Modernizing Authentication — What It Takes to Transform Secure Access
WASHINGTON -- Military officials readily admit that government information systems are subject to constant attack from hackers domestic and abroad, with some commissioned by authorities in enemy nations.
But at what point does that routine sparring become cause for escalation, to the point where the U.S. military might mount something that could fairly be considered a cyber offensive?
We're not there yet, but we may be getting close, according to panelists here at a presentation at the State of the Net conference, an annual tech policy event hosted by the Congressional Internet Caucus.https://o1.qnsr.com/log/p.gif?;n=203;c=204634421;s=15939;x=7936;f=201702151714490;u=j;z=TIMESTAMP;a=20304455;e=i"To me we're in the stage before warfare. We're in the stages of people poking around," said Jim Lewis, director of the Center for Strategic and International Studies. "I don't think we've seen a case of state versus state warfare."
But the extent to which the military should add cyber attack capabilities to its arsenal remains an unsettled question. Last year, the Pentagon announced plans to install a Cyber Command, but its implementation has been delayed in part due to questions raised by lawmakers over its ambitions for escalating offensive operations.
In the meantime, President Obama only last month tapped former Microsoft (NASDAQ: MSFT) chief security officer Howard Schmidt to serve as the administration's cybersecurity coordinator, filling a position he promised to create in May.
Wrestling to define cyber warfare
At a session later in today's conference, Schmidt said it is impossible to define cyber warfare, saying that one of his many priorities in bringing together military and civilian cybersecurity efforts would be to arrive at a practicable framework for the term.
Lewis readily admitted that war is a "squishy concept" in the cyber arena. At the same time, he remains a hawk on the subject, arguing that the military should not be constrained from launching a counter attack when a critical element of U.S. infrastructure comes under siege.
"I don't understand why the existing laws of war don't apply in cyber space," he said. "We have rules; we just need to figure out how to apply them."
But if Lewis is a hawk, then you can count Greg Nojeim, senior counsel at the Center for Democracy and Technology, as a dove by comparison. Nojeim worries about the absence of ground rules for executing cyber attacks, warning that the uncertainty over who has the authority to execute an offensive that stops somewhere short of a declaration of war -- and defies the traditional conventions of combat -- makes cyber warfare a risk not worth taking at this stage.
"The result I think is that we ought to be talking a lot more and focusing a lot more on the defensive side than on the offensive side," he said.
Nojeim in particular is concerned about a bill pending in the Senate that would give the president dramatic authority over private networks in the event of a major cyber attack, and allow the Commerce Department to gain access to cybersecurity logs in what could amount to a major breach of citizens' privacy.
But for all the talk of high-level attacks on government systems, Robert Holleyman, the president and CEO of the Business Software Alliance, offered some perspective.
"It's important that as we talk about the cyber warfare threats that we do not lose sight of the fact that the majority -- the vast majority -- of the malicious activity that's happening on the networks is not what we'd call warfare," Holleyman said.
Holleyman's group is the principal lobby representing the software industry as well as numerous hardware firms. He appealed for improved efforts on the part of the government to fund research and development projects focused on cybersecurity, and urged congressional passage of a federal data breach notification bill.
Do we need a cyber911?
Holleyman also proposed the creation of a sort of cyber 911 program through which businesses could alert government authorities when they detect an intrusion, in exchange for the promise of anonymity.
The panelists generally agreed that a more effective collaboration between the public and private sectors could aid in preventing or identifying the source of attacks, such as the recent strike against Google (NASDAQ: GOOG) that appeared to have emanated from China. But that cooperation is no easy feat, particularly when much of the high-level intelligence resides with the Department of Defense.
"One of the dilemmas here is a lot of this does occur in a classified space," Lewis said.