New study says an offense-defense strategic framework must be adopted to combat cyber threats
By Doug Page
11/11/2010
Sailors assigned to U.S. Navy Cyber Defense Operations Command monitor,
analyze, detect and respond to unauthorized activity within U.S. Navy
information systems and computer networks. (Photo by Mass Communication
Specialist 2nd Class Joshua J. Wahl)
Related Resource:
. <http://www.bepress.com/jhsem/vol7/iss1/22/> Leaving Deterrence
Behind: War-Fighting and National Cybersecurity
In 2004, the origins of a massive cyber espionage ring were traced back to a
team of Chinese government-sponsored researchers in Guangdong Province. The
hackers were able to steal information from U.S. military labs, NASA, the
World Bank and others.
In 2006, the State Department admitted it had become a victim of a cyber
attack. The hackers worked their way around the State system, breaking into
U.S. embassy computers throughout Asia, eventually penetrating some domestic
systems as well.
Also in 2006, a computer attack against the Commerce Department's Bureau of
Industry and Security network crippled the agency, forcing it to discard
hundreds of computers. The attacks were believed to originate on Chinese
servers.
In 2009, the Obama Administration released its initial effort to address
cyber-aggression, which mainly focuses attention on the organizational and
bureaucratic decision-making infrastructure necessary to achieve
cyber-security, while providing a few general guidelines about goals and
means.
It does not, however, address the more fundamental question of strategic
approach. A recent Journal of Homeland Security and Emergency Management
paper suggests that it's time to resolve the core issue of what organizing
principle should drive the nation's cyber-security policy.
"The past three U.S. administrations have struggled to develop a
comprehensive cyber-security policy," said the paper's author, University of
Cincinnati political scientist Richard Harknett. He said much of that
struggle is the result of the sheer complexity of the problem, but also
results from an unwillingness to accept the fundamental strategic context of
cyber-security.
The paper provides an analysis first of what strategic framework should not
guide national cyber-security. Harknett said the strategy of deterrence was
and remains fundamental to the nuclear environment and over the past 60
years has become the anchor of strategic thinking in the United States.
"But strategy must be tied to the fundamental conditions of a strategic
environment and the fundamentals of cyberspace undermine deterrence," he
said. "It's unsustainable."
Harknett told Homeland1 that the conditions actually require the capability
to defend vigorously and continuously and, at times, to engage offensively.
"Cyberspace is really a war-fighting environment, not a deterrence
environment," he said. "If you have strong defenses and strong
retaliatory/offensive capabilities, you might reduce incentives for attack,
what I call deterrence residuals, but the construct is being good at
defending and attacking, not relying on deterring."
The first step to get where we need to be, he said, is to simply acknowledge
the reality of cyberspace.
"Accepting that deterrence might only work in certain strategic environments
and that cyberspace is not one of them is the necessary first step to
developing a sustainable and effective national cyber-security strategy,"
Harknett said.
It appears the government is still leaning toward reaction and deterrence as
a strategy, however. In October, the departments of Defense and Homeland
Security joined forces to achieve military and civilian cyber-security.
Deputy Defense Secretary William Lynn said during an Oct. 14 Pentagon
Channel interview, "What we're doing in our defense cyber-strategy is
developing appropriate responses and defenses" for each type of cyber
attack.
