03.26.10

Cult of Cyberwar: I’ve already seen this movie

Posted in Cyberterrorism at 1:27 pm by George Smith

Everyone in the political class and mainstream media acts as if the current news about cyberattacks on the nation is unique.

It’s not.

There was a paroxysm on it back in 2003 when the first strategy to secure cyberspace was unveiled.

At the time, I was asked to comment on an old article addressing it in the National Academy of Science’s Issues in Science & Technology magazine.

Here’s the thing:

“Cybersecurity: Who’s Watching the Store?” is a very welcome appraisal of the nation’s de facto laissez-faire approach to battening down its electronic infrastructure. Authors Bruce Berkowitz and Robert W. Hahn’s examination of the National Strategy to Secure Cyberspace is timely and accurate in the assessment of its many shortcomings.

Less delicately stated, the strategy does nothing.

It is curious that it turned out this way, because one of its primary architects, Richard Clarke, had worked overtime since well before 2000 ringing alarm bells about the fragility of the nation’s networks. At times, Clarke’s message was apocalyptic: An electronic Pearl Harbor was coming. The power could be switched off in major cities. Cyber attacks, if conducted simultaneously with physical terrorist attacks, could cause a cascade of indescribable calamity.

These messages received a considerable amount of publicity. The media was riveted by such alarming news, but the exaggerated, almost propagandistic style of it had the unintended effect of drowning out substantive and practical debate on security. For example, how to improve the after-the-fact, reactive, and antiquated antivirus technology on the nation’s networks, or what might be done about spam before it grew into the e-mail disaster it is now, never came up for discussion. By contrast, there was always plenty of time to speculate about theoretical attacks on the power grid.

When the Bush administration’s Strategy to Secure Cyberspace was released in final form, it did not insist on any measures that echoed the urgency of the warnings coming from Clarke and his lieutenants. Although the strategy made the case that the private sector controlled and administered most of the nation’s key electronic networks and therefore would have to take responsibility for securing them, it contained nothing that would compel corporate America to do so.

Practically speaking, it was a waste of paper, electrons, and effort.

GEORGE SMITH

Senior Fellow

Globalsecurity

Pasadena, California

The most recent iteration of this is the Cybersecurity Act of 2009, which just passed in the Senate Commerce, Science and Transportation Committee.

I’ll talk about it in more detail in a future post, but a couple of things immediately jump out. They revolve around what the Congressional committee is said to have ‘found.’

The ‘findings’ are simply requotes from the chieftains of the Cult of Cyberwar.

I’ve written about this repeatedly during the year and the Senate deviates not one iota from the script delivered by the cult. (For background see here on the practice in which only a few select ‘experts’ dominated the entire national discussion on the topic, as well as here and here more recently.)

The same people that comprise the Cult of Cyberwar make up the frontispiece of the legislation: Mike McConnell, James Lewis, Alan Paller and a partner of Richard Clarke’s, Paul Kurtz.

Here are the salient pieces:

Paul Kurtz, a Partner and chief operating officer of Good Harbor Consulting as well as a senior advisor to the Obama Transition Team for cybersecurity, recently stated that the United States is unprepared to respond to a ‘cyber-Katrina’ and that ‘a massive cyber disruption could have a cascading, long-term impact without adequate co-ordination between government and the private sector.’

Alan Paller, the Director of Research at the SANS Institute, testified before the Congress that ‘the fight against cybercrime resembles an arms race where each time the defenders build a new wall, the attackers create new tools to scale the wall. What is particularly important in this analogy is that, unlike conventional warfare where deployment takes time and money and is quite visible, in the cyber world, when the attackers find a new weapon, they can attack millions of computers, and successfully infect hundreds of thousands, in a few hours or days, and remain completely hidden.’

According to the National Journal, Mike McConnell, the former Director of National Intelligence [and the head salesman for Booz Allen Hamilton’s cybersecurity unit], told President Bush in May 2007 that if the 9/11 attackers had chosen computers instead of airplanes as their weapons and had waged a massive assault on a U.S. bank, the economic consequences would have been ‘an order of magnitude greater’ than those caused by the physical attack on the World Trade Center. Mike McConnell has subsequently referred to cybersecurity as the ‘soft underbelly of this country.’

The Center for Strategic and International Studies report on Cybersecurity for the 44th Presidency concluded that (A) cybersecurity is now a major national security problem for the United States, (B) decisions and actions must respect privacy and civil liberties, and (C) only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will make us more secure. The report continued stating that the United States faces ‘a long-term challenge in cyberspace from foreign intelligence agencies and militaries, criminals, and others, and that losing this struggle will wreak serious damage on the economic health and national security of the United States.’

This one above is deceptive because it’s James Lewis incognito. One wagers his name was not included so that readers will conclude there was more variety and depth to the research than there actually was. Lewis is cited a second time in the very next finding.

The selection of Congressional ‘findings’ is remarkable for how narrow-sourced it is.

The question is not whether the state of security on the Internet is fragile and often totally lacking. It is. And because of this country’s daily transactions with it, the issue deserves serious work and attention.

The more accurate observation is that the United States is a really big country with many, many cybersecurity experts in academia and in the private sector.

And they’re not present in this selection of staged material. The remedies and problems are described by fewer people than the fingers on one hand. As a thought exercise, one can contrast this with the year-plus process of producing healthcare reform, and the national debate over it, such as it has been.

The failure of the first strategy to secure cyberspace was that the government took no role. It was designed to be this way.

Everything was left to the market. And Richard Clarke and James Lewis were two guys who were instrumental in that.

Now it’s seven years later and there’s much lip service paid to the realization that it was worthless. And so there is now an aim to have government take some kind of leading role.

However, the current state of the legislation is generally vague on how this is going to be done, or how it even departs from regular practice, except in some trivial areas, so far.

If one reads the bill closely there is also an insistence on “creating a market for cybersecurity risk management, including the creation of a system of civil liability and insurance (including government reinsurance).”

Only heaven and the staffers know what this means. However, when one talks about creating a ‘market’ for cybersecurity risk management, it sounds suspiciously like what exists now: very little government role or regulation, with cybersecurity risk management furnished by big corporate cybersecurity vendors, who assess and manage risk independently and according to what best suits their profit margins.

All for now.

The bill is here.