The following was excerpted from the U.S. Naval Institute’s 2012 annual history conference “The History and Future Challenges of Cyber Power” at Alumni Hall on the grounds of the U.S. Naval Academy on Oct. 16.
The panel discussion focused on the cooperation between the public sector (the intelligence and military for the sake of this discussion) and a private sector that is often vulnerable to cyber warfare.
The segment was moderated by University of Maryland School of Public Policy Research Professor Dr. William Nolte, who reminded the audience just how much people are touched by computers and by extension potentially cyber warfare on a daily basis.
“I used to ask audiences like this, ‘How many of you have used a computer today?’” Nolte said. “And people caught on. The easier question is, ‘How many have not used a computer today,’ meaning how many of you have not driven a car, or in some cases turning on your stove? You use your iPhone certainly. And this event I think has really taken us all by storm.”
Participating in Nolte’s panel was Dr. Michael Warner, the command historian for U.S. Cyber Command of the U.S. Department of Defense. Warner claimed that he is the only practicing “trained historian” in this field and explained his role as a historian.
“Federal historians are those people who have to say to the boss, ‘Sir, ma’am — the problem is actually much harder than you realize and it’s much more complicated, too,’” Warner said. “So on that cheery note, that may be why there are so few federal historians because that is our job to bring this unwelcomed news to people.”
Warner noted some of the highlights of the military’s role in computer security going back to 1966. He explained that at one time it was thought to be a grand accomplishment in the 1970s that the National Security Agency had over 100 computers, which then comprised over five acres of floor space.
But as things progressed, he said, the 1972 declassified Anderson Report pointed out that the so-called Trojan Horse virus would be a threat to cyber security, and as it turned out, the report was correct years in advance.
The federal government seemed to begin taking cyber warfare seriously with the 1983 release of the movie “War Games,” which was viewed by then-President Ronald Reagan and inspired a generation of hackers.
“Apparently people at the time thought if they did this in their bedrooms at home, that Ally Sheedy would come over and drink Tab with them, too,” Warner said.
That, he said, was what led to executive action by Reagan, a so-called “Hollywood” president, and led to where we are today, with much of that settled.
“In short, the landscape, the paradox which we view these issues had been set for a very long time,” Warner said. “By the time we got into arguing information warfare, information operations, computer security and cyber security in the 1990s, the paradigms had already been made, had already been set for us in the 1980s.”
Next up on the panel was Steven R. Chabinsky, the senior vice president of legal affairs and chief risk officer for the firm CrowdStrike. Chabinsky served in the Federal Bureau of Investigation as the chief of the cyber intelligence. At the FBI, he led the department’s efforts on terrorism, foreign intelligence, and criminal matters regarding cyber issues.
Chabinsky gave a less-than-favorable outlook on the status quo, saying it might sound provocative but with regard to security, the current strategy leaves much to be desired.
“We are following a failed security strategy when it comes to cyber,” he said. “And because it is so fundamentally failed in its inception, regardless of how much energy, effort or resources we put into it, we will not become more secure.”
Chabinsky remarked that there are playbooks in place for security and risk management, but they haven’t been realized.
“I’m going to suggest to you we have not followed successful security models,” he said. “So it comes as no surprise that every year our security falls further and further behind.”
He said there were three ways of going about tackling this issue – reduce the threat, reduce the vulnerability or reduce the consequences.
“Classically stated, the formula is risk equals threat times vulnerability, times consequences,” Chabinsky explained.
In his formula, if one of those components is zero, you zero out the formula, meaning that if you zero out the threat, then the vulnerability and consequences no longer offer a risk. But, he explained, you typically can’t get one of those areas to zero.
Chabinsky said this type of threat is analogous to a potential missile strike, in that New York City and Washington aren’t threatened since potential threats know what consequence will come if they were to strike. And it isn’t because the country is impenetrable to a strike. The same applies to this landscape, he explained.
And as he pointed out, all cyber security strategies focus on what he called vulnerability mitigation, and the consequences have been secondary in mitigation efforts.
“That model needs to reverse itself,” Chabinsky said. “There is no way we are going to win a cyber-security effort on defense. We have to go on the offensive.”
Chabinsky went on to add that an offensive tack begs the question of whether the private sector’s cyber security efforts include the right to defend property without first going to law enforcement.
“It is universally accepted in the physical world that you have the right to defend property,” he said. “You have the right to keep someone off your property or recover your property without going to law enforcement when necessary if proportionate.”
Next up was William B. Nelson, the chief executive officer and president for the Financial Services Information Sharing and Analysis Center, Inc.
Nelson emphasized what the private sector was doing both in civil action and in taking criminal action against threats. There had been some successes, including Microsoft’s civil efforts against the so-called Rustock botnet, which was behind 2 billion spam emails per day.
“We think we’ve had some success,” Nelson said, noting they prefer to spin-down versus spin-up threats. “Your money is safe in your bank or credit union.”
Ruppersberger admitted that in Washington there was a partisan environment that “has got to change,” but that it was his committee that was functioning in a bi-partisan manner under the helm of Michigan Republican Rep. Mike Rogers, the chairman and a former CIA officer.
Ruppersberger is part of the so-called “Gang of 8,” which entitles him to access to intelligence matters that others don’t have, heightening his role as a legislator in this area.
He noted that trade secrets, compromised by outside threats, cost U.S. companies $300 billion in 2011. But what the federal government can do to help mitigate that threat is limited by law, and he is attempting to change that legislatively with the Cyber Sharing Intelligence Protection Act.
“Right now federal law prohibits the intelligence community from sharing the classified cyber threat intelligence with companies.”
The aim, he said, was to create cooperation between tier one Internet providers like AT&T, Verizon, Comcast and Qwest.
However, despite the bi-partisan progress he said they made on the House side, the bill was threatened by the White House and eventually stalled out in the Senate. Ruppersberger said he hoped to get that effort back in order, but said it might not happen until after the upcoming election.