I spent a lot of time debating with myself if I should wade into this topic. Early in my analyst career I loved to talk about national cybersecurity issues, but I eventually realized that, as an outsider, all I was doing was expending ink and oxygen, and I wasn’t actually contributing anything. That’s why you’ve probably noticed we spend more time on this blog talking about pragmatic security issues and dispensing practical advice than waxing poetic about who should get the Presidential CISO job or dispensing advice to President Obama (who, we hate to admit, probably doesn’t read the blog). Unless or until I, or someone I know, gets “the job”, I harbor no illusions that what I write and say reaches the right ears.
But as a student of history, I’m fascinated by the transition we, of all nations, face due to our continuing reliance on the Internet to run everything from our social lives, to the global economy, to national defense. Rather than laying out my 5 Point Plan for Solving Global Cyber-Hunger and Protecting Our Children, I’m going to talk about some more generic issues that I personally find compelling.
One of the more interesting problems, and one that all nations face, is the inherent conflict between the traditional roles of those that safeguard society. Most nations rely on two institutions to protect them: the military and the police.
The military serves two roles: to protect the institution of the nation state from force, and to project power (protecting national assets, including lines of commerce, that extend outside national boundaries). Militaries are typically focused externally, even in fascist states, but do play a variable domestic role, even in the most liberal of democratic societies. Militaries are externally focused entities, who only turn internally when domestic institutions don’t have the capacity to manage situations.
The police also hold dual roles: to enforce the law, and ensure public safety. Of course the law and public safety overlap to different degrees in different political systems.
Seems simple enough, and fundamentally these institutions have existed since nearly the dawn of society. Even when it appears that the institutions are one and the same, that’s typically in name only since the skill sets involved don’t completely overlap, especially in the past few hundred years. Cops deal with crime, soldiers with war.
The Internet is blasting those barriers, and we have yet to figure out how to structure the roles and responsibilities to deal with Internet-based threats. The Internet doesn’t respect physical boundaries, and its anonymity disguises actors. The exact same attack by the exact same threat actor could be either a crime, or an act of war, depending on the perspective. One of the core problems we face in cybersecurity today is structuring the roles and responsibilities for those institutions that defend and protect us. With no easy lines, we see ongoing turf battles and uncoordinated actions.
The offensive role is still relatively well defined: it’s a responsibility of the military, should be coordinated with physical power projection capacity, and the key issue is over which specific department has responsibility. There’s a clear turf battle over offensive cyber operations here in the U.S., but that’s normal (explaining why every service branch has their own Air Force, for example). I do hope we get our *%$& together at some point, but that’s mere politics.
The defensive role is a mess. Under normal circumstances the military protects us from external threats, and law enforcement from internal threats (yes, I know there are grey areas, but roll with me here). Many/most cyberattacks are criminal acts, but that same criminal act may be a national security threat. We can usually classify a threat by action, intent, and actor. Is the intent financial gain? Odds are it’s a crime. Is the actor a nation state? Odds are it’s a national security issue. Does the action involve tanks or planes crossing a border? It’s usually war. (Terrorism is one of the grey areas: some say it’s war, others crime, and others a bit of both depending on who is involved.)
But a cyberattack? Even if it’s from China it might not be China acting. Even if it’s theft of intellectual property, it might not be a mere crime. And just who the heck is responsible for protecting us? Through all of history the military responds through use of force, but you don’t need me to point out how sticky a situation that is when we’re talking cyberspace. Law enforcement’s job is to catch the bad guys, but they aren’t really designed to protect national borders, never mind non-existent national borders. Intelligence services? It isn’t like they are any better aligned. And through all this I’m again shirking the issues of which agencies/branches/departments should have which responsibilities.
Thus we need to start thinking a little differently, and we may find that we need to develop new roles and responsibilities as we drive deeper into the information age. Cybersecurity isn’t only a national security problem or a law enforcement problem, it’s both. We need some means to protect ourselves from external attacks of different degrees at the national level, since just telling every business to follow best practices isn’t exactly working out. We need a means of projecting power that’s short of war, since playing defense only is a sure way to lose. And right now, most countries can’t figure out who should be in charge or what they should be doing. I highly suspect we’ll see new roles develop, especially in the area of counter-intelligence style activity to disrupt offensive operations ranging from taking out botnets, to disrupting cybercrime economies, to counterespionage issues relating to private business.
As I said in the beginning, this is a fascinating problem, and one I wish I was in a position to contribute towards, but Phoenix is a bit outside the Beltway, and no one will give me the President’s new Blackberry address. Even after I promised to stop sending all those LOLCatz forwards.