Cyber War: The Next Threat to National Security and What to Do About It (33 page)

Our cyber war agenda must include regulation that requires the Tier 1 ISPs to engage in deep-packet inspection for malware and to do so with the highest standards of privacy protection and oversight. The ISPs must be given the legal protection necessary so that they do not have to fear being sued for stopping viruses, worms, DDOS attacks, phishing, and other forms of malware. Indeed, they must be required to do so by new regulations.

In order for the Department of Homeland Security to fulfill its role in the Defensive Triad, we must create a reliable and highly qualified component, perhaps a Cyber Defense Administration. The Cyber Defense Administration should be responsible for overseeing the deep-packet inspection system that the ISPs will run. It should also be responsible for monitoring the health of the Internet in real time, take over responsibility for regulating cyber security of the power sector from the Federal Energy Regulatory Commission (FERC), and provide a focal point for law enforcement activities related to cyber crime. The Cyber Defense Administration’s most important role, however, would be to manage the defense of both the dot-gov domain and critical infrastructure during an attack.

The administration could provide the ISPs with known signatures of malware in real time, in addition to being a vehicle for the ISPs sharing what they themselves discover. The existing National Communications System, a four-decade-old office that worked on telephone availability in emergencies, and which was recently merged into the new National Cybersecurity and Communications Integration Center (NCCIC, but pronounced “
en
-kick”), could provide the ISPs with an out-of-band communications system that could pass these malware signatures. The Cyber Defense Adminis
tration could draw on the expertise of the Pentagon and intelligence agencies, but the National Security Agency must not be given the mission of protecting domestic U.S. cyber networks. As uniquely skilled as NSA’s experts are, they and their agency suffer from a public distrust exacerbated by the warrantless wiretapping ordered by Bush and Cheney.

Beyond regulating the ISPs, the other area of regulation needed is the electric power grid. The only way to secure the grid is to require encryption of commands to the devices running the system, along with authentication of the sender, and a series of completely out-of-band channels that are not connected to the companies’ intranets or the public Internet. The FERC has not required that, but it did finally issue some regulations in 2008. It has not yet started to enforce them. When it does, do not expect much. That commission completely lacks the skills and personnel needed to ensure that electric power companies disconnect their controls from any pathway that a hacker could use. The mission of auditing the electric companies’ compliance should also be given to the Cyber Defense Administration, where the expertise could be built and where the overly chummy relationship with the industry exhibited by the FERC would not get in the way of security.

The Cyber Defense Administration should also assume the cyber security responsibility for the myriad civilian federal departments and agencies, all of which are now forced to try to do cyber security on their networks. Also, consolidating in the proposed Cyber Defense Administration what is now done on cyber security by the Office of Management and Budget and the General Services Administration would increase the probability of achieving a center of excellence that could manage security on the government’s own civilian (not Defense) networks.

3. CYBER CRIME

Because cyber criminals can become rental cyber warriors, we need as the third agenda item to reduce the level of cyber criminality that is plaguing the Internet. Cyber criminals have begun to penetrate the supply chains for both computer hardware and software manufacturers to inject malicious code. Instead of just using widely available hacking tools, cyber criminals are now starting to write their own specially designed code to beat security systems, as was the case in the theft of millions of credit card numbers from T.J. Maxx in 2003. These trends point to the growing sophistication of cyber criminals, and may indicate that the criminal threat could grow to become as sophisticated as the state-level threat. That suggests we need to increase our efforts to combat cyber crime.

Today both the FBI and the Secret Service investigate cyber crime, with help from Customs (now called Immigration and Customs Enforcement, or ICE) and the Federal Trade Commission. Yet companies and citizens across the country complain that their reports of cyber crime go unanswered. The Justice Department’s ninety independent prosecutors scattered around the nation often ignore cyber crime because individual cyber thefts usually fall below the $100,000 minimum necessary for a federal case to be authorized. The U.S. attorneys are also often computer illiterate and do not want to investigate a crime where the culprit is in some other city or, worse yet, another country.

The President could assign the FBI and Secret Service agents who cover cyber crime to the proposed Cyber Defense Administration, along with attorneys to prepare cases for the Justice Department. A single national investigatory center within the Cyber Defense Administration, coordinating the work of regional teams, could develop the expertise, detect patterns, and engage in the international
liaison needed to increase the probability of arrest to the point where it might begin to be a deterrent. Today law enforcement in the U.S. does not begin to deter the world’s cyber criminals. Today cyber crime does pay. To make it stop paying, the U.S. would need to make a substantially greater investment in federal law enforcement agencies’ cyber crime capability. We will also have to do something about cyber crime sanctuaries.

In the late 1990s, international criminal cartels were laundering hundreds of billions of dollars through “banks” in a variety of mini-nations, usually island states, as well as several larger sanctuary nations. The major financial powers got together, agreed on a model law criminalizing money laundering, and told the sanctuary states to pass the law and enforce it. If they didn’t, the countries were told that the major international financial nations would all stop clearing their local currencies and halt financial transactions with their banks. I had the pleasure of conveying that message to the Prime Minister of the Bahamas, where the law was promptly passed. Money laundering did not disappear, but it got a lot harder because there were fewer reliable sanctuaries. The signatories of the Council of Europe Convention on Cyber Crime should do the same kind of thing to cyber crime sanctuaries. Together they need to tell Russia, Belarus, and the other scofflaws that they either have to start enforcing laws against cyber crime or there will be consequences. One of the consequences would be to limit and inspect all Internet traffic entering nations from the scofflaw sanctuaries. It’s worth a try.

4. CWLT

The fourth component of the agenda to address cyber war should be the equivalent of the Strategic Arms Limitation Treaty (SALT) for cyber war, a Cyber War Limitation Treaty, or CWLT (pronounced
“
see
-walt”). The U.S. should coordinate the proposal with its key allies in advance of suggesting it at the United Nations. As the name implies, it should limit cyber war, not seek some global ban on hacking or intelligence gathering. SALT and its follow-on Strategic Arms Reduction Treaty (START) not only accepted intelligence collection as an inevitability, they relied upon it and called for “noninterference” with it. Those treaties explicitly protected what they called “national technical means.”

When arms control worked well, it had begun somewhat modestly and then expanded its scope in subsequent agreements as confidence and experience had grown. CWLT should begin by doing the following in an initial agreement:

• establish a Cyber Risk Reduction Center to exchange information and provide nations with assistance;
  
• create as international-law concepts the
  obligation to assist
  and
  national cyber accountability
  , as discussed earlier;
  
• impose a ban on
  first-use
  cyber attacks against civilian infrastructure, a ban that would be lifted when (a) the two nations were in a shooting war, or (b) the defending nation had been attacked by the other nation with cyber weapons;
  
• prohibit the preparation of the battlefield in peacetime by the emplacement of trapdoors or logic bombs on civilian infrastructure, including electric power grids, railroads, and so on; and
  
• prohibit altering data or damaging networks of financial institutions at any time, including the preparation to do so by the emplacement of logic bombs.
  

Later, after experience with CWLT One, we could examine whether to expand its scope. We should begin with a no-first-use ban on cyber attacks against civilian targets, rather than an outright ban, because nations should not be disingenuous when they sign
obligations. Nations that are engaged in a shooting war or have been the victims of cyber attack will probably employ cyber weapons. Moreover, we do not want to force nations that have been the victim of cyber attack to retaliate with kinetic weapons because of a ban on cyber attacks. The proposal does not preclude initial cyber attacks on military targets. Nor does it rule out preparation of the battlefield against military targets, because proposals to do so raise complex trade-offs and would overburden CWLT One. Nonetheless, lacing each other’s military with logic bombs is destabilizing and we should say publicly that if we discover it happening to us we would consider it as a demonstration of hostile intent.

Non-state actors will be a problem for cyber arms control, but CWLT should shift the burden of stopping them to the states party to the convention. Nations would be required to rigorously monitor for hacking originating in their country and to prevent hacking activity from inside their territory. They would be required to act promptly to stop such activity when notified of it by other nations through an international Cyber Threat Reduction Center. That Center would be created by the treaty, paid for by signatories, and be staffed at all times by network and cyber security experts. The Center could also dispatch computer forensics teams to assist in investigations and to determine whether nations are actively and assiduously investigating reported violations. The treaty would include a concept of
national cyber accountability
, making it a treaty violation if a nation did not stop a threat when notified by the Center. It would also include the
obligation to assist
the Center and other signatories.

The treaty will also have to deal with the attribution problem, which is not just a matter of nations organizing their citizen hacktivists. The hacktivist problem might be addressed by the provisions in the treaty we have just discussed. Attribution is also a problem because nations route attacks through other countries and sometimes actually initiate them from another nation. The Center could
investigate claims by nations that they were not the source of an attack, and it could issue reports to allow the member states to judge if there had been a treaty violation by a particular state. If there had been a clear violation, the states party to the treaty could issue sanctions. The sanctions could range across a spectrum from, at the low end, denying visas or entry to specific individuals, to denying Internet connectivity to an ISP. At the higher end, nations could limit international Internet and telephone traffic flows for a country. The Center could put scanners on the points where traffic from the country came into other nations. Finally, of course, nations could refer the problem to the United Nations and recommend broader economic and other sanctions.

The treaty and the Center would only be concerned with cyber war. It would not become an international regulatory body for the Internet, as some have proposed. Burdening CWLT with that possibility will ensure that it is opposed by many interests in the U.S. and elsewhere. CWLT will not, by itself, stop attacks on civilian targets, but it will raise the price of trying them. The advent of CWLT as an international norm will also send a message to cyber warriors and their government masters that firing off a cyber attack is not the first thing that you do when your neighbor state has made you mad. Engaging in offensive cyber war against another country would become, after CWLT, a major step. Using it against a civilian infrastructure target would be a violation of international law. Nations that signed the CWLT might put in place good internal controls to prevent their own cyber warriors from starting something without proper authorization.

5. CYBERSPACE AT MIDDLE AGE

The fifth element of fighting cyber war is research on more secure network designs. The Internet is now forty, entering midlife, yet it has not changed much from its early days. Yes, bandwidth certainly has grown, as has wireless connectivity, and mobile devices have proliferated. But the underlying design of the Internet, which was done without any serious thought to security, is unaltered. Although many software glitches and security issues were supposed to have disappeared when Microsoft replaced its earlier buggy operating systems with Vista and now Windows 7, problems persist with all of the most ubiquitous software programs.

When I asked the head of network security for AT&T what he would do if someone made him Cyber Czar for a day, he didn’t hesitate. “Software.” Ed Amoroso sees more security issues in a day than most computer security specialists see in a year. He has written four books on the subject and teaches an engineering course on cyber security. “Software is most of the problem. We have to find a way to write software which has many fewer errors and which is more secure. That’s where the government should be funding R&D.” Hackers get in where they don’t belong, most often because they have obtained “root,” or administrator status, through a glitch they have discovered in the software. There are two research priorities created by that phenomenon. We have to do a better job of finding the errors and vulnerabilities in existing software, which is a matter of testing in various ways. But at the same time we need to find a process for writing new applications and operating systems from scratch with close to zero defects.