Cybersecurity and Cyberwar (28 page)

In the cyber world, there is justifiable concern that at least some elements of this combination are also present today. The National Academy of Sciences has reported that emerging technologies “greatly expand the range of options available to US policy makers as well as the policy makers of other nations,” which makes leaders often very itchy to take action. And yet, as the report continued, “Today's policy and legal framework for guiding and regulating the use of cyberattack is
ill-formed, undeveloped, and highly uncertain
.” Or, as James Mulvenon, president of the Cyber Conflict Studies Association, puts it: “Here's the problem—it's 1946 in cyber. So we have these potent new weapons, but we don't have all the conceptual and doctrinal thinking that supports those weapons or any kind of deterrence. Worse, it's not just the United States and Soviets that have the weapons—it's
millions and millions
of people around the world that have these weapons.”

What this means is that, akin to the Cold War, any great strategic advantages a nation is able to seize in a cyber arms race will be fleeting. The United States only had a window of four years before the Soviets were able to build their own bomb. That seemed incredibly quick at the time. By comparison, the proliferation of cyber weapons happens at Internet speed, so any window that first users had with weapons like Stuxnet has already closed.

This raises the question of whether some kind of stability like that during the Cold War will then set in. While the nuclear arms race put humanity on the precipice of disaster for almost a half century, once the two sides both had nuclear weapons, the balance of terror known as MAD took hold, and the great powers shied away from directly fighting each other. The problem is that, unlike in the Cold War, there is no simple bipolar arrangement, since, as we saw, the weapons are proliferating far more widely. Even more, there are no cyber equivalents to the clear and obvious tracing mechanism of a missile's smoky exhaust plume heading your way, since the attacks
can be networked, globalized, and of course, hidden. Nuclear explosions also present their own, rather irrefutable evidence that atomic weapons have been used, while a successful covert cyber operation could remain undetected for months or years.

Instead of trying to get MAD, the better lesson from arms races past may be that “Talk is cheap(er),” as defense analyst
Rebekka Bonner
has said. Arms races are relatively expensive. Indeed, she found that the United States alone spent almost $9 trillion on the Cold War arms race “that resulted in a net decline in national security.” While early efforts like the Baruch plan didn't work, it doesn't mean that efforts at arms control were not worthy. The whole time that nuclear weapons were building up during the Cold War, there were off-and-on attempts to build them down. These started with bold offers like the Baruch Plan and continued into everything from the Pugwash dialogues between nuclear scientists to the SALT and START arms control talks between world leaders. Not all met with success, but they were relatively costless. More importantly, they helped dampen tensions and ultimately set the table for the Cold War to end.

As we'll explore soon in
Part III
, the comparison to today highlights the glaring need for similar efforts. It is unlikely (and unverifiable) that the various players in this cyber arms race will just give up their capabilities in some new form of the Baruch Plan. But the basic choice is much like that back in the 1940s. One path is to be a “slave to fear,” solely to focus on the threats, and race to build up a capability to counter them, even if it likely won't deliver much security in the end. The other is to recognize the mutual risks that all the participants in cyberspace face from this new arms race and explore how we can be responsible stakeholders. The direction we take won't just shape this new twenty-first-century arms race, but also will shape the future of the Internet itself.

“Unlike most wars, the Cyber War will have no end, as the Internet along with the continued globalization of industries central to the development of a middle class, will create new battlefields to protect. The investment required to protect corporate America and the US Government will grow at almost exponential rates,
public and private partnerships will have to flourish, more and more existing defense companies will have to pivot, and the Merger & Acquisitions and investment opportunities will increase. If you wish to invest in the Cyber Arms Race, then this is
the conference for you
.”

This is from an invitation that we received to a conference in 2013. Where some see threats, others see opportunities. And maybe that should worry us all.

The rise of cybersecurity as an issue has gone hand in hand with a boom in the number of companies trying to make money from it. And there is a lot of money to be made. Indeed, the 2013 cybersecurity market in the United States alone was estimated to be $
65 billion
and projected to grow at a
6 percent to 9 percent
rate per year for at least the next five years. In only ten years, cybersecurity could be a $165 billion market. Other estimates already place the global scale of the cyber-industrial complex at “somewhere between
$80 billion and $150 billion
annually.”

What is notable is that this growth is happening at the same time that traditional defense budgets are going down. “In a barren global defence market the cyber security domain has provided a
rare oasis
” is how a leading defense industry magazine described the world of cybersecurity. And, like much else in cybersecurity, the boom is not just an American phenomenon. For instance, even in an environment of austerity and dramatic cuts across the UK government, the 2010 Strategic Defence and Security review recommended an increase in cybersecurity funding of $1.7 billion. As
Professor Peter Sommer
of the London School of Economics wrote, “In terms of the involvement of the big military companies, you have to realize that they are finding it extremely difficult to sell big, heavy equipment of the sort they are used to because the type of wars that we're involved in tend to be against insurgents. And so they are desperately looking for new product areas—and the obvious product area, they think, is cyber warfare.”

With these trends in play, traditional defense firms have taken three primary approaches to getting on board what they see as a cyber gravy train. Or, as we were told in the conference invitation, they are seizing the “
wealth of opportunity
” that awaits in “the migration from traditional ‘warfare' to “cyber war.”

The first strategy has been to expand their own internal cyber operations. Companies like Lockheed Martin and Boeing may be
better known for making jet fighters, but now they also run cybersecurity centers for defense ministries and other government agencies. Second, there has been a buying spree of the smaller cyber firms. Indeed, since 2010,
15 percent of all mergers
and acquisitions transactions completed by defense companies involved a cybersecurity target. Sometimes these have been military-oriented firms, while at others it has been military firms bringing in niche skills from other domains. BAE may be known for building Typhoon fighter jets and
Queen Elizabeth
class aircraft carriers, but it also paid almost $300 million in 2011 to become the proud owner of Norkom, a cyber fraud and
anti-money-laundering specialist
. Its competitor
Boeing has spent
over $1 billion buying up smaller cybersecurity firms in the last five years. Finally, there have been a series of corporate alliances. Boeing, for instance, doesn't just sell F-15 fighter jets to Japan, but also in 2012 inked a partnership with Sojitz, a leading Japanese conglomerate, in which the two megafirms agreed to help protect critical Japanese government, civil, and
commercial IT infrastructures
. As one report described, the outcome is that “Companies with cyber security relevant capabilities have seen financial worth increase almost on dot-com levels
witnessed in the late 1990s
.”

But with this growth comes some concern, especially in the role such firms seek in influencing public policy. In 2001, only four firms were lobbying Congress on cybersecurity issues. By 2012, it had risen to 1489 companies. The
Washington Post
even gave an article on the phenomenon the title “
Good News for Lobbyists
: Cyber Dollars.”

As
Ronald Deibert
, a cybersecurity expert who helped found the Information Warfare Monitor project, worries, “This not only creates a kind of feeding frenzy among defense contractors, but also propels the development of more refined techniques of monitoring, exploitation, and attack. This new cybersecurity market brings to mind Dwight Eisenhower's warnings of a looming ‘military-industrial complex.' When you have a major defense budget served by the private sector, a constituency is created that has enormous influence over policy, perceptions of threats, and strategic interests.”

This potential cyber-industrial complex now has vested interests in developing newer and better modes of both cyber defense and attack, which, of course, must go hand in hand, driving up the levels of threats and tensions in this space. Perhaps the more worrisome aspect has been the manner in which very real risks and
threats in cybersecurity have sometimes been mischaracterized. In a study called “Loving the Cyber Bomb” (a play on the old Cold War movie
Dr. Strangelove or How I Learned to Stop Worrying and Love the Bomb
), cyber experts at George Mason University found extensive evidence of threat inflation in Washington, DC, cyber discussions, most frequently by those with political or profit incentives to
hype the threats
.

As we've seen, such hype inflation ranges from the mischaracterization of unsophisticated attacks as war to full-blown falsehoods. A repeatedly cited example is the “cyber Pearl Harbor” attack carried out on the Brazilian power grid. This supposed episode was even featured in a 2009 episode of
60 Minutes
, with pundits positing that a series of power blackouts in Brazil had been caused by cyber blackmail. It turns out the blackouts were actually just non-cyber-related failures at a
single power supplier
.

The point here is not that cyberthreats are all just the work of a vast conspiracy or that “cyberwarfare is a meaningless buzzword coined by rapacious defense contractors,” as writer
Cory Doctorow
once put it. As we have explored, there are very real and very dangerous things going on in cyberspace, and, indeed, that is why we wrote this book. But these threats have to be put in their proper context and understanding. And part of that understanding requires us all to realize that there is now a lot of money to be made in the field. With that money comes the risk of bias and even hype.

The most important takeaway, then, is that we must avoid letting our fears get the better of us, or even worse, let others stoke our fears and thus drive us into making bad decisions. How we respond to this world of growing cyberthreats will shape everything from our personal privacy and the future of the Internet to the likelihood of regional crises and even global wars. So we better try to get it right. And that is what
Part III
is all about.

The proposal started out as an April Fool's joke, but many people still took it seriously.

Steve Bellovin, a computer network and security researcher, can claim to have literally written the book on firewalls, being one of the earliest researchers on how to repel what he called “
the wily hacker
.” On April 1, 2003, he issued a new proposal for an Internet-wide standard to ensure network security. Noting that the problem in cybersecurity was really just one of separating the bad traffic from good traffic, he proposed that each packet come with a new flag on it, a one-digit signifier that could be 1 or 0. “If the bit is set to 1,
the packet has evil intent
. Secure systems
SHOULD
try to defend themselves against such packets.”

Of course, the Internet's very structure has no way of enforcing “evil bit” settings, and there is no reason why an evildoer would set such a flag. That was the essence of the joke. Nonetheless, it is easy to look at all of today's problems with Internet security and wonder if there is a way to just start over.

Some argue that the threats the cyber age has brought are so “terrifying” that, as
Washington Post
columnist Robert Samuelson wrote, we should just “repeal the Internet. It is the technological marvel of the age, but it is not—as most people imagine—a symbol of progress. Just the opposite. We would be
better off without it
.”

To put it bluntly, such an idea is a nonstarter. Setting aside that a technology is not a law—it can't be “repealed” or uninvented—the notion of going back to the world right before the Internet makes as much sense as rebooting
Beverly Hills 90210
. The world has changed. We are now dependent on the Internet in everything from commerce to communications to, yes, even conflicts, while the modes and expectations of cyberspace have become woven into an entire generation's very worldview.

If we can't roll back time, others argue for something seemingly more modest, building a more secure section of cyberspace: a new region of peace and predictability set inside the supposed lawless Wild West of the Internet. This approach advocates creating trusted networks inside the Internet, which would solve the problems of anonymity and inability to limit access. The model might be applied only to the most critical infrastructure systems, such as power plants, or more the more frequent online targets, such as
consumer banks
.

A number of senior government leaders have pushed this “.secure” model. The concept has been described in different manners, but essentially argues that the current Internet and network architecture were not designed with enough security to meet today's threats, and a new part of the Internet should be created with just this in mind. General Keith Alexander, head of both the NSA and US Cyber Command, argued for a “
secure, protected zone
.” Similarly, the FBI's former Assistant Director Shawn Henry argued for a “new, highly
secure alternative Internet
.”