“True wisdom comes to each of us when we realize how little we understand about life, ourselves, and the world around us.” – Socrates
Over the last few months I’ve been fortunate enough to attend events like the Aspen Security Forum and an intelligence conference co-hosted by the CIA and the George Washington University’s Center for Cyber and Homeland Security. Cyber is one of my passions so I was eager to hear straight from the horse’s mouth what the heads of the various intelligence agencies had to say about it. I’ve blogged about it before but my last active duty job was as the initial Department of Defense (DoD) lead for developing the role of the intelligence community in cyber operations. I worked the issue between August 1999 and the end of 2001. Of all of my military assignments, this was the hardest but ultimately most rewarding. Since I participated in two wars and numerous crises, that is saying a lot.
The relevance to my recent attendance at various conferences and forums is that a lot of the same issues we dealt with back then are still being debated and discussed today. These include but are not limited to:
There are still no universally agreed-upon definitions of cyber war, cyber attacks, and so on among all of the world’s players, to include the lawyers. Even the definition of what is a “war” can frequently get blurred. At one point in time, human beings chucked stones at one another and that would have been considered war. As Peter Singer and Allan Friedman point out in their book, Cybersecurity and Cyberwar: What Everyone Needs to Know, the U.S. hasn’t formally declared war on another nation since 1942 when they declared it on Bulgaria. Yet since that time the U.S. has been involved in conflicts from Korea, the Cold War, Vietnam, Kosovo, Iraq, and Afghanistan to Syria.
Many take the position that to be qualified as “war” there has to be an element of violence in it. Joel Brenner, former head of counterintelligence under the Office of the Director of National Intelligence, stated: “We in the U.S. tend to think of war and peace as an on-off toggle switch—either at full-scale war or enjoying peace. The reality is different. We are now in a constant state of conflict among nations that rarely gets to open warfare…What we have to get used to is that even countries like China, with which we are certainly not at war, are in intensive conflict with us.”
One of my favorite scenes in the movie Patton is when he is visited by a British General while fighting German troops in North Africa. Patton had been complaining to the British, who were in charge of the allied air forces for that campaign, that the German air forces were causing him severe problems. The British did not believe him and had replied to his concerns with scorn and insults. The visiting British General told Patton he was exaggerating and snootily said the allied forces did have air control. At that moment he and Patton came under air attack by German aircraft. There was obviously a disconnect between the British view of the situation and Patton’s.
I had this movie scene in mind as I listened to various senior government, industry, military, and academic officials discuss various cyber issues. In spite of recent high-profile cyber attacks, there continues to be a big gap in the understanding of the nature and intensity of the cyber threat to national security between those on the front lines in industry and government and the general public. For example, each year the intelligence community puts out a threat assessment; but I do not think many are aware that since 2013, cyber has been ranked ahead of terrorism and named the number one security threat to the United States.
Understanding and bridging this gap is one of the major issues facing this nation and the rest of the world today. It is difficult to discuss issues and find solutions to problems if all sides do not understand the nature and severity of the threat. If we do not solve this problem, then the necessary policies, laws, and strategies needed to address the problem will continue to move at a slower pace than the tactics and procedures of our cyber adversaries. Much work has been done in these areas but much remains to be done. Venues like these conferences and forums play an important role in educating the public on these and other critical issues.
Critics might say that the vast majority of cyber attacks are in the criminal sphere and have nothing to do with national security. That is correct, but the military is heavily dependent on cyberspace for its daily operations, and if there is a problem, regardless of what group, individual, or nation state caused it, they along with many in business and the public could be impacted negatively.
One issue that illustrates my point is information sharing. I cite the encryption issue as exhibit number one. Speaking at the Aspen Security Forum in July, FBI Director James Comey spoke about ISIS’ tactics of using social media to recruit new members. Once they identify a potential candidate they switch to encrypted communications. As I understand it, this is one of the fallouts from the Snowden affair and the resultant allegations of abuse. People are concerned that their privacy could be violated so companies have developed a technology solution that Director Comey says “is end-to-end encrypted, so without the key at one of the two devices at the user end, you’ve no ability with a court order to intercept and look at that communication. So it’s the nature of the technology that’s stopping us.”
Addressing that same issue in Aspen, Director of National Intelligence James Clapper remarked, “I certainly understand, believe me, both sides of the issue here on (inaudible) privacy and the impacts on commercial interest versus the need for national security or law enforcement investigations. And it’s just hard for me to believe though in this country, the United States of America, you know, the heart of innovation and technical ingenuity, we somehow can’t figure out a solution to this where somehow both interests are attended to. I don’t know what that is. That’s a dilemma for us.”
There is no doubt in my mind that at some point in time there will be a solution to this problem but it may take a crisis to make it happen.
What is the threat? It is my view that the U.S. is involved in an undeclared war in cyberspace. Addressing Congress this year, James Clapper did not call it a war but he did say: “the reality is we’ve been living with a constant and expanding barrage of attacks for some time.”
During his talk at the Aspen Security Forum last month, Admiral Rogers, the Director of the National Security Agency and the Commander of US Cyber Command, stated, “I believe that during my time as the commander of United States Cyber Command, I will be directed to deploy capability from U.S. Cyber Command to defend critical U.S. infrastructure either in anticipation of or in the aftermath of a significant cyber event.”
A poll of attendees from various organizations was taken at the recent Black Hat cyber conference in Las Vegas. 64% believed they were potential targets of nation states. In his book A Fierce Domain: Conflict in Cyberspace 1986 to 2012, Jason Healey wrote: “For over 25 years, nation states and non-state groups have been using computer networks to strike, spy upon, or confound their adversaries. While many of these dust ups have been mere nuisances-more playground pranks than real battles, several incidents have become national security issues, which have placed militaries on alert and prompted warnings to heads of state, the U.S. President included.”
Privacy concerns dominated many of the discussions. The nature of the questions and follow-on discussions made me wonder if everyone was working off of the same set of definitions on what constituted privacy. To better illustrate my point, I will end with a story about my first discussion with the FBI on information sharing during my time as DoD intelligence lead. I asked their representative why they were sharing information on only about 40% of all cyber hacking incidents with the U.S. intelligence community but were sharing a lot of this same information with the media.
He told me there were two reasons for this. First, they had rules they abided by to protect their law enforcement and case-building responsibilities, and second, there were laws that prevented the intelligence community from being informed because of privacy concerns of U.S. citizens. I replied that, as far as I was concerned, I did not need to know the name or other personal information, only that an incident had taken place. I would be looking for patterns and trying to determine whether a hack or attack was an isolated incident, or part of a larger pattern of activity. Additionally, since a lot of information on these cases was shared with the media and the public, I did not see why the intelligence community could not also be notified. I only needed to know the technical details and the nature of the tactics and techniques used.
I also pointed out that while an initial investigation might suggest an incident originated within the U.S., it could really be coming from an overseas location. I also wondered if we could have a legal determination on whether an IP address was associated with a U.S. citizen. Once we both understood each other’s concerns and issues we were able to move forward and come up with solutions that abided by the law and did not violate the privacy of citizens.
I came away from these events a bit frustrated that we’re still working on the same cyber issues I faced years ago but I was certainly impressed by the efforts that are being made at every level by the military, government, private industry, and academia to address them. Guess you can say I believe solving these cyber issues is a possible dream.
The bottom line for me is that education and the building of trust between the government, private sector and the general public are the key. During his recent talk at George Washington University’s event, CIA Director John Brennan stated: “CIA began this annual conference series last year with an event at Georgetown University. We did it because, like any other part of the U.S. government, the agency and our intelligence community partners must have the trust and confidence of the citizens we serve in order to carry out our mission. Earning that trust requires that we get out and explain our work, articulate our values, and lay out our fundamental motives and objectives. And the fact is, there are many aspects of our profession beyond the clandestine sphere that lend themselves to public discourse. So in addition to providing an opportunity to engage with the people we serve, this conference provides a forum from which we can benefit from outside views and gain a better perspective on the issues we confront.”
I would take the aforementioned Socrates quote and reword it as follows: True understanding of the cyber issues comes to each of us when we realize how little we each still understand about how cyber really affects our life, ourselves, and the world around us. In other words, get your ego and pre-conceived opinions out of the way in order to have informed discussions on these issues and come up with solutions. Be open to realizing there are gaps in what you think you know and issues you don’t fully understand.
I believe that along with continued honest discussions, we can and will solve this and other cyber issues. We really don’t have a choice, do we?