Cyberwar is no longer an urban legend. From Estonia to Georgia to Israel, cyberwar has become a regular part of geopolitical struggles around the globe, and it promises to become a growing factor in future international conflicts.
Even skeptics have to admit that the economics behind cyber warfare are compelling. It’s inexpensive to mount a cyberwar. In comparison to traditional warfare, cyberwars are a bargain. You don’t need to fund and deploy specialized troops with expensive technology and weapons. You don’t need to worry about recruiting soldiers and keeping your supply lines open. All you need to disrupt your enemy’s communications and possibly its economy using a few people with specialized skills and Internet connections. In fact, you don’t even need to own all the assets deployed in a cyberwar.
You can recruit cyberwar soldiers among your citizens and allies and leverage their resources and skills, or you can recruit assets without their knowledge and leverage those “borrowed” resources in a botnet. With these techniques, you can amass the equivalent of supercomputer power, arm it with attack software, and point it at the weakest parts of your enemy’s infrastructure. Even a third world country, with access to the right intelligence and sophisticated specialists, can mount a campaign designed to deliver damage ranging anywhere from irritation to devastation.
Cyberwars so far have mostly delivered irritation, but in Estonia, we saw disruption with a serious economic impact. If the trajectory of cyber-warfare follows the evolution of cybercrime, then cyberwar attacks will quickly become more targeted, more sophisticated and more difficult to detect and defend against.
This is particularly worrying for the U.S., because the potential exists for far greater harm since both public and private sectors have become completely dependent on the Internet for daily business.
The immediate question we need to answer is: how can we win a cyberwar?
In traditional warfare, success often depends on early warning systems that signal the direction of an enemy attack. These systems focus on changes in patterns such as troop massing and communications changes. Winning cyberwars will require the equivalent of an early warning system that can detect these changes in patterns quickly and efficiently as well as the creation and implementation of strategies for success in a cyberwar.
At present, the U.S. government does not seem to possess a system with the sophistication to detect the early signs of a cyber attack. And, protection of critical assets once an attack is underway is even more problematic. To protect our cyber assets, the government needs to be able to know exactly where critical assets are located on the network. And while this seems like a simple matter, it is often a challenge for even the most sophisticated technology companies.
This scenario is made even more complex because many of our critical assets are the backbone of the Internet itself, and the majority of Internet infrastructure is in the hands of the private sector. This distribution of assets makes the Internet more resilient, but it also makes it a challenge to defend. A program that would create an early warning system for U.S. Internet assets would require a deep partnership between the public and private sectors, and any kind of security cooperation on this scale has yet to be achieved.
Finally, any successful war is fought under the command of a general who makes critical decisions on how and where to engage. In traditional combat situations, these decisions come from a command and control headquarters and are based on combat drills where responses are so practiced they become automatic even under combat stress. While the government has made strides recently by announcing a new military cyber command, and the Obama administration has announced a new cyberwar coordinator, we don’t yet have the equivalent of a cyberwar general who has the power to mobilize defenses against any attack. And even if we did, who would he or she call to protect assets that are in the hands of the private sector? And would the private sector, whose success has been determined by innovation and invention, be willing to take orders from the public sector when it is widely perceived to be far behind in the area of cyber security?
The reality of cyberwar leaves the US more vulnerable than we have ever been. Unless we work together to find a way to solve this looming problem, our critical business and government infrastructure will remain vulnerable.
It is encouraging that the new administration in Washington is giving cyber-security a high priority. Recent initiatives, such as Rockefeller-Snowe, acknowledge the scale of the problem, but propose sweeping changes industry leaders and privacy advocates will find it difficult to swallow. For now, the government would be best served by taking small steps toward regulation and working with private industry to create collective solutions.
* Abe Kleinfeld is President and CEO of nCircle, a security and compliance auditing solutions provider to Facebook, Safeway and others, and a 30-year veteran of the high tech industry.