Commentary and refutation: CSIS & Securing cyberspace for the 44th presidency

The Center for Strategic and International Studies (CSIS) recently released a report titled “Securing Cyberspace for the 44th Presidency: A report of the CSIS commission on cybersecurity for the 44th presidency”. This report is an in-depth look at policy recommendations. Realizing that this is an effort of many people, and not to denigrate the work by those people, this report unfortunately does not suggest anything revolutionary. To make matters worse, it is both factually and procedurally filled with holes that would seem egregious. Some of the issues would be honest differences in opinion, but others are simply world view issues that are woefully overstated or failing miserably.

The relative merits of the Internet are in speeding the communication cycle and distributing that communication over a large infrastructure. The CSIS report, though, is written from a hierarchical, federalized (centralized), militarized, autocratic point of view that ignores many deeper issues. A deeper problem is that this report ignores history. The cliché that those who don’t study history are doomed to repeat it is still a valid consideration. The CSIS report trots out old issues and new with equal vigor and uses little critical thought when evaluating them.

I would strongly suggest that anybody looking at the CSIS report or considering it read the report in full themselves. I have read much by several of the authors of the report, and I know and interact with a few of them, though I doubt any of them know me. As such, the CSIS report has much more credibility with the cyber security community than anything I might provide. The CSIS report can be downloaded [here]. CSIS has been around since the 1960s and has a long history of providing products to government and the military on a variety of topics.

Problems in the report with internal inconsistency start right in the preface with “Inadequate cybersecurity and loss of information has inflicted unacceptable damage to U.S. national and economic security”. This of course would seem to be a truism. However, at the end of the report it is stated, “One particular area of research involves metrics to assess the overall effectiveness of cybersecurity initiatives (p. 75).” On one hand we have a superlative-laden call to action, and on the other hand we have a discussion about our relative inadequacy in measuring the issues. Failure of security is the primary metric we use to identify the problems. Scratch that. Detected failure of security is the primary metric we use to identify problems. The CSIS report, while overstating one problem, ignores the larger problem and illuminates the inconsistencies in opinion and capability of cybersecurity.

The overall goals from the “Executive Summary” are that cybersecurity is a major national security issue, that decisions and policies must respect privacy and civil liberties, and that a comprehensive national security strategy will make us more secure (p. 1). These are similar goals to those of a variety of reports that have been generated in the past [1], [2], [3].

In the Introduction, under the section “The Hidden Battle” (p. 11), a rather pedantic discussion begins with the Enigma machine. Discussing what colloquially is known as command and control and techniques of securing those items starting with World War 2 is not surprising. There is a particular Air Force centric thought process that runs through the entire document. It is as if war and cyber crime started with the Air Force. Even discussion of cyber attack being new is horribly misguided [4], [5], [6], [7], [8], [9]. New in the annals of land war or naval warfare perhaps. An often forgotten element is that Aeronauts of the United States Civil War provided command and control with teletype and semaphore to ground troops from balloons. This was similar to the use during the French Revolution and conflicts since then. In many ways the Predator Drone is doing much the same reconnaissance function as those early aeronauts did, sans the pilot.

The report states that over the past 20 years the United States has struggled unsuccessfully to devise a strategy to counter new kinds of threats in a new kind of world (p. 12). This kind of thinking is part of a larger scope of entrenchment in cold war and vertical hierarchical thinking. We can borrow from a variety of sources the tools and techniques to counter criminal and foreign insurgent forces [10], [11], [12], [13]. The issue primarily is one of how conflict is considered. The CSIS report takes a decidedly “high intensity conflict” (HIC) view of what is primarily a “low intensity conflict” (LIC) problem. The strategies are in place to coordinate and create solutions, but they are as diverse and ephemeral as the problem space they exist within.

Part of the problem is that we do not realize the projection of power is a reflection of weakness. The CSIS report states that senior representatives from the intelligence community told them they had conclusive evidence the U.S. had lost billions of dollars in intellectual property (p. 13). Some of this issue may be due to domestic problems with how we deal with patent law, intellectual property, and the law base such as the Digital Millennium Copyright Act. Our own efforts at trying to control things like ideas, stories, music, and designs create an opportunity for criminal enterprise.

The report states, “our most dangerous opponents are the militaries and intelligence services of other nations” (p. 13). This is the same kind of HIC thinking verbalized that ignored Usama bin Laden. The decentralized, insurgent, technologically adequate adversary is capable of extreme harm. An Air Power advocate explained it best when he stated that there are myths of future conflict. We should realize that the adversary won’t look like us, we can’t downsize to success, information superiority is illusory, modern technology will make war more humane [14]. As we look at current examples of conflict in cyber space we can see a decentralized stream of attacks even if they are ideologically linked [15], [16], [17], [18]. It isn’t like we have not realized or been cautioned about the super-empowered individual for some time [19].

The CSIS report talks about the psychological aspects of an attack being as important as the actual physical damage. In this I think we can agree that disruption is at the heart of any action as much as destruction. The second and third order effects of the September 11th attacks in New York City are still reverberating through the American and world economies. There is ample evidence to suggest that attacks against basic infrastructures could be successful in degrading will and political fortitude, and that those attacks could be successful [20], [21], [22]. It is hard to disagree with the CSIS report (p. 15) when they state the United States must realize that cyber security is one of the most important challenges that we face. To that end the CSIS report recommends a comprehensive, detailed cyber security strategy for cyber space (p. 17), though they go further in suggesting the overall strategic goal is to expand the rule of law and democracy (p. 18). While I might not find that offensive, that kind of hegemonic and likely expansionist philosophy has been sorely tried over the last few years. I find platitudes to cold war thinking ill-considered when looking at a communications tool that has the deepest penetration into the infrastructure and lives of foreign nationals in the history of the world.

Though not specifically stating it as such, the CSIS report lays out a “DIME” for cyber space, DIME being an acronym for diplomacy, intelligence, military, and economy (pp. 18-19). This is an interesting balance to other sections of the document. That model is then put into a consideration of how air space controls are in place and, rather than using maritime rules, which have a deeper and more fundamental understanding, the report carries the Air theme further through the document. The question in the discussion of cyber space compacts and treaties (which are primarily about behaviors or technical standards) is whether at some point the United States would literally declare war on a non-state actor over an issue in cyber space. The report discusses issues of that nature later, but could there be a real war on something like “Pirate Bay”?

In discussing military doctrine, the old ruse “There is a national strategy but it is classified” is tossed on the table again (pp. 23-24). National strategies under consideration are fairly straightforward [3], [23], [24], [25], [26], [27]. What actually appears to be the aim of the report is to say that the Pentagon/Department of Defense has solved many of the problems and it is the civilian sector that is deeply in trouble, regardless of the evidence to the contrary [17], [28], [29]. The mitigating solution according to the report seems to be the “DIME” model in cyber space. An excellent solution, but the doctrine seems to lead towards military preeminence in the domain. Though the report is correct on pulling out proportionality as an issue, it does little to discuss what that would look like. The rules of engagement and lawfare issues are fairly substantial, and any suggestion that the military should be the lead has substantial international ramifications as well as domestic considerations [30], [31], [32], [33].

It is an old saw, easily refuted, to state that cyber warfare is so new that the concepts, lexicon, and ideas are still being developed (p. 27). As discussed earlier, the cyber aspect is fairly old. It would seem that generals likely told admirals that naval warfare would be so new nobody would understand it. Then admirals likely said something similar to the original aeronauts and pilots. When space came along I can see there being similar discussion. In the end a relatively tight concept of conflict has arisen, whether it be high intensity conflict or low intensity conflict. There is a spectrum, and the terrain and domain are less important than capabilities to operate within that domain. The following of outmoded political models, though, is deeply entrenched in the CSIS document when they suggest (p. 29) using the ICANN group as a tool for moving an agenda forward, which forgets the negative results in the past of similar efforts [34].

The report further states (p. 14) that the government is organized for industrial age decision making while there may be more efficient ways to govern. Once again there is an internal contradiction that is further exacerbated when policy suggestions and restructuring are discussed (p. 35). This is balanced by the suggestions of an information age government building a collaborative network (p. 41). Efforts to do so are stymied by hierarchical structures that impede networked structures. Control and containment are more important within governmental organizations, as even the 44th President will likely be banned from using his ever-present BlackBerry device. The incongruity of the suggestions and the reality of the environment are inchoate.

When discussing the organizing of cyber security the report lays out a federated regulatory approach for critical cyber infrastructures (p. 33), which by the very nature of the Internet is abhorrent. Federated has been tried on many occasions. Abysmal results litter the different regulatory standards from HIPAA to FISMA, and another layer of bureaucracy will fix that? These internal contradictions are compounded when CSIS suggests that the Department of Homeland Security is a young and growing agency with all of the start-up issues (p. 35) that are part of the new. So, to solve that problem a new executive branch structure should be created to take over cyber security (p. 36). Which of course would be a newer, less funded, absolute start-up group with no history to speak of. The logic of that escapes me.

Internal consistency is an issue. Discussing a final point, the CSIS report states (p. 61) “..should implement regulations that protect consumer by preventing business and other services from requiring strong government-issued or commercially issued credentials for all online activities”. To protect the consumer we should keep encryption out of the hands of consumers and not protect them with it. Though they refute that point and say that government can accelerate the adoption of encryption (p. 62). Unfortunately the military mindset of the writers is not balanced by the reality of domestic (local) law enforcement. The statement that driver’s licenses and other government-issued identification are somehow superior (p. 63) to technical controls is controversial at best and likely not based in reality. Attempts have been made to stop abuse of government-issued identification, but regardless of the cyber issues the criminal abuse of government identification is rampant.

With that I will end what I am sure will be considered a rampant attack on CSIS. Any report or writing is going to be a stake in the sand upon which elements after the writing date can be brought into the debate. Ideas can be misconstrued. There can be internal logic errors not perceived by the participants. I respect the work that the organizers of the CSIS document have put into it. There are many areas where we have agreement. I doubt that a little blogger can fire up the debate. What I can do is say that think tanks like CSIS that push subject matter experts aside and write in closed sessions what they perceive to be the policy issues of the future need to be evaluated on the merits of their argument. CSIS held only two open forums where they told the audience what they wanted or controlled the narrative. I am using the only form of one-to-many communication I have, as the ears of Congress and the President are not open to me.

A report for the federal government executive branch is going to have a decidedly heavy federal slant.

In this period of economic hardship, with the issues of cyber security that are prevalent, our government should refute hierarchical controls and centralized management as the horribly misguided tactics they are. Applying business processes of centralized control and management to government actions is misdirected and not aligned with long-term strategies of resilience and success. Instead, if cyber security is the goal, we should take a page from the domain and think like cyber citizens. Distribute security, create resilient architectures and infrastructures that are self-repairing, accept and embrace substantive redundancy, and use the terrain of the Internet as a model for the security of that domain. If the same strategies worked for land warfare, naval warfare, and air war, why would we abandon them when dealing with cyber warfare?

 

Works Cited

[1] W. H. Ware, The cyber-posture of the national information infrastructure. Santa Monica, CA: Rand, 1998.

[2] C. Wilson, “Botnets, cybercrime, and cyberterrorism: Vulnerabilities and policy issues for congress.” vol. RL32114 Congressional Research Service: Library of Congress, 2008, p. 40.

[3] C. Wilson, “Computer attack and cyberterrorism: Vulnerabilities and policy issues for congress.” vol. RL32114 Congressional Research Service The Library of Congress, 2005, p. 43.

[4] J. Becker, “Computer crime career of the future?,” in Computer Careers Magazine. vol. October, 1980.

[5] R. Kling, “Computer abuse and computer crime as organizational activities,” Computer Law Journal, vol. 2, pp. 12-24, 1980.

[6] P. Denning, D. B. Parker, S. H. Nycum, and W. H. Ware, “Computers, crime and privacy a national dilemma: Congressional testimony from the industry,” Communications of the ACM, vol. 27, pp. 312-321, August 1984.

[7] S. Levy, Hackers: Heroes of the computer revolution. New York: Penguin Putnam, 1984.

[8] D. B. Parker and S. H. Nycum, “Computer crime,” Communications of the ACM, vol. 27, pp. 313-321, 1984.

[9] P. W. Howerton, “Computer crime: A tutorial,” in ACM Annual Conference on the Range of Computing: Mid-80’s Perspective, Denver, Colorado, 1985, pp. 54-55.

[10] The U.S. Army Marine Corps counterinsurgency field manual: US Army field manual No. 3-24 Marine Corps war-fighting publication No. 3-33.5. Chicago: University of Chicago Press, 2007.

[11] Low-intensity conflict and modern technology. Maxwell Air Force Base, Alabama: Air University Press, 1986.

[12] In Athena’s camp: Preparing for conflict in the information age. Santa Monica, CA: RAND, 1997.

[13] Information operations: Warfare and the hard reality of soft power. Dulles, VA: Brasseys Inc., 2004.

[14] C. Dunlap, “21st century land warfare: Four dangerous myths,” Parameters, vol. 1997, pp. 27-37, 1997.

[15] M. Bishop, “China’s cyber warriors,” in Foreign Policy, 2006.

[16] S. Cooper, “China’s secret war,” in Popular Mechanics. vol. August, 2006.

[17] B. Drogin, “Russians seem to be hacking into Pentagon: Sensitive information taken–but nothing top secret,” in SFGate.com San Francisco, CA, 1999.

[18] B. Brenner, “Myfip’s Titan Rain connection.” vol. 2007: SearchSecurity.Com, 2005.

[19] T. L. Friedman, The Lexus and the olive tree: Understanding globalization. New York: FSG Books, 1999.

[20] D. Verton, Black Ice: The invisible threat of cyber-terrorism. New York: McGraw-Hill/Osborne, 2003.

[21] F. G. Hoffman, “Conflict in the 21st century: The rise of hybrid wars,” Arlington, VA: Potomac Institute for Policy Studies, 2007, pp. 1-72.

[22] F. Sheldon, T. Potok, A. Krings, and P. Oman, “Critical energy infrastructure survivability, inherent limitations, obstacles, and mitigation strategies,” in PowerCON 2003 – Special Theme: BLACKOUT New York, USA, 2004, pp. 1-7.

[23] “Joint publications 3-13: Information Operations,” United States Government, 2006.

[24] A. K. Cronin, “Cyber-mobilization: The new levée en masse,” Parameters, vol. 2006, pp. 77-87, 2006.

[25] R. D. Steele, “Information operations: Putting the “I” back into DIME,” Carlisle Barracks: Strategic Studies Institute, 2006, p. 75.

[26] K. B. Alexander, “Warfighting in cyberspace,” Joint Forces Quarterly, vol. 3rd Quarter, pp. 58-61, 2007.

[27] K. J. Cogan, “A view of command, control, communications, and computer architectures at the dawn of network centric warfare,” Issue Paper Center for Strategic Leadership, vol. 2-07, 2007.

[28] D. Sevastopulo, “Chinese military hacked into Pentagon.” vol. 2007 Washington DC: The Financial Times, 2007.

[29] “China denies Pentagon cyber-raid,” International Version ed. vol. 2007: BBC News, 2007.

[30] L. Gross, “The Peace of Westphalia, 1648-1948,” The American Journal of International Law, vol. 42, pp. 20-41, 1948.

[31] N. Strossen, “Cybercrime v. Cyberliberties,” International Review of Law Computers & Technology, vol. 14, pp. 11-24, 2000.

[32] D. S. Wall, “Introduction cybercrimes, cyberspeech and cyberliberties,” International Review of Law Computers & Technology, vol. 14, pp. 5-9, 2000.

[33] D. B. Hollis, “Why states need an international law for information operations,” in The war for the message: Temple University Beasley School of Law, 2007, pp. 1023-1061.

[34] E. Brophy, “The outlaw ‘Net’: Opposition to ICANN’s new Internet order,” ACM SIGCAS Computers and Society, vol. 32, 2002.

 
