturnedpiratesfromacceptedactorsintointernationalpariahs,pursuedbyalltheworld'smajorpowers. Theyalsoestablishedthatanyrespectformaritimesovereigntywouldcomeonlywhenanationtook responsibilityforattacksthatemanatedfromwithinitsborders. ThecyberparalleltodayagainismoreinstructivethantryingtorepeatColdWararmslimitationtalks,as proposedinafewrecentthinktankpolicyreports.(GoodlucktryingtocountbotnetsasiftheywereICBMsites!) Rather,whatisneededisthegradualbuildupofaninternationalagendathatseekstocreateastandardofonline behaviorthatguaranteeslawfulcommerceandholdsaccountablethosewhotargettheWeb.Thesharedglobal expectationoffreedomoftheseasshouldbeparalleledbyasharedglobalexpectationoffreedomofInternet trade.Ifyouknowinglyhostorabetmaritimepiratesorprivateers,theiractionsreflectbackonyou.Thesame shouldbetrueonline.Buildingthosenormswillmotivatebothstatesandbigcompaniestokeepabettercheckon individualhackersandcriminals(thepirateequivalent).Italsowillweakenthevalueofoutsourcingactionto patriotichackersandcontractors(thelatterdayprivateersusedsooftenbystateslikeRussiaandChina).Andit willhelpcreateamoredistinctlinebetweencivilianandmilitaryconductandtargets,amajorconcernofU.S. cyberactors. Inadditiontoencouragingthisnewaccountability,policymakersalsocanpursueconfidencebuildingstrategies

thatcouldhaverealpayoffs.Backintheearly1800s,forexample,theRoyalNavyandnascentU.S.Navy constantlypreparedtofighteachother.Buttheyalsocooperatedinantipiracyandslavetradingcampaigns.That cooperationhelpedunderscoreglobalnorms,aswellasbuiltgreatertrustbetweenthetwoforcesthathelped mitigatethetruedangerofactualmilitaryconflictduringseveralcrises.Similarly,theUnitedStatesandChinawill certainlycontinuetobolsterourcyberdefensesandevenoffenses.Butthisshouldnotbeabarriertotryingto buildgreatercooperation.Inparticular,wemightlaunchaninitiativetogoafterwhattheChinesecall"double crimes,"thoseactionsincyberspacethatbothnationsrecognizeasillegal. Theunderlyingpointhereisthatinnavigatingtheemergingissueofcybersecurity,policymakersaregoingto havetobemorethoughtfulthanblindlytryingtoapplythelessonsfromtheirownpersonalpast.While cybersecurityisacruciallygrowingissueofbotheconomicandsecurityimportance,thetorturedcyberColdWar parallelsoftheiryoutharenotasfruitfulastheirwidespreadusewouldseem.Indeed,theyarelessusefulthana lesserknownmaritimehistoryofpastcenturies. Butfortheseandanyotherhistoricparallels,thereisalimit.Weshouldusesuchmetaphorstoopennew horizonsandperspectives,notcreatenewbarriers.Indeed,asMarkTwainalsosaidinacorrectivetohisidea thathistory"rhymes,"thereis"butonesolitarythingaboutthepastworthremembering,andthatwasthefactthat itispast."