There was lots of good discussion last time about cyber warfare, cyber security, and U.S. policy, but what most respondents seemed to miss was the international nature of the IT business — all the outsourcing and offshoring that we were told was so great — and its implications for U.S. security.  The upshot is that any U.S. cyber warfare czar will have to effectively function as a WORLD cyber warfare czar, a fact that neither Republican nor Democratic Administrations have yet been willing to embrace, at least in public.

Forget for the moment about data incursions within the DC beltway: what happens when Pakistan takes down the Internet in India?  Here we have technologically sophisticated regional rivals who have gone to war periodically for six decades.  There will be more wars between these two. And to think that Pakistan or India is incapable of, or unlikely to take, such action against the Internet is simply naive.  The next time these two nations fight YOU KNOW there will be a cyber component to that war.

And with what effect on the U.S.?  It will go far beyond nuking customer support for nearly every bank and PC company, though that’s sure to happen.  A strategic component of any such attack would be to hobble tech services in both economies by destroying source code repositories.  And an interesting aspect of destroying such repositories — in Third World countries OR in the U.S. — is that the logical bet is to destroy them all without regard to what they contain, which for the most part negates any effort to obscure those contents.

You can have 1000 safe deposit boxes with only three holding anything of real value, but that obfuscation is meaningless if the target is ALL safe deposit boxes.

To this point cyber security conferences tend to concentrate on intelligence (probing attacks to learn about a potential enemy, gather information and map defenses) and tactical deployment (using that intelligence information to blind, disable, or defend some network resources in what’s usually perceived as an encounter lasting hours).  There is little to no regard for strategic use of cyber warfare as in the India-Pakistan example or the nuking of source code libraries.  We don’t talk about it because it is too horrific, not because it can’t happen.

The result, of course, is that any major power has to be concerned about the cyber security of all its technology partners, which over the last decade has come to include a lot of Third World nations.  Try to do a security audit of Argentina or Bangladesh and see what nightmare is unveiled.  Yet this is exactly where major international companies are deploying more and more technical resources.

The military answer of course is to isolate network traffic, as many readers have suggested.  But how do you enforce that in other countries?  And how effective is it at all against a strategic attack on essentially commercial resources?  Not very.

This is not a battle but a war and wars take a long time to prepare for and wage.  As readers have pointed out we’re not just concerned with malware and viruses but even hardware-based attacks. Who knows if that flash memory from Malaysia or that router card from Taiwan is compromised?  Who CAN know?  And if you’ve found one hardware exploit in a product does that mean you’ve found all that are there?  Hardly.

One point of view is that this makes both old tech and traditional firepower more valuable.  Analog systems, for example, are unlikely to be compromised by digital exploits. And 2000-pound bombs are a pretty darned effective response to a cyber attack IF you can clearly identify the attacker and figure out where to drop the bombs.  Both effects tend to neutralize the effect of advanced systems, making Syria a more effective opponent against Israel, AND push superpowers toward brandishing their biggest guns — nuclear weapons.

So cyber warfare is internationally destabilizing in whole new ways with the world being dramatically less safe as a result.  This works mainly to the advantage of the bad guys.

Then there’s the Code God Effect — the potential strategic impact of a single programmer with commanding skills.  That very guy or gal who typically is the creative heart of an entire company (but they never admit it) because he is the equivalent of 100 average coders can be the secret weapon in a cyber war, too.  And the distribution of such megabrains is random enough that to say one or more aren’t working right now in North Korea would be a bad bet — one that a nation like the United States would be unwise to make.

We see the Code God Effect happening right now with publicized Chinese Internet incursions and those are just amateurs: the real damage is being done by much more skillful players we have yet to even detect.

What this means for any major power is that they aren’t as powerful as they think they are and that power is even less across borders.  There isn’t a U.S. agency I know of — ANY agency — that is prepared to win such a war against a clever and determined opponent of almost any size.

If the game is U.S. versus Albania, who wins?  I don’t know.

We need new tools and new weapons.  We need to find ways of changing the battlefield to negate opponents (this is HUGE), not just shooting back.  We need leadership that understands this.  Maybe President Obama understands it, maybe not.  He hasn’t demonstrated yet that he does, at least not to me.

Let’s hope that’s just part of an incredibly clever master plan.

Yeah, right.