September 1, 2009  

The role of a ‘cyber czar’

While cybersecurity has been much in the news lately, the magnitude of the problem is still greatly underestimated and significantly misunderstood, particularly around theft of intellectual property and the resulting economic threat to the nation. In this area, we have suffered a “cyber-Pearl Harbor” except that this time, the enemy has quietly sneaked into all the ships and opened the underwater valves. At the moment, the water is about ankle deep.

There remain significant questions not only about what the role of the cyber czar should or should not be, but also about how effective any person can be, given the breadth of issues he will face in trying to secure the nation’s military, civil government and commercial networks. That person will have to take on:

• Complex systems engineering problems.

• Sensitive public policy challenges.

• Military command and control interoperability issues.

• Assured continuity of operations for civilian government systems at all levels.

• Protection of commercial intellectual property.

• Operational sustainability of critical national infrastructures.

There are no simple solutions, and the problems will require historic, collective government-industry collaboration. To succeed, the cyber czar will need the power of the federal purse, the mantle of diplomatic authority and inside access to the White House. He will have to be a big-picture planner and a credible voice to industry. Among myriad duties, the czar will have to address four overarching tasks.

1. Protect the U.S.: Assess and set the architecture to protect government networks.

Cybersecurity threats come in three flavors: hackers, crooks and foreign invaders, all of whom have vastly different motives and capabilities, but all of whom are becoming increasingly sophisticated in their abilities to further their objectives. The hackers are in the game for the thrill of it. They work to disrupt things because they can. They are easier to identify and defend against, but they do, on occasion, create significant problems. We all incur costs to mitigate their attacks — costs that will likely escalate with time, as will the level of disruption the attacks cause. A good example is the recent denial-of-service attacks perpetrated on the Web sites of such U.S. government agencies as the U.S. Treasury, the Federal Trade Commission, the State Department and the White House. While these attacks were more about nuisance and harassment than anything more malevolent, there was nonetheless a cost to assess damage, get the sites back online and, more importantly, analyze the sources and potential for future attacks.

Crooks are pretty easy to understand. They are in it for financial gain, and are becoming well organized, technically capable and increasingly global.

At the top of the pecking order, however, are the organized intelligence operations of our foreign adversaries. They are pretty formidable in terms of their capabilities.

Securing the nation’s information infrastructure against these three types of attackers is a global problem and requires not only a public-private collaboration but, within the federal realm, cooperation between civilian and military agencies, and internationally between nations. Among the delicate issues to be sorted through are:

• Privacy vs. security.

• Centralized control vs. autonomy.

• Domestic interests vs. international relations.

• Standardization vs. customized solutions.

Even before delving into network specifics, a consensus will have to be reached for defining the network itself and legal and policy boundary conditions. How much of the Internet will be subject to federal or global actions? What about private intranets used within military installations or by military entities? Army Assistant Deputy Chief of Staff Maj. Gen. Gregory Schumacher said: “Similar to commercial infrastructures, the military’s network environment is one with many layers — beginning at the individual level and moving through the cyberpersona layer, the network layer, a physical layer, and a geographic layer. It is further complicated by the fact that a single site can be accessed by multiple users; or one individual can have multiple domains.”

2. Assess foreign policy and be the cyber-policymaker.

On the national and international front, the case for the U.S. taking the lead in terms of diplomacy and laws is made more obvious by two statistics:

• The FBI now ranks cybercrime as the third-greatest threat to U.S. national security, after nuclear war and weapons of mass destruction.

• There were 37,000 cyberattacks in the U.S. in 2007 — up 800 percent from 2005, according to a recently published estimate that cited data from the Department of Homeland Security (DHS).

According to the cybersecurity analysis report “Tracking GhostNet,” released by the SecDev Group, a Canadian think tank, capabilities of such countries as China are well-known in this area, but there are others. These represent the most serious threats to our future because they have multiple objectives, are well-financed, are staffed with the best and brightest people in their nations (many trained in the U.S.), and have the tools and research capabilities to sustain their operations over time, making them very difficult to counter. If you believe the GhostNet report that the Chinese are a particular problem and will continue to penetrate U.S. networks, we also must recognize that they are a principal creditor. The cyber czar is going to have a difficult time balancing national security interests with national financial interests and international relations on that issue.

We have already seen what an attack on the electrical grid could do to disrupt our lives, and it is not much of a stretch to imagine the havoc that a large-scale simultaneous attack on electrical distribution, water systems, flood control and financial systems would create. Cyberwarfare of this scale is probably the most asymmetric threat we face, and the Internet is the ultimate asymmetric warfare tool available today. Protecting against this problem is no simple task.

3. Focus on the protection of commercial intellectual property and commercial infrastructure.

The thought of an attack on our nation’s electrical grid certainly stirs our fears, but what about the more insidious problem of intellectual property theft? This is a more far-reaching problem, much harder to detect and defend against and, unfortunately, a much more effective strategy against the U.S. Here again, organized foreign intelligence agencies are the major problem. While cybercrooks have been known to steal soft-drink formulas and pirate music for personal gain, what about the theft of all our major technologies? Every company in the U.S. and in the world that produces anything of economic value is a target. While theft of a soft-drink formula is a clear economic problem, theft of critical aircraft or missile technology is a strategic threat. The capability to perpetrate that type of theft requires a sophistication level beyond what the simple hacker can mount. Virtually every company that has technology of interest has been cyberattacked, or will be.

To illustrate the problem, let us take a hypothetical example and investigate its possible ramifications. Jet-engine technology is a good place to start. The research that has gone into developing today’s jet engines began in 1930 with the patenting of the initial concept. Industry has been investing in the technology since that time. We can only imagine the total investment, but it has to be in the billions of dollars. If someone wanted to start a jet-engine business today from scratch, they would have to replicate that research and development, or they could just steal it and start on even par with the companies that have spent time and money developing their products. If a country thought jet-engine technology was important to its future, it could have its intelligence agencies focus on penetrating the networks of manufacturers and steal digital drawings, manufacturing process documentation, test procedures, quality-assurance procedures and any other data that would give them the formula for making jet engines.

While the theft of that amount of data is not as easy as I have implied, and jet-engine manufacturers clearly have defenses in place, sophisticated intelligence collection agencies have effective ways to penetrate these defenses. They may not be able to steal the entire “recipe,” but they most certainly can get much of it. Now imagine that a country with a reasonably broad industrial base has stolen the intellectual property associated with everything from combat boots to nuclear weapons technology and can put its manufacturers instantly into the business of competing with U.S. companies. Also imagine that its workers get paid pennies on the dollar compared with U.S. technology workers, and you can begin to appreciate the magnitude of the problem.

A collective resolve to address the problem is required. The isolated efforts of individual nations, industry groups or companies will be ineffective against 21st century intellectual property crime. A few examples illustrate the scope of this problem:

• According to the Office of the U.S. Trade Representative, intellectual property theft costs American corporations $250 billion a year.

• The costs of intellectual property theft are not solely economic. The public’s health and safety are also affected by intellectual property thieves who can make huge profits from selling cheap counterfeit versions of products that are not as effective or reliable as the legitimate products.

• U.S. Customs and Border Protection estimates that 750,000 American jobs have been lost because of counterfeiting.

• The U.S. Chamber of Commerce Global Intellectual Property Center estimates that intellectual property in the U.S. is worth as much as $5.5 trillion and accounts for about half of U.S. exports, which drives about 40 percent of U.S. economic growth. The impact of intellectual property theft on the U.S. economy is irrefutable.

• Research from the nonprofit U.S. Cyber Consequences Unit indicates that the destruction from a single wave of cyberattacks on critical infrastructure could exceed $700 billion, or the equivalent of 50 major hurricanes hitting U.S. soil at once.

4. Strengthen collaboration between government and industry to foster cyberinnovation, and then fund it.

If the nation is to prevail, information sharing between federal agencies and commercial companies as well as collaborative innovation and network protection are absolute necessities.

The two most important tools in the cyber czar’s kit for supporting and protecting technological innovation may well be the president’s ear and the power of the checkbook. The evolving Smart Grid electric-power effort illustrates just one possibility for a cyber czar to influence network security by wielding a checkbook.

The American Recovery and Reinvestment Act, for example, gives federal agencies leeway in allocating $4.5 billion for Smart Grid projects. The law also contains other funding provisions that can support smart upgrades to the electrical grid, such as $6 billion to the Energy Department to cover loans through the Innovative Technology Guarantee Program, which supports renewable energy and transmission technologies development.

Add to that the research and development funding that resides in the Defense Advanced Research Projects Agency, DHS and other government agencies, and you can see that funding for technology development is wide-reaching. What would be the cyber czar’s role here? To ensure that while a portion goes to innovation, so too must a portion go to protecting the cybersecurity of the resulting technology.

Addressing these problems encompasses setting priorities associated with technology investment, improving policy and process change, sponsoring new legislation, improving interagency cooperation (at all levels of government), negotiating international treaties and fostering a level of government and industry collaboration heretofore unseen. It will require balancing the nation’s security needs with operational and fiscal realities.

Our technology lead is critical to our future. Take it away, and we are destined to be an also-ran in the world order. The cyber czar will have the opportunity to significantly affect that outcome. It is clear that whoever takes this role will either become immortalized for his accomplishments or vilified for his failures.

STANTON SLOANE is president and CEO of SRA International and has diverse experience in private industry, international business and the military.