The following was excerpted from the U.S. Naval Instituteâs 2012 annual history conferenceÂ âThe History and Future Challenges of Cyber PowerâÂ at Alumni Hall on the grounds of the U.S. Naval Academy on Oct. 16.Â
The panel discussion focused on the cooperation between the public sector (the intelligence and military for the sake of this discussion) and a private sector that is often vulnerable to cyber warfare.
The segment was moderated by University of Maryland School of Public Policy Research Professor Dr. William Nolte, who reminded the audience just how much people are touched by computers and by extension potentially cyber warfare on a daily basis.
âI used to ask audiences like this, âHow many of you have used a computer today?ââ Nolte said. âAnd people caught on. The easier question is, âHow many have not used a computer today,â meaning how many of you have not driven a car, or in some cases turning on your stove? You use your iPhone certainly. And this event I think has really taken us all by storm.â
Participating in Nolteâs panel was Dr. Michael Warner, the command historian for U.S. Cyber Command of the U.S. Department of Defense. Warnerâs claimed that he is the only practicing âtrained historianâ in this field and explained his role a historian.
âFederal historians are those people who have to say to the boss, âSir, maâam — the problem is actually much harder than you realize and itâs much more complicated, too,ââ Warner said.Â âSo on that cheery note, that may be why there are so few federal historians because that is our job to bring this unwelcomed news to people.â
Warner noted some of the highlights of the militaryâs role in computer security going back to 1966. He explained that at one time it was thought to be a grand accomplishment in the 1970s that the National Security Agency had over 100 computers, which then comprised over five acres of floor space.
But as things progressed, he said that as pointed out in the 1972 declassified Anderson Report, the so-called Trojan Horse virus would be a threat to cyber security and as it turned out, it was correct years in advance.
The federal government seemed to begin taking cyber warfare seriously with the 1983 release of the movie âWar Gamesâ viewed by then-President Ronald Reagan, and inspiring a generation of hackers.
âApparently people at the time thought if they did this in their bedrooms at home, that Ally Sheedy would come over and drink Tab with them, too,â Warner said.
That he said was what led to executive action by Reagan, a so-called âHollywoodâ president. And led to where we are today, with much of that settled.
âIn short, the landscape, the paradox which we view these issues had been set for a very long time,â Warner said. âBy the time we got into arguing information warfare, information operations, computer security and cyber security in the 1990s, the paradigms had already been made, had already been set for us in the 1980s.â
Next up on the panel was Steven R. Chabinsky, the senior vice president of legal affairs and chief risk officer for the firm CrowdStrike. Chabinsky served in the Federal Bureau of Investigation as the chief of the cyber intelligence. At the FBI, he led the departmentâs efforts on terrorism, foreign intelligence, and criminal matters regarding cyber issues.â
Chabinsky gave a less-than-favorable outlook on the status quo, saying it might sound provocative but with regards to security, the current strategy leaves much to be desired.
âWe are following a failed security strategy when it comes to cyber,â he said. âAnd because it is so fundamentally failed in its inception, regardless of how much energy, effort or resources we put into it, we will not become more secure.â
Chabinsky remarked that there are playbooks in place for security and risk management, but they havenât been realized.
âIâm going to suggest to you we have not followed successful security models,â he said. âSo it comes as no surprise that every year our security falls further and further behind.â
He said there were three ways of going about tackling this issue â reduce the threat, reduce the vulnerability or reduce the consequences.
âClassically stated, the formula is risk equals threat times vulnerability, times consequences,â Chabinsky explained.
In his formula, if one of those components is zero, you zero out the formula, meaning that if you zero out the threat, then the vulnerability and consequences are no longer offer a risk, but he explained you typically canât get one of those areas to zero.
Chabinsky said this type of threat is analogous to a potential missile strike, in that New York City and Washington arenât threatened since potential threats know what consequence will come if they were to strike. And it isnât because the country is impenetrable to a strike. The same applies to this landscape, he explained.
And as he pointed out, all cyber security strategies focus on what he called vulnerability mitigation and the consequences have been secondary in mitigation efforts.
âThat model needs to reverse itself,â Chabinsky said. âThere is no way we are going to win a cyber-security effort on defense. We have to go on the offensive.â
Chabinsky went on to add an offensive tack begs the question if the private sectorâs cyber security efforts includes the right to defend property without first going to law enforcement.
âIt is universally accepted in the physical world that you have the right to defend property,â he said. âYou have the right to keep someone off your property or recover your property without going to law enforcement when necessary if proportionate.â
Next up on was William B. Nelson, the chief executive officer and president for the Financial Services Information Sharing and Analysis Center, Inc.
Nelson emphasized what the private sector was doing both on the civil action and in taking criminal action against threats. There had been some successes including Microsoft civil efforts against the so-called Rustock botnet that was behind 2 billion spam emails per day.
âWe think weâve had some success,â Nelson said noting they prefer to spin-down versus spin-up threats. âYour money is safe in your bank or credit union.â
Ruppersberger admitted that in Washington there was a partisan environment that âhas got to change,â but that it was his committee that was functioning in a bi-partisan manner under the helm of Michigan Republican Rep. Mike Rogers, the chairman and a former CIA officer.
Ruppersberger is part of the so-called âGang of 8,â which entitles him to access to intelligence matters others arenât, heightening his role as a legislator in this area.
He noted that trade secrets, compromised by outside threats, cost U.S. companies $300 billion in 2011. But what the federal government can do to help mitigate that threat is limited by law and he is attempting to change that legislatively with the Cyber Sharing Intelligence Protection Act.
âRight now federal law prohibits the intelligence community from sharing the classified cyber threat intelligence with companies.â
The aim he said was to create cooperation between tier one Internet providers like AT&T, Verizon, Comcast and Qwest.
However, despite the bi-partisan progress he said they made on the House side, the bill was threatened by the White House and eventually stalled out in the Senate. Ruppersberger said he hoped to get that effort back in order, but said it might not happen until after the upcoming election.