Yesterday, the Hudson Institute hosted a discussion between Harold Furchtgott-Roth and Gen. James Cartwright (USMC, ret.) entitled “Recent Developments in Cyber Warfare.” Cartwright served as Commander, U.S. Strategic Command, and later as Vice Chairman of the Joint Chiefs of Staff. He is currently the Harold Brown Chair in Defense Studies at the Center for Strategic and International Studies (CSIS).
Cartwright began his discussion by noting that the underlying assumptions about how the Department of Defense (DOD) views cyber and has organized itself in that respect are not well understood, and that he wanted to rectify some of those misconceptions.
He observed that warfare has morphed tremendously over the last ten years. Unlike previous societal transitions in which the basis of law, property, has been maintained, the same cannot be said for our continuing expansion into the Information Age. Property in the Information Age, according to Cartwright, is a difficult construct to work with.
He then provided an analogy to the current IED conflict in Afghanistan, noting that in that area as well as in cyber, competitive advantage doesn’t last long. A new IED development, the response to that development, and the subsequent response to that countermeasure, all takes place within a 30-day cycle. In cyber, the cycle is likely much shorter, and requires greater resources just to keep up.
Cartwright next discussed the government’s approach to cyber, noting that cyber had to be treated in such a way that people would be able to use it – unlike what occurred with our space capabilities, which were isolated, and subject to heavy security and very little sharing. There is also a strong need to make cyber a part of the existing training regimen so it can be more fully utilized by the warfighters.
The National Security Agency (NSA) was a good place to align our cyber efforts, Cartwright said, because that agency houses the best mathematicians, high power computing, and cryptologists, and those are the fundamental components of the Internet. There was also intent to treat cyber as any other capability – as part of a broad package of tools, since standalone capabilities are too easy to defeat. Integration is key.
Cartwright also said that there was a legal obligation to form service components for cyber elements, so those elements could conduct R&D and acquisition, as well as personnel training. US Cyber Command itself is a sub-level command under US Strategic Command, and the different services have “service elements” under the umbrella of Cyber Command (Army Cyber Command, 24th Air Force / Air Force Cyber Command, Navy’s Fleet Cyber Command, and the Marine Corps Forces Cyber Command). Cyber Command mixes elements of intelligence and defense, and the challenge is to achieve a balance as those missions entail different requirements.
Inside the US, the responsibility for cybersecurity lies with the Department of Homeland Security (DHS), with some exceptions related to military bases and routes for debarkation. Included in those exceptions would be landing points for cyber communications, which for military communications are routed through “cleansing stations” before being sent to their destination.
Cartwright raised some important questions he said need to be addressed at the national level: 1) who should control the ‘cyber border’ and 2) should there be an inspection regime for incoming traffic. The difficulty in answering these questions, he noted, was the differing views of the threat environment on the part of government, the private sector, and individuals.
The federal government wants the nation secure and operates with that mindset. The private sector is constantly under barrage from threats and likewise wants to remain secure, but there are reasons that this is difficult to achieve (high cost and potential for loss of trust with consumers). Finally, the individual citizen does not often see the full threat picture, and thus has a view that differs from the previous two. He suggested a balanced approach is needed to satisfy these divergent perspectives, in light of privacy issues and other concerns.
Offshore responsibility lies with the DOD, and consists of both active and passive defenses. He described much of the current system as operating from a “point defense construct” – through the use of patches, virus updates, etc. These give our opponents more spots to attack rather than making us more secure. This needs to change, and he suggested the remedy of a layered defense, consisting of what could be characterized as highly active global tripwires.
As far as our current method of responding to threats, Cartwright suggested the system largely works. Under that process, the DOD talks to the State Department, and asks them to contact the country from which the attack originated. The State Department then requests that country take action to halt the threat, usually within a 48 hour window. This has always worked, Cartwright said, and likely because it is almost never the government itself conducting the attack.
But to increase cooperation and ensure that such a layered defense system could operate, Cartwright pointed to the Five Eyes Construct. He suggested if this could be expanded to NATO, that it would cover 90% of global traffic. Shared standards and common reporting requirements would enhance a layered defenses system and ensure greater resiliency. He summed up this approach as consisting of 1) layered defense 2) on a global scale 3) with shared standards 4) and both awareness and real-time reporting of threats, as well as 5) active and aggressive defenses (proportional responses to threats in real time – this, he noted, was a long way off), plus 6) a strong penalty for what was done.
On this last point, Cartwright suggested the United States needs to be clearer about our capability of responding to threats and assurances that we’ll do so. The longer we don’t acknowledge these attacks and notify the global community of them, the longer they will continue. Indeed, as Cartwright put it, “it’s hard to convince someone you’ll do something to them when you don’t tell them you can do it.”
You can view the presentation here.