ARLINGTON, VA–In order to address the fundamental questions surrounding the concept of cyberwar and what it might mean for both the government and the enterprise, the United States should develop a skunk works-type think tank comprising highly skilled private-sector security experts as well as operational and policy experts from the government, a former deputy Secretary of Defense said.
Franklin Kramer, who served in the Clinton administration, said Tuesday that because the concept of using computers as weapons is still so new, policy makers and security experts don’t even know which questions to ask, let alone what the correct answers are. As a result, the public and private discourse both in Washington and in other countries has been focusing on the sensational elements–cyberwar, cyber-espionage, anything with cyber as a prefix–rather than the questions of when and how such tactics might be deployed and what that would mean for the people on both sides.
“We’ve only really begun to think about this. It’s new,” Kramer said in his keynote speech at the Black Hat DC conference here. “There’s no clarity on the problems to solve or the solutions. We need to bring policymakers like me and techies like you together in a wonk-geek coalition to enlarge the problem spaces that we each work on.”
To that end, Kramer proposed the establishment of a so-called skunk works, a loosely organized group of experts in both the technological and geopolitical aspects of the problem who would collaborate on figuring out how to address the various technical and policy issues created by advent of state-sponsored cyber attacks. A big part of the problem set that this group would need to address, Kramer said, involve weaknesses in private networks and systems such as the power grid. The electrical utilities, along with systems running the financial infrastructure, for example, are considered prime targets for both state-sponsored attacks and individual attackers.
“Our man-made systems have always been fragile. We could have a power system with significant attacks against it, but the system as a whole is good enough,” he said. “Good enough is not a bad goal. If you can keep a massive attack contained to the level of a brown out, that’s good enough. We’re all counting on [the grid] and it certainly seems open to attack. Stuxnet showed the vulnerability of the grid mechanisms. It seems the offense is pretty well ahead of the defense. It’s fair to say that there’s a concern that the grid is at high risk. We don’t have the infrastructure that’s designed to defend against a massive attack by a determined adversary. “
Kramer used Stuxnet and other recent attacks such as the Aurora operation against Google and others and the ZeuS malware as examples of incidents that seem to cross the very fuzzy line separating normal online crime from state-directed or sponsored attacks. Such attacks, he said, make it quite difficult for experts to determine how to proceed with a response, both in terms of a technical response and a political one.
“The cyber domain is not easily controlled or just like everything else we’ve had. There’s an ease of entry and that means we could see non-state actors enter,” he said. “Cyber can be easily used and that might mean it’s used to easily and too quickly and contained war might not be possible. And the ease of entry and lack of defense means that we’re less likely to dominate. The U.S. has become used to dominating the battlespace. It’s uncertain whether we can in the cyber area and that changes the calculus.”
The think tank proposal that Kramer talked about is not an entirely novel one. Such partnerships between government agencies and private-sector experts or groups have been attempted any number of times in the last decade, with little to show in the way of concrete results. However, most of those efforts have been driven by agencies such as the Department of Homeland Security and tend to be highly structured.
Kramer’s plan relies on a more informal structure in which participants collaborate on various specific problems, rather than on data sharing or smiliar efforts.
“It would have the advantage of significant brain power from both the private sector and policy insights from the government,” Kramer said. “It’s too difficult to do wholly inside the government or outside of it.”