The challenge of providing a common defense in cyberspace
The release of the White House's National Cyber Strategy last month received little attention, but it marks a significant milestone with its recognition of the lawlessness of cyberspace.
The strategy states of adversaries: "They hide behind notions of sovereignty while recklessly violating the laws of other states by engaging in pernicious economic espionage and malicious cyber activities, causing significant economic disruption and harm to individuals, commercial and non-commercial interests, and governments across the world. They view cyberspace as an arena where the United States' overwhelming military, economic, and political power could be neutralized and where the United States and its allies and partners are vulnerable."
In his comments following the release of the strategy, National Security Advisor John Bolton said that the U.S. government is removing obstacles to the use of cyber weapons. In August, the Trump administration rescinded Obama's Presidential Policy Directive 20, which governed offensive cyber activities. While Bolton did not provide additional detail on classified activities underway, he said that the government's "hands are not tied as they were in the Obama administration."
Given the offensive activities by the nation's adversaries, we must re-evaluate our options and impose consequences, but we must also recognize the United States' inherent weaknesses in cyberspace. The U.S. and its allies -- including government agencies and treaty-based organizations like NATO -- are unorganized for battle in cyberspace today. If we were not critically dependent on networks to operate critical infrastructure and defend ourselves, that would not be so troublesome. However, we can be brought to our knees, and kept there, far too easily.
Despite 20 years of investment in security solutions, checklists, awareness and compliance, little progress has been made. The new cybersecurity strategy misses the point that there is not yet a common layer in place to fuse data in real time on suspicious events, attacks and the ever-changing tactics of malicious actors.
A growing number of companies recognize three cyber realities. First, cyberattacks (like death and taxes) are inevitable. Second, security technologies like firewalls, malware detection and defense driven by artificial intelligence (imagine the doomsday machine in "Dr. Strangelove" for the cyber age) are fallible. Third, the government is ill-equipped to defend us.
The third reality is perhaps the most difficult to comprehend but the most important to accept. Government organizations can't defend the private sector, given constraints on privacy, legal authorities, budget allocations and, most importantly, literal "light speed" attacks.
Unlike a "bolt from the blue" attack during the Cold War days, when we had minutes to react, today's cyberattacks happen instantaneously. The government may assist, but it will struggle to defend us, challenging one of the central goals stated in the Preamble of the U.S. Constitution: to "provide for the common defense."
However, there is hope. Leading private-sector companies are adopting a common means to organize, correlate and integrate data while respecting privacy and competitive issues. They recognize that organizing for defense in cyberspace starts with fusing data associated with suspicious events inside their own companies. In turn, they can integrate data from other companies regardless of economic sector.
The whole is greater than the sum of its parts, with individual companies reducing the time to detect and respond to events by having real-time access to events occurring elsewhere. Knowledge of such events accelerates investigation and enables unaffected companies to pre-emptively increase defenses to thwart attacks. At the same time, boardrooms are learning more about attack trends and the efficacy of security tools and threat feeds. Ultimately, the costs of conducting attacks are increased for adversaries, which at least forces the less capable opponents from the cyber battlefield.
Government use of cyber weapons to strike back against adversaries is understandable, but before unnecessarily increasing the risk of miscalculation and escalation through a more liberal use of cyber weapons, government leaders should examine recent steps in the private sector that address massive vulnerabilities and inherent instability through collaboration among defenders.
The costs of miscalculation can be extremely high for the private sector and ultimately dramatically increase costs for both government and industry. Companies are prepared to lean forward and work with the government to redefine "common defense" for the cyber age.