Sunday, May 31, 2015

America's Passive-Aggressive Cyber Stance

James D. McFarlin

In the years since WWII, America has protected its national interests and supported its allies through projecting power across the globe in the four domains of land, sea, air and space.

But in today's newer, fifth domain of cyberspace, America projects a confusing passive-aggressive posture that neither deters its aggressors nor comforts its allies.

The picture of the U.S. proactive cyber intelligence posture has been stripped and hung out in full disclosure via the National Security Agency documents misappropriated by Edward Snowden, currently encamped and employed in Russia. In terms of setting the U.S. on its heels in cyberspace, President Vladimir Putin could not have created a more savory scenario had he designed it himself. Or perhaps he did.

Snowden's headline-grabbing depiction of America's cyber information-gathering activities was a gift to Islamic terrorist regimes of monumental proportions. New communications codes and channels were set. Revised methods for avoiding U.S. intelligence surveillance were put into effect. All flashed into immediate use, most likely via U.S. social media tools such as Instagram and Twitter.

News of U.S. intelligence actions enraged some of America's European allies, in particular those who felt they were on the receiving end of espionage activities best designed for use against potential assailants. Additionally, U.S. tech firms rushed to distance themselves from involvement, seeking to protect their own global business interests.

However, in protecting its own interests, the level of U.S. inaction is a paradox. 

Each year, hundreds of billions of dollars of intellectual property, including advanced weapons systems plans, are stolen by China's cyber military groups. In 2014, nearly 525 million personal and financial records were stolen from U.S. institutions by Russian and other cyber crime syndicates. More than 80 million personal records were appropriated from Anthem Health alone.

The latest heist? From the files of the Internal Revenue Service. This theft is in spite of the fact that the IRS has been warned for years about its lax and ineffective cyber security procedures. The IRS response? Those American citizens who had their tax records stolen were offered a free year of credit monitoring, so they could be informed - after the fact - when their identities were used to establish lines of credit, obtain loans, or perhaps open credit and debit card accounts.

The U.S. inexplicably allows attacks on American corporate, military and government networks to occur without retribution. Further, this posture is not expected to change. In a presentation at Stanford University in April on the Department of Defense 2015 National Cyber Strategy, defense secretary Ashton Carter informed private enterprise that as far as cyber security is concerned, "You are on their own."

This lack of commitment to cyber defense is poised to take a further fall. On June 1, the provisions of the post-9/11 Patriot Act setting up the monitoring of telephone call metadata for tracking terrorist activity are expiring. These protections do not appear to have the support in Congress or the White House for renewal.

The lapse of these measures places America's intelligence agencies in the defensive position of relying on third party telephone companies and a panel of judges to provide information on potential threats against the United States. According to national security experts, such limitations seriously degrade U.S. national defense capabilities.

Where can this path lead? Although the security of the post-WW II world has vanished from current view, our future may already be written.

Following 9/11, U.S. intelligence agencies were widely faulted for not collecting the proper information, "not connecting the dots," to prevent the attacks. Thomas Kean and Lee Hamilton, co-chairs of the 9/11 Commission, published an update to their original report, fittingly, on September 11, 2014. They stated the following:

       "One lesson from 9/11 is that we didn't awaken to the gravity of the 
        terrorist threat until it was too late. We must not repeat that mistake 
        in the cyber realm."

How short must our memories be?

Monday, May 4, 2015

EMP and Cyber: Twin Threats but Not Twin Risks

It has been an enlightening but disturbing two weeks on the subject of threats posed by electromagnetic-pulse (EMP) and cyber attacks to America's critical national infrastructure.

In the case of cyber, Defense secretary Ash Carter's April 22nd release of the "DOD CYBER STRATEGY" for 2015 outlines the DoD priorities and responsibilities to the American homeland in the case of cyber conflict.

The stated strategy makes clear that the DoD's primary duty is to defend its own networks, with the objective of keeping its communications necessary for warfare operations intact.

Protection of critical U.S. infrastructure, ninety percent of which is operated by the private sector, receives secondary importance and little detail in the report, which states: "The majority of [private sector] intrusions can be stopped through cybersecurity investments that companies can and must make themselves."

In other words, in case of a crippling national cyber attack, the private sector must plan on fending for itself.

The threats posed by an EMP attack were well chronicled in a Wall Street Journal opinion piece on May 1st by Amb. Henry Cooper, former director of the Strategic Defense Initiative, and Peter Pry, executive director of the EMP Task Force on National and Homeland Security.

The article describes that "An EMP attack, most likely from the detonation of a nuclear weapon in space, would destroy unprotected military and private sector electronics nationwide, blacking out the electric grid for months or years."

The authors point out that such an event would cause widespread death from hunger, disease and social disruption that by some estimates could reach ninety percent of the U.S. population.

Society would crash to a halt. No highways filled with speeding automobiles; no jet trails arching across the morning sky; no brightly-lit skyscrapers, just dark, towering hulks of glass and steel.

In examining this threat, it is important to keep in mind that desire does not equal capability. North Korea or Iran, for example, may have the desire to inflict widespread damage to the U.S., but neither reportedly holds the missile or miniaturized nuclear weapons capability to conduct such an attack.

Nor does capability equal action. U.S. satellites would know the source of any nuclear-caused EMP attack on the United States. Retribution would be expected to be harsh and immediate, likely critically injuring or destroying the assailant.

In contrast, cyber attacks present a different and arguably even more dangerous level of risk.

Due to inherent attribution difficulties, 'false flag' attack capabilities, increasingly-procurable cyber weapons and an inherently larger universe of potential assailants, mounting a counterattack on the true offending party can be a tricky and imprecise exercise. Counterattacking the wrong party would only amplify and worsen an already dangerous global conflict.

EMP and cyber threats are potentially so damaging that both should be treated with the utmost urgency. But it could be argued that cyber threats present the greatest immediate risk.

Looking ahead, one can hope that a cyber-era deterrent like that between the U.S. and Russia during the Cold War will help avoid the consequences of either threat.