BreachExchange mailing list archives

Preparing for Warfare in Cyberspace


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 29 Apr 2015 18:59:33 -0600

http://www.nytimes.com/2015/04/28/opinion/preparing-for-warfare-in-cyberspace.html


The Pentagon’s new 33-page cybersecurity strategy is an important evolution
in how America proposes to address a top national security threat. It is
intended to warn adversaries — especially China, Russia, Iran and North
Korea — that the United States is prepared to retaliate, if necessary,
against cyberattacks and is developing the weapons to do so.

As The Times recently reported, Russian hackers swept up some of President
Obama’s email correspondence last year. Although the breach apparently
affected only the White House’s unclassified computers, it was more
intrusive and worrisome than publicly acknowledged and is a chilling
example of how determined adversaries can penetrate the government system.

The United States’ cybersecurity efforts have typically focused on
defending computer networks against hackers, criminals and foreign
governments. Playing defense is still important, and the Obama
administration has started to push Silicon Valley’s software companies to
join in that fight. But the focus has shifted to developing the malware and
other technologies that would give the United States offensive weapons
should circumstances require disrupting an adversary’s network.

The strategy document provides some overdue transparency about a military
program that is expected to increase to 6,200 workers in a few years and
costs billions of dollars annually. Officials apparently hope talking more
openly about America’s plans will deter adversaries who view cyberattacks
as a cheap way to gather intelligence from more destructive operations.

The cyberthreat is “increasing in severity and sophistication,” Defense
Secretary Ashton Carter said last week. Recent attacks — Russian intrusions
against the Pentagon, State Department and White House as well as North
Korea’s 2014 attack on Sony Pictures — have driven home that point. One
worry is that investing in offensive tools and planning could militarize
cyberspace and create a new front for conflict. More than a dozen other
countries are making similar investments.

The new strategy, though overly broad in some of its language, begins to
lay out the conditions under which the United States would use
cyberweapons. Detecting and fending off routine attacks on American assets,
like theft of intellectual property, would be the responsibility of private
companies, which control 90 percent of the cybernetworks. In complex cases,
the Department of Homeland Security would be responsible for detecting
attacks and helping the private sector defend against them.

The government would have a “limited and specific role” in defending
against the most serious attacks (estimated at about 2 percent of all
attacks), described as involving “loss of life, significant damage to
property, serious adverse U.S. foreign policy consequences or serious
economic impact on the United States.”

At first, the government would use network defenses, and law enforcement
agencies like the F.B.I. would respond. Then, if ordered by the president,
the military could conduct operations to counter “an imminent or ongoing
attack against the U.S. homeland or U.S. interests in cyberspace.”

It is essential that the laws of armed conflict that govern conventional
warfare, which call for proportional response and reducing harm to
civilians, are followed in any offensive cyberoperations. With so many
government agencies involved in cybersecurity — the National Security
Agency, the Department of Homeland Security, the Central Intelligence
Agency, the F.B.I. and the Pentagon — the potential for turf fights and
duplication is high.

The new strategy is the latest evidence that President Obama, having given
up on Congress, is putting together his own response to the challenge.
Since this is a global issue, still needed are international understandings
about what constitutes cyberaggression and how governments should respond.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
