Co-authored by Dr. Stephen Bryen, Founder & CTO Ziklag Systems
The Pentagon has Plan X, a scheme to retaliate against cyber attacks. No one knows what the warfare rules are for Plan X, but the fact that the Defense Department thought it necessary to put Plan X in place tells us that the attacks on US critical infrastructure are rising to a level that threatens America's security directly.
Exactly what would trigger a counter-attack, a cyber war, can only be guessed. Would an attack on America's banking system that threatened our economy, or an attack on a nuclear power plant that could set off another Three Mile Island or Chernobyl-type incident, be enough to trigger a counter-attack from the United States? Are we entitled under the rules of war to destroy an adversary's nuclear power plants or banking system?
For the past decade the US has tolerated cyber attacks on the critical infrastructure. Government agencies have tried to help private sector companies and organizations, but that's done little to stem the assault on critical infrastructure. In fact, securing computer networks is an uphill battle.
Virtually every system used by private companies, government agencies and the military is built on commercial off-the-shelf (COTS) systems, which are mainly open systems. None of the commercial systems was built with security in mind, and trying to patch holes in a sinking ship is only a delaying action at most. There are too many gaps in the underlying computer code that can be exploited. Making matters worse, most of America's computer hardware is manufactured in China. As is becoming increasingly clear, microcode spyware is being surreptitiously built into foreign-made gear. Everything from USB flash drives and computer motherboards to mobile phones has been compromised.
There is a prevailing attitude in America, even at the highest level, that security vulnerabilities are not too big a concern. That is why some of our top officials don't hesitate to use compromised smartphones for sensitive conversations. They fail to see that it is not only a potential risk to themselves, but that spyware can migrate rapidly into sensitive and classified networks and give an adversary control over virtually all governmental and industrial transactions. Even worse, it gives the adversary the know-how to compromise or destroy any network at will.
America cannot portray itself as an innocent. The US government has taken advantage of the same vulnerabilities to spy on potential adversaries and on allies too. That is why it must be oddly embarrassing for Secretary of State John Kerry to engage his Chinese interlocutors on the idea of some sort of deal on cyber spying. The Chinese are well aware of what the US has been doing while they, of course, deny that China is spying on the United States. There is no way to reach any verifiable agreement with China on cyber security. China considers that spying is a productive activity essential to improving their military systems by stealing American defense secrets. China also thinks that if there is a conflict with the United States it will need to use cyber means against the US military and critical infrastructure. Russia also thinks this way, and Russia has never hesitated to use its cyber skills against its opponents.
This leaves the US in search of a strategy. The strategy either has to be totally passive, as it mostly is now, or proactive, as it ought to be. A proactive policy would not stand by and watch its banking system, energy or government constantly hit without responding. We need to adopt a byte for a byte approach on cyber security.
A byte for a byte approach would attack Chinese banks if U.S. banks are attacked by them, or Russian banks if the Russians are doing it, or Iranian banks if they are the ones. In the same way, if one of our aerospace or defense companies is ripped off, we need to rip off theirs, crash their computers and damage the data they have stored to build their military systems.
A byte for a byte approach is something our adversaries will readily understand. It is up to them what they want to do. If they escalate, we escalate. They know they will lose because we have far more cyber resources to draw on than they have, and we can cause them real harm if they mess with us.
Above all, instead of running off and trying to get some useless unenforceable deal with China, let's take action when they attack us. Let's put in place a byte for byte policy and, for a change, respond proactively.