At the National Press Club, the SANS Institute and GovExec Magazine held a superb two-hour session that broached the controversial, ill-defined and critical issues around Cyber War. It was an excellent discussion with true experts. It would have been worth it to go beyond the time limits, as we ran out of time well before we ran out of questions.
The participants were:
- Tim Clark – Gov Exec;
- Jim Lewis – CSIS;
- Shane Harris – Washingtonian Magazine;
- Rob Knake – Council on Foreign Relations; and
- Alan Paller – SANS Institute.
What follows is not a transcript but my paraphrased review of what was covered. I give my apologies to any other discussants if I did not do their comments justice.
Tim Clark opened with remarks on the importance of the issue of cyber war and associated subjects and stated that he was using three main sources: the 2008 CSIS “Report for the 44th President;” Dick Clarke and panelist Rob Knake’s book Cyber War; and an article by DepSecDef Lynn in Foreign Affairs, “Defending a New Domain.”
(Note: Initials are used to cite comments)
Using the Buckshot Yankee breach of DoD from the Lynn article as a starting point, Clark asked: What is an act of war in cyber space?
JL: Threshold for act of war is the same! Espionage is not an act of war.
SH: Agreed. This was espionage.
Can a cyber attack ever be as bad as a kinetic attack?
RK: Book was aimed at finding/defining what would constitute cyber war. Opponents would go asymmetrical (and cyber) up front to raise the pain level to keep the United States out. Attacks on the infrastructure sectors across the board could only be done by a Nation State.
Where are the key points of vulnerability in our cyber system?
AP: Where are the points of greatest risk is a better question. Vulnerability is everywhere (due mainly to poorly written code, from a standpoint of security). The Electrical grid is the biggest problem.
Is the DoD cyber system at risk?
JL: So it is alleged.
RK: Yes, because it depends so heavily on open Internet.
For use of cyber tools in war, what are the offensive capabilities?
RK: In the attack on the Syrian nuclear facility, Israel took over the Syrian ADA system. Instead of jamming, this type of preparation had evolved into a hack. Not a big thing, just an upgrade of war Tactics, Techniques, and Procedures. In Estonia, it was different: no kinetic component; the DDoS attack allowed war-like effects without kinetic actions.
JL: (non-verbal reaction showed disagreement, but he did not make a comment)
The United States has offensive capabilities, but isn’t defense more important?
JL: “I no longer believe that.” Russians and Chinese are afraid of U.S. capabilities (a western tech company once “punished” Chinese users of pirated software by turning off all their screens). There is some degree of deterrence created by this fear. However, espionage and acts of war look a lot alike in their initial stages, and this leaves big possibilities for miscalculations and unintended consequences.
SH: There really is some degree of “MAD” effect. We are emphasizing defense/security, but…
JL: Chinese see Cyber security in the same way they see missile defense. It is not merely protective, but they believe we want it to allow us to strike others with impunity.
Is the United States more resilient?
AP: No, inconvenience still trumps security for us. We are not resilient.
Is the Electric Grid very vulnerable? Are there Logic bombs in the grid?
RK: Logic bombs are already-inserted code that is triggered remotely or timed to go off. The grid is in fact connected to the Internet, more and more every day.
AP: They say there is an air gap between their control systems and the Internet, but DHS’s control system CERT found 210 such connections in one company, and the advanced persistent threat is real.
JL: It is true that many nations have the ability to do such actions, but do not equate capabilities with intentions! He used the example of Russian strategic missiles; they have them, they are capable of hitting us, they are even aimed at us, but are they going to use them? No.
SH: It is not just Nation States but criminals too. This opens the threat of Cyber terror.
JL: Non-state actors do not have the capability, not equal to Advanced Persistent Threats. It is probably coming but not here yet.
Is attribution still impossible?
SH: No longer believe that it is completely true. Our guys probably can attribute some things pretty well.
Our Defensive Efforts, how good are they? Should we let private sector run it?
JL: Would you put the airlines in charge of our air defenses? No!
AP: We need to get to the point where we don’t just ID the problems, but you fix the problems. You can’t just tell the user to “be” more secure, but make those who manufacture hardware, software, operating systems and applications “bake security in.” Energize the vendors. We are actually beginning to make more secure stuff, but it is only beginning!
When should we get other government agencies motivated?
RK: Other organizations are under attack today. DHS is moving to help.
Albert Speer said that hitting the German Power Grid would have shortened World War II. Would hitting the power grid constitute war?
JL: If there is destruction, disruption and casualties, it is war. Cross domain.
How many attacks hit our system?
AP: Unknown because we don’t know how to define “attack.” We all get hit, but when is it an attack? Everyone gets hit, and some are substantial, many are unknown.
What is our greatest threat?
RK: Most dangerous threat is full-out war, but the most likely is “economic warfare” – using espionage to steal our IP in massive doses.
JL: The Chinese hit Google because they have so much stolen data. They needed better search engines to handle it!
How do we get the right, trained people into the fight?
SH: Don’t know, it will only happen where we get hit very seriously.
AP: It doesn’t help to develop a good system if you cannot populate it with the correct people. You need people who can actually “do” security, not just talk about it.
How about future / pending cyber legislation, will it pass?
JL: The legislators are frustrated with the pace of cyber security. Leading contender is combined bill from Reid’s office. Draft is done, but no one has seen it. It has organizational parts, acquisition reform, strengthens White House and DHS, includes foreign sanctions; it is a good bill. There is another one hidden in Defense Authorization bill which is not as good.
The session ended with thanks all around. It was a very good event.