Posted By LongTabSigO • [September 10, 2012]
On Sunday (9 September), the NY Times published an editorial regarding cybersecurity. The opening few sentences:
"Cybersecurity efforts in the United States have largely centered on defending computer networks against attacks by hackers, criminals and foreign governments, mainly China. Increasingly, however, the focus is on developing offensive capabilities, on figuring out how and when the United States might unleash its own malware to disrupt an adversary’s networks. That is potentially dangerous territory.
Such malware is believed to have little deterrent value against criminals who use computers to steal money from banks or spies who pilfer industrial secrets...."
The editorial is, in and of itself, fine. It gives a brief background and raises the usual concerns. However, I sense an ulterior motive: this appears to me as teeing up a rationale for the President to take action on cybersecurity via executive order in the absence of Congressionally approved legislation.
Read the whole thing here: http://www.nytimes.com/2012/09/10/opinion/a-new-kind-of-warfare.html?_r=2
Given the cacophony of threat assessments, panic, use of hyperbolic terms like "Cyber 9/11" or "Cyber Katrina", etc, there have been calls for legislation mandating cybersecurity action, both in within the Government at all level and in the private sector. Several bills before Congress were offered and failed for one reason or another. While there is a true threat, understanding it and, more importantly, directing national level solutions is a tricky thing, There have been calls for the President to act unilaterally via Executive Order. It is an option i'm sure he finds tempting, both as a practical matter as well as one of asserting executive branch power.
(a good background story is here) http://www.businessweek.com/news/2012-09-08/obama-weighs-executive-order-to-defend-against-cyber-attacks
The good sense of the US Senate in employing sloth here is important. The need to "do something now" cannot easily be undone once it is figured out what ACTUALLY should be done. In the interim, companies will either be handcuffed by rules that impose unfair constraints, or will never keep up with the real threat - rendering them useless. Better at this point to let companies figure it out as they go; in a sense: Cyber Darwinism. (NB: Although i'm loathe to prefix any word with "cyber", in this case it may be apt.)
From a different standpoint: What this editorial, and many like it, fail to deal with is that the problem is not so much from a rational actor state like China or Russia. We have protocols (diplomatic and other) that enable some sembleance of reasonableness should something untoward occur. The wild card in this are the less rational state actors (with Iran on the more than less side) to third party, non-state actors, transnational terrorist organizations and small but competent (or well-funded) fringe groups.
It's in this area where the set of laws/common practices/and rational sense are far less useful - or completely incapable of helping.
What bugs me most about much of the thinking in cybersecurity is that from a military standpoint, "offensive" and "defensive" efforts are both simultaneous and parallel. That is...where offense happens and where defense happens are not in the same place/venue/IP scheme (however you consider this).
So it should not come as a surprise that (1) there is a need to look at offensive capabilities, and (2) defensive actions must remain of paramount concern.
What continues to be lacking in this debate is the question of "national will". What is it we as a Nation will (finally) tolerate as unacceptable, and to what length will we go to assert our sovereignty. The current answers are (1) apparently, quite a lot, and (2) not very far beyond talking.