By Brett Williams
Assured access to cyberspace is a key enabler of national security, so the answer to the question in the title is: we should all care. Two of the defining characteristics of a strong, modern, industrial nation are economic prosperity and a credible defense. The ability to use cyberspace has become indispensable to achieving both of these objectives.
Business and finance executives, as well as senior defense leaders, rely on cyberspace for exactly the same thing—to get information, move information and use information to make better decisions faster than the competition. Despite the importance of cyberspace, there continue to be senior leaders in both the private and public sectors who find themselves ill-equipped to deal with critical cyberspace issues. It is not uncommon to find that these leaders are comfortable providing strategic guidance regarding operations, resource allocation and personnel management across all of their areas of responsibility with the exception of cyberspace. There tends to be a lack of shared understanding between senior personnel who know they need cyberspace to be successful and the technical staffs charged with securing the networks, services and applications that make the organization run. The danger with this dynamic is the potential for de facto delegation of critical decisions to technical experts who do not have the education, training or experience to serve as senior leaders.
Cyberspace is complex, hard to visualize and — to many people — an esoteric concept that they do not need to comprehend. The best way to approach cyberspace at the executive level is to understand that cyberspace adds a new dimension to both economic competition and politically driven conflict, but the existence of cyberspace does not require a fundamental change in our strategic approach to either. This is a difficult premise to accept because “experts” have done a great job of advocating that cyberspace can only be understood by the most technically advanced among us. Becoming overly focused on the technical dimension, however, creates strategic inversion where the most senior leaders become inappropriately engaged with the tactical and technical details to the detriment of effective decision-making. Our senior executives and leaders do need to get a lot smarter about cyberspace, but they do not personally need the skills to configure a router or break an encrypted password. This article provides an executive overview of five cyberspace topics that may be useful to stimulate further exploration by those charged with providing and sustaining economic prosperity and national defense.
What is it?
Words matter. Routine misuse of the word “cyber” is one reason we do not have a common framework for discussing cyberspace. Cyber should not be used as a verb nor should it be used as a noun that can stand on its own. Saying “cyber” should not automatically connote a cyberspace attack nor should it drive one immediately to assume that cyberspace activity is all about spying, espionage, crime or challenging our right to privacy. The term cyber is most useful as part of the compound word cyberspace and cyberspace is simply the man-made domain created when we connect all of the computers, switches, routers, fiber optic cables, wireless devices, satellites and other components that allow us to move large amounts of data at very fast speeds. As with the physical domains—land, maritime, air, space—we conduct a variety of activities in cyberspace to benefit individuals, commercial entities and governments. The key difference between cyberspace and the physical domains is that cyberspace is man-made and constantly changing. That characteristic offers both opportunities and risk.
Part of the global commons
Cyberspace should be classified as a dimension of the global commons. Viewing cyberspace as part of the global commons sets the stage for a number of useful analogies that facilitate the development of policy, domestic and international law, safe operating procedures, individual rights, commercial use, national interests and myriad other issues that we have worked through for the maritime and air domains. Establishing and enforcing accepted norms for operating on the high seas and in domestic and international airspace is a process that never ends. Technology changes, political interests evolve and competition for resources is continuous. Territorial rights in the South China Sea and debate on the use of remotely piloted aircraft for personal, commercial and government use are examples of how governance of the “legacy” global commons requires constant attention. Cyberspace requires an analogous governance mechanism to define and protect individual, business and nation-state rights. Some of the challenges to creating an accepted governance structure are the ubiquitous nature of cyberspace, the fact that access to cyberspace for good or evil can be cheap and non-attributable and, as opposed to the static nature of water and air, the cyberspace domain itself is in a perpetual state of change. We do not need to start from scratch with this work. In the maritime and air domains we have defined roles and responsibilities for all of the users and at times they intersect. Countering piracy is a good example. Individual boat owners and commercial shipping companies require the freedom to operate on the high seas. They are expected to take prudent measures to protect themselves, but at some point the threat exceeded the capability of the private sector and national naval forces stepped in to curb piracy off the African coast. There are clear analogies to the piracy problem when we define roles and responsibilities in cyberspace for individuals, private entities and states.
Arguably, current concerns over government dominance of cyberspace are overblown. The fact is no single entity can control what goes on in cyberspace and we need both law enforcement agencies and military organizations to have access to cyberspace in order to protect and enable the free, legitimate use of the domain.
The opportunity for cheap, anonymous access to cyberspace creates an inviting environment for a broad spectrum of malicious activity. The threat commonly manifests itself in the form of cybercrime where individuals or specific companies suffer financial loss. More concerning is the opportunity to create a widespread effect that undermines faith and confidence across financial markets. An example of this occurred in April 2013 when a hacked Twitter newsfeed propagated a false report of an explosion at the White House. Within minutes, the U.S. stock market plunged, reflecting a “loss” of over $130 billion. While the index recovered rapidly, this incident provided a clear warning of our vulnerability to malicious cyberspace activity given the hyper-connected, information-driven nature of the business environment. What would happen if instead of a hacked Twitter account, a major business or financial firm found itself the object of a destructive cyberspace attack that rendered thousands of computers inoperative?
There is a tendency to look at networks, systems, data and operators simply as revenue generators or costs that must be controlled. It is important to understand that there are actors who instead see all of these components as targets. First are the cyber criminals who are just after the money. Second are competitors who seek critical information or intellectual property that may give them an advantage. This threat is equally concerning to both the defense and non-defense sectors. Third is the insider threat; no matter how well you think you know your team, you must be vigilant. The fourth adversary is the one with the greatest potential to affect national security. This is the state-sponsored adversary who seeks to weaken a government strategically by attacking critical infrastructure or essential components of the national economic system. The state-sponsored attacker may have access to resources that can overwhelm almost any private or government-sponsored defense capability. Cyberspace attack is appealing to this fourth class of adversary because it provides an asymmetric, low-visibility avenue of approach and many of the targets are likely unprepared since they do not even consider themselves targets. The threat is real, growing and in many cases underestimated or not even observed. Raising the level of threat awareness without succumbing to the hype of a “cyber holocaust” is a balance that senior leaders must strike.
Ensuring freedom of access for legitimate use
Effective cybersecurity is hard, expensive and we don’t do it very well. Our approach to cybersecurity should start with the assumption that legitimate use of the domain will always be challenged and there are defined responsibilities for individuals, corporations and the state. In the physical world we expect people to lock their doors at night, be wary of their surroundings and know who it is they are trusting to safeguard things that are important to them. Businesses are expected to expend resources to protect things like your money or your personal records. And the state is expected to direct law enforcement and defense activities to ensure the health and safety of its citizens. All of these concepts apply to cyberspace. We are currently challenged to execute this interdependent defense concept in cyberspace due to a variety of technical, policy and privacy issues, all of which we will eventually resolve. Something we can and should do now is establish a three-component security approach.
The first component consists of the usual safeguards like anti-virus, firewalls, data encryption and user training and compliance. We put a lot of effort into these programs and yet we are still attacked. The reason is there will always be breakdowns in network security implementation, users who click on malicious links, insider threats and determined high-end adversaries who can overcome the best defenses. The fact is the attacker has the advantage in cyberspace. The second component can be referred to as active defense. Active defense consists of “hunting” in your networks for threats that have gotten past the baseline security measures. Active defense is used solely on essential networks, data and systems and only works if cued by intelligence information that allows the hunt teams to focus on specific adversaries that have the capability and intent to go after the vulnerabilities most important to you. Hunting uses heuristics and big data analytics to identify anomalous behavior that may indicate an adversary is in the network. The third component of cybersecurity is closely controlled and authorized, at least in the U.S. It consists of operations throughout cyberspace using either law enforcement or military authorities to seek out malicious actors, warn the potential victims and provide the option to take proactive actions to stop the attack. It is important to note that neutralizing an attack does not and should not be limited to cyberspace alone. The government has a wide variety of diplomatic, information, military, economic and legal tools to coerce the attacker and it needs to use all of them. Additionally, there are commercial and private sector entities that have used a variety of legal mechanisms to deter or stop attacks before they affect critical systems.
This third component of cybersecurity raises a number of challenging policy issues both domestically and internationally, but if one considers the advantage the attacker has over the defender in cyberspace it becomes quickly apparent that building higher castle walls is not going to stop all the arrows. We have to be willing to go after the archers. Doing so sets the stage for deterrence. The principles of deterrence for cyberspace are no different than those outlined by Brodie, Schelling and others 50 years ago. We have to define red lines and be willing to enforce them. We must be resilient enough to survive the first salvo. Most importantly, our adversaries must know that we can impose unacceptable costs in a variety of ways and that, if our core interests are threatened, we are willing to do so.
Senior leadership for cyberspace
Expanding the portfolio of our senior leaders so they can provide effective strategic direction regarding cyberspace operations is an immediate imperative. The most successful senior leaders have the ability to deal with complex problems that have no single, simple solution. These leaders are successful not because they know how to do everyone’s job. They are successful because they know their people, they understand what each part of the organization does to generate success and they have sufficient understanding of all component functions to know when something needs their detailed attention. When it is necessary to “deep dive” on a problem, good leaders have the ability to interact with the experts and make a decision. These tenets of successful executive leadership apply to cyberspace as well. One of the goals of this essay was to generate interest in developing appropriate executive-level cyberspace expertise.
Cyberspace is everywhere and even though we cannot see it or touch it, it is fundamentally important to all of us. No matter what your role in society, the ability to use cyberspace provides incredible opportunities along with risks. Hopefully, this article has provided some additional perspective and offered encouragement for informed debate and dialogue on an increasingly important aspect of national security.
Maj. Gen. Brett Williams is the Director of Operations, J3, U.S. Cyber Command. The opinions expressed here are solely those of the author and do not reflect the position or opinions of the Department of Defense.