Despite what you may have seen on 24 or read in Tom Clancy’s novels, the United States is well behind much of the rest of the world in developing both defensive and offensive cybersecurity capabilities, and that’s a deficit that may end up costing us dearly in the long run, according to a longtime government security expert.
Paul Kurtz, a consultant who advised George W. Bush on cybersecurity issues and was part of the transition team for Barack Obama’s administration, said in a keynote speech at the Black Hat DC 2009 event in Washington that the government not only has failed to make much progress on implementing a comprehensive defense strategy for the country’s networks, but it also has dropped the ball on developing offensive capabilities.
“The larger question is, what are the military capabilities we need to have? There’s a reluctance to have a public discourse on this, like there was with nuclear weapons,” said Kurtz. “We need to integrate cyber weapons to suppress the use of kinetic weaponry by our adversaries. We need a long-term strategic vision for the development of cyber weapons to disable our enemies’ strategic military capabilities. We haven’t had the discussions in that space. We don’t have the long-term thinking in place.”
Kurtz also stressed that any development of this kind must happen with the knowledge and consent of Congress. Secrecy on a project like this would doom it. “We can’t develop this in secret. We need the appropriate dialogue,” he said.
Time is of the essence on this project, Kurtz said. “We can’t sit back and not have the capability to defend ourselves. It’s too late. Our adversaries are already there,” he said. “It involves the academic community, government and industry. And the U.S. need not go it alone. What about NATO and some of these other organizations? We can involve them. Real thought needs to be given to this.”
Kurtz also was sharply critical of the lack of transparency and communication on cybersecurity issues during the Bush administration and said that a continuation of that black-box mentality could prove catastrophic. Communication and information sharing are vital to the response to any large-scale network incident, he said.
“We must begin by addressing the issue of attribution. We need to be able to fuse intelligence with private sector information to determine where attacks come from. We do have the capabilities in hand to trace where attacks come from,” Kurtz said. “If you link what we know in the private sector with the intelligence community, you can come out with a declaratory policy that says we will look to connect the dots and fuse information through all the capabilities we have to better understand who is attacking the networks. That’s the beginning of a deterrent policy.”
Network operators, ISPs and other key players have complained for years that virtually all of the information-sharing efforts of this kind have been one-way conversations in which they give up their information and are then stonewalled by law enforcement and government agencies when they ask for data in return. Kurtz emphasized the need for that to end.
“We have to connect the dots in cyberspace. It takes me back to meetings in the White House situation room, when we’d have guys from the CIA and FBI up on different screens and we’d have the FBI guy saying that he can’t share information because it’s law-enforcement data,” he said. “With proper oversight, this can be done. We can have a relationship in place to fuse data. We’ve been there before, but we haven’t had our act together over the last several years. Until we do, it will be hard to be more active in sharing.”