Saturday, October 13, 2012

Ready Player One - By James Andrew Lewis

It was bound to happen. The Senate fumbles and the House proffers only magical solutions for cybersecurity. The task of improving cybersecurity reverts to the executive branch, but the Department of Homeland Security does not inspire confidence. So the Department of Defense (DOD) is given a larger role in protecting cyberspace -- a responsibility that Defense Secretary Leon Panetta finally claimed in an important speech he delivered Oct. 11, "Defending the Nation from Cyber Attack." Panetta may have said that the Pentagon will only play a "supporting role," but make no mistake: When it comes to cybersecurity, the center of action just shifted.

Given the feeble state of U.S. cyberdefenses, an astute antagonist could use cyberattacks to disrupt critical services and information. This is a standard military doctrine for America's likely opponents. An expanded role for the DOD makes sense when the United States is so vulnerable -- not only from sophisticated opponents but, surprisingly, from less advanced countries that may be more aggressive and less able to calculate risk.

The driver for immediate action is Iran. "Iran has also undertaken a concerted effort to use cyberspace to its advantage," Panetta said. His speech laid the dots alongside each other without connecting them, but many sources in and out of government suggest that Iran was likely responsible for the disruptive attacks on Aramco and RasGas that the secretary mentioned. Iran may also have been behind recent denial-of-service attacks against U.S. banks. Iran has discovered a new way to harass much sooner than expected, and the United States is ill-prepared to deal with it.

The specifics of Iranian involvement are murky, but there is a general consensus that Tehran was either witting or supportive of the attacks. Iran has been working to acquire cyberattack capabilities for years -- well before Stuxnet -- and those who believe that the allegations of Iranian involvement are true do not believe the recent attacks were in retaliation for that piece of malware, which disrupted Iran's centrifuges. If anything, some speculate they were a reaction to the new U.S. sanctions. A more active Iran creates a new layer of problems in cyberspace that the United States cannot wait for Congress to address. An initial problem is how to credibly signal to Iran to refrain from further attacks. Panetta's speech was an attempt to do so. There is a message for Iran that, while indirect, Tehran is unlikely to miss.

This is not "cyberdeterrence," a term that makes little sense. The United States has one of the world's most powerful cyberforces, and it did not deter Iran, nor can it deter espionage and crime. Deterrence doesn't work because the United States can't make a credible threat. Against Iran, what would it be? More sanctions? A naval blockade? An airstrike? Even if the United States made these threats, Iran would be unlikely to assess them as credible. The Iranians know U.S. cybercapabilities better perhaps than any other country, and the threat of cyber-retaliation appears not to have frightened them. What Panetta is offering is not deterrence but prevention and preemption.

Panetta laid out a number of steps to harden defenses. Investing in new technology is a traditional American solution to defense problems. The secretary's most significant remark about new technology is that "we're seeing the returns on that investment" in the form of better attribution. Anonymity will offer less protection to attackers and may make some reconsider an attack. If nothing else, better attribution offers improved targeting.

More importantly, Panetta defined an active role for the DOD in cyberdefense, something that has been under discussion since 2009. An early question asked was: if NORAD can defend U.S. airspace, why can't Cyber Command defend cyberspace? The answer is to use the National Security Agency's unparalleled signals-intelligence capabilities and relationships to intercept incoming malicious traffic and define when and where it is legal for the agency to do so. The National Security Agency (NSA), with the right authorities, could block many future attacks.


