Much of the public discussion about threats in cyberspace has focused on cyber war, crime and short-term malicious activity for economic, political, or public relations gain. Too often each threat is seen as a discrete problem that is approached in a reactive manner geared to the intended targets. Instead, the problem should be viewed as a larger, interconnected issue – really, a continuum of malicious activity -- that requires a strategic and proactive approach by key government and private-sector stakeholders working together, both nationally and internationally.It is in the national security interests for an alliance between the United States and the European Union to address this problem forthwith. The current approach encourages tactical responses, with less attention being paid to some significant but less visible aspects of the longer-run challenges -- most importantly, the large-scale, systematic theft of intellectual property.
The current approach is also essentially defensive: most protective measures are being taken inside the networks and environments of the targeted organizations while the attackers are able to roam freely across the Internet, moving their command-and-control points between different locations and jurisdictions to avoid detection and attribution and exploiting the ability to take control of thousands of users’ computers and enlisting these “botnets” in their hacking operations. In other words, the balance of advantage lies with the attacker. This can only be changed favorably by a radical shift in what one might call “the rules of engagement” in his context. In both the U.S. and the EU, it is urgent to adopt a more proactive strategy that dramatically erodes the critical advantages of the attacker.
In this article, we consider the threat from a strategic perspective. One aspect of this is a focus of attention on the possibility of a devastating attack by a nation state or terrorist group with effects comparable to the attack on the World Trade Center in New York on September 11, 2001. The targeted attacks on the Georgia’s electronic infrastructure in 2008 during its war with Russia and the recent discovery of the Stuxnet worm in the industrial control systems of Iranian nuclear facilities are just two examples which illustrate this capability and intent. The threat of such attacks has reportedly led the Pentagon’s new Cyber Command to “seek authority to carry out computer network attacks around the globe to protect U.S. interests.” Recently, Deputy Secretary of Defense William Lynn recently wrote in Foreign Affairs about the significance of the threat, and the Department of Defense and Department of Homeland Securtiy announced that they had signed a Memorandum of Understanding to exchange cyber experts to increase coordination and enhance U.S. preparedness against the threat of cyber attack. White House Cybersecurity Coordinator Howard Schmidt has stated that his office is reviewing available legal authorities and remedies to ensure that they do not pose an obstacle to an effective U.S. response.
At the other end of the spectrum are the dramatic attacks aimed at political or publicity purposes and often by groups of amateur hackers. The recent use of “botnets” to mount “distributed denial of service” (DDOS) attacks on Amazon, Paypal, Visa, and other companies that had withdrawn their services from the Wikileaks organization succeeded in attracting publicity as a means of protest.
There are a number of other equally significant and strategically damaging types of threats that need to be given at least the same degree of consideration. One such area is cyber crime, where the number of groups, their sophistication and resources, and their evident success amount to an issue of strategic importance. It is not just the drain in national wealth measured in the losses incurred by banks and other organizations, but also the damage to the confidence of consumers in using online services, which in turn acts as a significant brake on economic growth and hence national prosperity. This growth in cyber crime is almost certainly linked to the fact that in cyberspace there are virtually no consequences for malicious activity. When one compares the reported frequency and magnitude of cyber crime with the number of persons caught (much less the small number convicted and jailed), it is clear that malicious actors have the upper hand. To redress the balance, more resources for investigations and prosecution are needed in nations around the world in order to provide the basis for a more effective legal construct and foundation for investigation and prosecution -- and for the ability to cooperate effectively against cross-border criminality.
Perhaps the most important, under-addressed component of the cyber threat is the targeted theft of intellectual property from major companies around the world. Dramatic public evidence of this threat occurred in December 2009 when Google was overwhelmed by attacks emanating from China: as reported four months after the fact by a New York Times article, the intruders were intent not just on harassment but were attempting (apparently successfully) to steal Google’s “crown jewels” -- specifically, “a password system that controls access by millions of users worldwide to almost all of the company’s web services, including email and business applications.” The attacks were so sophisticated that Google had to ask for help from the U.S. government, specifically the National Security Agency. In a subsequent speech at the Stratcom Cyber Symposium in May 2010, Deputy Secretary Lynn described the cyber threat targeting intellectual property as one of the “least discussed” of the four overlapping cyber threats facing the U.S. (the others being threats to military networks, the nation’s critical infrastructure and the supply chain). He referred to the exfiltration of “key parts of Google’s source code” that were part of a larger “sophisticated operation that also targeted dozens of other companies” and said that the U.S. defense industry “has similarly been targeted,” noting that “designs for key weapons systems have been stolen.”
The U.S. military cyber head, Cyber Command chief Army Gen. Keith B. Alexander earlier this year said while the Internet is a tremendous capability, it also is an enormous vulnerability. He noted that “approximately $300 billion… [of U.S.] intellectual property…is stolen over the networks per year” out of a total value of about $5 trillion. A knowledgeable European ambassador recently told one of the authors of this article that the threat to intellectual property is “very serious” and agreed that it has “national security significance” and that the U.S. and EU alliance must “take action” against the threat.
Little publicity has been given to such attacks in Europe, possibly because companies are understandably reluctant to reveal the incidence and extent of their IP losses due to likely adverse consequences from such disclosures. Baroness Pauline Neville-Jones, the UK Security Minister, recently stated that “companies are reluctant to share information on their losses because they fear exposing the attacks may damage their reputation. We need to find a way of dealing with that.”
The threat to intellectual property is less dramatic than a cyber attack on our infrastructure. But it may be the most significant cyber threat our nations face over the long term, given the span measuring the technological advantage and economic competitiveness of the U.S. and Europe. The U.S. Deputy Secretary of State, James Steinberg, recently told a meeting in Washington that companies who feel they have been victimized by attempts or actual thefts of their intellectual property should contact the Department, which can pursue complaints through the World Trade Organization (WTO). However, there does not appear to be a proactive effort by the Department or others in government to reach out to corporate America to solicit such information so there can be a coordinated effort to protect American interests. Major companies need to partner with governments to stem this threat and stay competitive in the global marketplace. The situation – and the potential remedial action -- appears to be the same in most European countries. What is needed is a U.S.-EU alliance to address this threat: in practice, this should take the form of a focused initiative led by key governmental and private-sector stakeholders that identifies strategic priorities of the problem and sets goal, objectives, and corresponding milestones in order that the effort can be resourced and its progress tracked.
The over-arching problem is that there are virtually no consequences for malicious activity in cyberspace. In the major capitals of the world we approach the problem of malicious activity like a crime problem – learn of an incident, catch and punish the criminal, warn the public, and repeat. If there is a growing frequency and impact of a particular kind of crime, the understandable reaction is to beef up the law enforcement effort, work harder to catch the bad guys, and punish them more. In this model, private companies and individuals have a role largely limited to being only a source of information about incidents. Instead, we have to analyze the problem strategically and proactively and bring together key government and private organizations. The private sector needs to be a true partner in this effort, not just largely a source of information about particular incidents.
One significant challenge in developing and implementing such a strategic approach is the current status of international cooperation. A report in 2010 by the U.S. General Accountability Office focused on cyber incident response, but its findings are equally applicable to the common challenge of the theft of intellectual property:
Although multiple [U.S.] federal agencies are parties to information-sharing or incident-response agreements with other countries, the [U.S.] federal government lacks a coherent approach toward participating in a broader international framework for responding to cyber incidents with global impact.
In responding to this ever-growing tumult of malicious cyber activity, the attention of policy makers has focused primarily on what can be termed a defensive response: hardening networks, locking down systems, enforcing rigorous processes for patching software, implementing more effective monitoring and compliance regimes. Effective cyber defence measures have a key part to play in terms of filtering out the low-level threats and increasing deterrence against the more sophisticated adversary by transforming the cost/benefit equation for the attacker. However, if we are to achieve a decisive shift in the balance of power in our favour, we need to go on to the offensive.
Melissa Hathaway, the author of the 2009 White House Cyberspace Policy Review, has spoken forcefully about the imperative to “drain the swamp” of malicious cyber activity and tilt the playing field in our favor by concerted action across the entire cyber security community: governments, corporations and the big servers. The goal would be to reduce, remove or ultimately destroy the assets of the attackers in cyber space. Clearly, one aspect of this can be effected through covert action to disrupt, degrade, or destroy their operations and is beyond the scope of this paper. There is also much scope for achieving strategic impact through overt action but, given the ease with which attackers can shift their operations from country to country, such overt counter-measures need to be concerted across national boundaries to be effective – a responsibility that falls mainly on cooperating governments.
Efforts to “drain the swamp” of malicious cyber activity, however important and helpful, will not alone address the problem of the online theft of intellectual property. The European and U.S. alliance needs to establish a public-private working group to develop and implement a comprehensive campaign to impede and block the current exfiltration of intellectual property. The key to success in this effort is close international collaboration across the full range of cyber security initiatives so that ultimately the attacker, even if not caught and punished, does not succeed in stealing a significant amount of information from any victim. It is also vital that the range of policies and activities are as closely aligned as possible and applied consistently across as many different jurisdictions as possible. The joint campaign should establish strategic priorities and goals, with corresponding milestones, resources and tracking to ensure implementation and to measure success.
A series of comprehensive threat briefings at senior level can begin this process but this needs to be followed by the establishment of ongoing and systematic sharing of threat intelligence and situational awareness between government and the key sectors of industry. Efforts to coordinate strategic actions should encompass the raising of awareness through the systematic sharing of threat intelligence and situational awareness across the international and public-private partnerships, and drive the development and implementation of active programs within nations to help companies determine if they are affected, how to disinfect, and how to manage risk effectively going forward. Government can work closely with the private sector to set voluntary benchmarks for companies to adapt to their sectors and individual ICT infrastructures to establish and implement effective ICT risk management programs. It is critical, though, that companies understand that they cannot manage their risk as an ICT island, they need to work closely with other companies and government on an ongoing base to share information and work collaboratively to adjust their defenses (people, processes, and technology) in real time. A conceptual model, “The Security Stack – a White Paper,” can be seen here.
A strategic assessment of the full range of cyber threats generates a new sense of urgency to develop an appropriate response. Whether or not we ever face a devastating cyber event, the large-scale theft of intellectual property and the often-associated activities of organized cyber crime groups are a reality now. They threaten to inflict ongoing, long- term damage to the national security and future economic prosperity of the U.S. and Europe.
Donald A. Purdy is Chief Cybersecurity Strategist for CSC based at CSC global headquarters in Falls Church, Virginia; he formerly headed the National Cyber Security Division and U.S. CERT at the Department of Homeland Security. British-based Nick Hopkinson is CSC’s Cyber Security Director (Europe-Middle East-Africa [North]): he formerly served as the Chief Information Office for GCHQ, a UK intelligence agency.