D.C.’s Complicated View of Cyberwar, Regulation, Liability


Former NSA general counsel Stewart Baker shared his insight on Washington’s perceptions of cyberwar during his keynote address at the Cyber Security Summit in Minneapolis.

MINNEAPOLIS – Lawmakers and politicians trying to equate cyberwar with a kinetic battle are misguided in putting the two on equal footing, said former National Security Agency general counsel Stewart A. Baker today in his keynote at the Cyber Security Summit.

“Cyberweapons are not like nuclear weapons and the thought that they’re better if you’re fighting a war is disconcerting because there’s no taboo in using them,” Baker said in his speech at the event here.

Baker, a partner with D.C. law firm Steptoe & Johnson, shared what he believes to be the Capitol Hill perspective on cybersecurity. He discussed a number of concerns, misconceptions and views of the legislative landscape that add up to a muddled view of cybersecurity in D.C. that lives against a complicated backdrop of competing domestic and international priorities.

The cyberwar discussion, for one, can be overwhelmed with hyperbole; the cyberwar-nuclear weapon equation is one such area. Nukes have been positioned as a deterrent in the 69 years since the end of World War II, and Baker said a concerted effort is made on some fronts in Washington to equate them with cyberweapons because the potential devastation to water, energy and communication infrastructure is similar.

Baker pointed out as an example that an attack such as Stuxnet, which put a dent in Iran’s nuclear program, exploited a weakness in the same programmable logic controllers running in power plants, refineries, water plants and other critical industries in the United States.

“An attacker could break all of that at once,” Baker said. “It would be like New Orleans after Hurricane Katrina—minus the National Guard rescues. It would be impossible to engage in civilian life. That is the vision of cyberwar.”

The lack of international oversight over the use of so-called cyberweapons such as Stuxnet and other advanced attacks has been discussed for years. There are no established rules of engagement, and the laws governing war don’t cover cyberespionage, Baker said. That, however, isn’t stopping some groups from testing fortifications. Baker pointed to the DDoS attacks on U.S. banks in late 2012 and early 2013, calling them a demonstration of an enemy’s capability against the U.S. While the attacks were largely attributed to a group protesting an anti-Muslim movie on YouTube, Baker hinted that Iran may have been behind them.

“It was a routine demonstration of their capability, and it was a way of testing the limitations of the U.S., and we took it,” Baker said, adding that if the U.S. were to use kinetic force against Iran, the attackers could do worse. “The idea that you can’t use cyberweapons in a civilian context has already been undermined by states that actually use them. The likelihood that we can establish a norm against using them in order to protect civilian populations is limited. The likelihood of that stopping an escalation is remote. We need to face up to the prospect that cyberwar, when it comes, will be ugly and will harm civilians in a dramatic fashion.”

In the meantime, a cocktail of regulation and liability may nudge the private and public sector organizations responsible for critical infrastructure, in particular, into doing the right thing. Baker said financial regulators, for one, are using the new NIST Cybersecurity Framework to press the financial services industry into adopting more aggressive defensive policies. One offshoot is that telecommunications providers could be forced to improve their own security at the insistence of financial firms, which have long wanted better detection capabilities from their communication providers.

“We’re halfway through a cycle of nudging carriers into providing full suite security capabilities,” Baker said. “The FCC chair [Tom Wheeler] said in vague terms that he expects a robust response or regulations may be forthcoming.”

Meanwhile, Congress, Baker said, has been mandating new security measures on the Department of Defense and its various contractors, frequent victims of targeted attacks from nation states. There are new rules, for example, governing the supply chain and the protection of unclassified information stored on DoD and contractor systems, as well as breach notification mandates. As for further liability, Baker said the sundry state data breach notification laws are the driver here, and many of the breaches they bring to light become the precursor to fruitless class-action suits.
