In the last few days, several news sources have reported on a recent article by the Defense Department's Deputy Under Secretary William Lynn III that revealed that in 2008 malware from an infected flash drive found its way into the U.S. Central Command computer network. This malware, which sought to spy on U.S. secret military networks, is alleged to have been developed by a foreign government. But the real story is not that such an attack occurred (indeed, Wired presents a rather cogent argument that perhaps this was not an attack by a foreign power at all). Rather the importance of the article is its description of the Pentagon's cybersecurity policy.
While many in Washington have been arguing for better forms of attribution in order to deter such attacks, Lynn says straight out that's not the issue. Cold War deterrence models of assured retaliation are unlikely to work. The speed of action and reaction in cyberspace is so fast that it is simply impossible to attribute with sufficient certainty to launch a counterattack. The rules of engagement, Lynn points out, must be "appropriate, proportional, and justified --- in each particular case."
Defense is what matters, and Lynn claims that in the last two years, under the U.S. Cyber Command, the U.S. military has streamlined responses to attacks, while NSA has sharpened its intrusion detection efforts and the Pentagon has enhanced its ability to search for "lurkers" within DoD networks. All good (if it works), and none of it a surprise. But the next issue Lynn raises is.
The Defense Department's Deputy Under Secretary says that the threat to U.S. intellectual property --- the inventions, processes, and business plans of U.S. industry --- "may be the most significant cyberthreat that the United States will face over the long term." Lynn's absolutely right, and he's pointing to a really hard problem.
The U.S. Department of Defense employs half a million people, and it hasn't been able to secure its systems. It may be appropriate for defense contractors to adopt some of the same cyberdefenses as the U.S. military, but extending government military defenses to other companies beyond the .gov realm is not (nor is that solution suggested by Lynn). So how will a Cisco, Apple, or Genentech --- to pick three powerhouses of U.S. industry --- with sixty-four thousand, sixteen thousand, and eleven thousand employees respectively --- do it?
Solving this cybersecurity question is the 64 billion dollar question. How much of the intrusion detection and intrusion prevention systems designed by the U.S. government is appropriate for use by U.S. industry? Who should be controlling the systems? Should the technology be shared with multinational corporations? Openness is an issue. Companies want your "visit" to them to be easy, but visiting is different from intruding. What is the right balance between an open website and requiring credentials (asking web visitors to register cuts initial inquiries in half)? When security solutions fail, who is at fault, and how should liability be handled?
We'll need changes in technology --- over the last two decades we giddily interconnected without building in security from the start. We'll also need new policy and legal regimes. Protecting U.S. industry is the primary cybersecurity issue. Good for Lynn for saying so.