Podcast: Play in new window | Download

There was lots of good discussion last time about cyber warfare, cyber security, and U.S. policy, but what most respondents seemed to miss was the international nature of the IT business — all the outsourcing and offshoring that we were told was so great — and its implications for U.S. security.  The upshot is that any U.S. cyber warfare czar will have to effectively function as a WORLD cyber warfare czar, a fact that neither Republican nor Democratic Administrations have yet been willing to embrace, at least in public.

Forget for the moment about data incursions within the DC beltway, what happens when  Pakistan takes down the Internet in India?  Here we have technologically sophisticated regional rivals who have gone to war periodically for six decades.  There will be more wars between these two. And to think that Pakistan or India are incapable or unlikely to take such action against the Internet is simply naive.  The next time these two nations fight YOU KNOW there will be a cyber component to that war.

And with what effect on the U.S.?  It will go far beyond nuking customer support for nearly every bank and PC company, though that’s sure to happen.  A strategic component of any such attack would be to hobble tech services in both economies by destroying source code repositories.  And an interesting aspect of destroying such repositories — in Third World countries OR in the U.S. — is that the logical bet is to destroy them all without regard to what they contain, which for the most part negates any effort to obscure those contents.

You can have 1000 safe deposit boxes with only three holding anything of real value, but that obfuscation is meaningless if the target is ALL safety deposit boxes.

To this point cyber security conferences tend to concentrate on intelligence (probing attacks to learn about a potential enemy, gather information and map defenses) and tactical deployment (using that intelligence information to blind, disable, or defend some network resources in what’s usually perceived as an encounter lasting hours).  There is little to no regard for strategic use of cyber warfare as in the India-Pakistan example or the nuking of source code libraries.  We don’t talk about it because it is too horrific, not because it can’t happen.

The result, of course, is that any major power has to be concerned about the cyber security of all its technology partners, which over the last decade has come to include a lot of Third World nations.  Try to do a security audit of Argentina or Bangladesh and see what nightmare is unveiled.  Yet this is exactly where major international companies are deploying more and more technical resources.

The military answer of course is to isolate network traffic, as many readers have suggested.  But how do you enforce that in other countries?  And how effective is it at all against a strategic attack on essentially commercial resources?  Not very.

This is not a battle but a war and wars take a long time to prepare for and wage.  As readers have pointed out we’re not just concerned with malware and viruses but even hardware-based attacks. Who knows if that flash memory from Malaysia or that router card from Taiwan is compromised?  Who CAN know?  And if you’ve found one hardware exploit in a product does that mean you’ve found all that are there?  Hardly.

One point of view is that this makes both old tech and traditional firepower more valuable.  Analog systems, for example, are unlikely to be compromised by digital exploits. And 2000-pound bombs are a pretty darned effective response to a cyber attack IF you can clearly identify the attacker and figure out where to drop the bombs.  Both effects tend to neutralize the effect of advanced systems, making Syria a more effective opponent against Israel, AND push superpowers toward brandishing their biggest guns — nuclear weapons.

So cyber warfare is internationally destabilizing in whole new ways with the world being dramatically less safe as a result.  This works mainly to the advantage of the bad guys.

Then there’s the Code God Effect — the potential strategic impact of a single programmer with commanding skills.  That very guy or gal who typically is the creative heart of an entire company (but they never admit it) because he is the equivalent of 100 average coders can be the secret weapon in a cyber war, too.  And the distribution of such megabrains is random enough that to say one or more aren’t working right now in North Korea would be a bad bet — one that a nation like the United States would be unwise to make.

We see the Code God Effect happening right now with publicized Chinese Internet incursions and those are just amateurs: the real damage is being done by much more skillful players we have yet to even detect.

What this means for any major power is that they aren’t as powerful as they think they are and that power is even less across borders.  There isn’t a U.S. agency I know of — ANY agency — that is prepared to win such a war against a clever and determined opponent of almost any size.

If the game is U.S. versus Albania, who wins?  I don’t know.

We need new tools and new weapons.  We need to find ways of changing the battlefield to negate opponents (this is HUGE), not just shooting back.  We need leadership that understands this.  Maybe President Obama understands it, maybe not.  He hasn’t demonstrated yet that he does, at least not to me.

Let’s hope that’s just part of an incredibly clever master plan.

Yeah, right.

Podcast: Play in new window | Download

Billy Mitchell was an iconoclastic American military airman from the early 20th century.  He was a firm believer in military air power and was ordered court-martialed in 1925 by President Calvin Coolidge for criticizing his military superiors over the issue.  My kind of guy. Gary Cooper played Mitchell in a 1955 movie, by which time everyone knew he had been right all along.  My fear is that when it comes to cyber warfare there is no Billy Mitchell today in Washington.

Cyber warfare was big news last week.  President Obama said he would name a cyber warfare czar to be a single point of contact on the issue for his Administration and that person would have direct access to the President.

If only that were true, but it isn’t, and the U.S. will be endangered as a result.

Billy Mitchell’s argument was that aircraft would come to play a huge role in modern warfare, supplanting battleships at sea and artillery on the ground. Air power was so important, Mitchell argued, that there should be a single air service to develop and deploy aircraft as needed in any war.  This still hasn’t fully happened, of course, though Mitchell’s work did directly lead to the creation of the U.S. Air Force in 1947 — 22 years and one world war after his court-martial for suggesting it in the first place.

The problem with Obama’s cyber czar is that the Administration is CALLING the position a priority but not MAKING it one.  The position has in some accounts been called a “member” of the National Security Council, but the czar is also said to “report” to both the Director of National Intelligence and to the President’s Senior Economic Adviser.  Well you can’t be ON the council and also REPORT to those guys — one of whom is on the council and the other is allowed to drop in if he feels like it.

In short, this is an NSC staff job.

Obama said the czar would have “direct access” to him, but didn’t say how.  At best I think they’ll pass in the corridor.

This is no czar.  That’s literally the case, of course, because nobody has yet been hired for the job.  But it is also the case that the job will — as the NSC is organized — not have the power needed to do what must be done.  Czars are dictators; this guy can only recommend and even then he’ll be recommending to people who may not then bother to inform the President.

If the cyber warfare czar is, in fact, a czar, the first thing he or she should do is give himself a promotion, which won’t happen.

In the meantime there are competing interests at the Department of Defense, the National Security Agency, the CIA, the Department of Homeland Security, the Department of Justice, and possibly elsewhere.  Each of these agencies is building its own cyber warfare capability, each with a different agenda both stated and real.  The stated agendas are to play either cyber defense or offense.  The actual agendas are to protect departmental turf from the new cyber warfare czar, to undermine him or her.

Let’s go back to Billy Mitchell for a moment and think about how the technology of aerial warfare came to be in his era.  Most of the military services developed their own air capability as lip service to the idea while actually protecting major — and antiquated — weapon systems.  The U.S. Navy bought some planes and built some aircraft carriers, but not at the expense of battleships.  Even when naval air power came to the fore during World War II it was almost an accident, since the only surviving capital ships in the Pacific after the attack on Pearl Harbor were aircraft carriers, the battleships having for the most part been destroyed.  So the Navy had to rely on air power since that’s the only power it still had.

They weren’t smart at all, just lucky.

It is rare in U.S. military history for a technological innovation to come down on our side.  That’s because as self-designated good guys we are generally playing defense and defense doesn’t usually get the cool new toys.  It’s only in the U.S. development of nuclear weapons that we got a jump on the rest of the world — a jump that put us firmly in control for half a century (now past).

We are woefully unprepared for cyber warfare mainly because the military doesn’t want to lose funding for its other weapons — weapons that are likely to be rendered unusable or, worse still, actually used against us in a cyber attack.

Yes, it is that bad.

The best position here is to make cyber warfare a real priority, give the cyber czar some actual authority, and have him or her report to the President.  Otherwise the lessons of Billy Mitchell will have been forgotten and our first cyber war could be our last.