By Shawn Woodley – The United States faces mounting insecurity in cyberspace where foreign intelligence services, criminal organizations, and publics can penetrate and compromise critical government and corporate networks. Vulnerabilities in cyberspace have been consequential to military and privately operated systems where sensitive information has been extracted, circulated, or manipulated. Critical infrastructures, including electrical, communications, and transportation networks, are known to have serious vulnerabilities. Until a comprehensive and actionable national strategy for cyber-security is developed, the US will remain vulnerable to a host of information security challenges.
Many activities that did not exist when cyberspace was dominated by the US and its allies have emerged, exploiting the anonymity and legal ambiguities of cyberspace. The Department of Homeland Security (DHS) reported 37,000 successful intrusions into US government networks in 2007, up from 24,000 the previous year, while the Department of Defense (DOD) reports that the military’s Global Information Grid experiences more than three million daily scans for vulnerabilities. Congressional leaders have warned that intrusions have resulted in “massive amounts” of data theft and cite that China is now in a position to “delay or disrupt the deployment of America’s military forces around the world.” Researchers at DHS highlighted the vulnerability of the North American power grid in an experiment proving that a generator can be remotely sabotaged. Further, US intelligence officials report that the presence of software enabling spies to shut down the US power grid is pervasive. The Chairman of the Joint Chiefs of Staff and other senior Pentagon officials have cited cyber-security as the single greatest threat to American security and have produced a classified report detailing the depth of that threat.
Sensitive research, recently including submarine and satellite technology, has been extracted from the computer networks of government contractors and subsequently traded and sold on information black markets. Nearly half of Computer Security Institute (CSI) survey respondents reported virus activity on their networks, insider abuse, and laptop theft, all of which weaken information security at these firms. Twenty percent of CSI respondents reported that compromised computers on their networks were used as proxies remotely activated to execute simple cyber attacks against third parties. The high occurrence of compromised computers may account for many of the cyber attacks reported to originate in the US and China.
A simple low-level cyber attack has very low barriers to entry and can have an impact highly disproportionate to the actual number of attackers. Cyber attacks against Estonia and Georgia, likely perpetrated by a relatively small number of Russian organized criminals and nationalist youth groups, temporarily crippled critical infrastructures of those countries. The incidents gave rise to concerns about the preparedness of institutions like NATO in dealing with the non-attributable and legally ambiguous phenomenon. In terms of economic losses, the Organization for Security and Cooperation in Europe estimated that cyber crime costs the global economy $100 billion a year in fraud and lost business, while the FBI reported it costs $50 billion a year to the American economy alone.
The development of a national cyber defense strategy is complicated by the problem of attribution and limited strategic cohesion. Attributing the source of an attack is neither timely nor sufficiently accurate as the use of compromised computers as proxies for cyber attacks conceals the actual origin of an attack. This technical challenge would make a response policy based on retaliation or deterrence ineffective. Citing the need for a national cyber-security strategy joining elements of DOD and DHS strategies, experts have called on the Obama administration to create a White House post that would centralize strategy. Outside of government, promoting public awareness and business best practices could help to secure sensitive information on government contractor networks and lower overall economic losses.
An information-sharing arrangement between sensitive private firms and government agencies would enhance their ability to respond to sophisticated new cyber attacks. The collaboration would have to protect classified government data while accommodating business trade secrets and public image interests. Internationally, frameworks for policy formation and coordination have been developed by the UN’s International Telecommunication Union and the Organization for Economic Cooperation and Development. The Council of Europe’s Convention on Cybercrime, which begins to address the legal issues surrounding international cybercrime, has been ratified or signed by forty-four countries and has guided legislation in an additional sixteen countries. NATO has begun implementing a cyber defense policy securing its communication and information systems and has made recommendations to member states to strengthen their national networks.
Reports to the US Congress and European Parliament consistently cite the need for a cohesive, comprehensive, and practical cyber-security strategy. A multilateral response should address organized criminal and foreign state activities as well as insecure private networks and low public awareness. The US has the opportunity to lead in the conceptualization of a comprehensive national and international strategy to secure cyberspace.
Shawn Woodley is a Communications intern with the Stimson Center.