Weaknesses of US and European models of cyber defense

Cyber conflicts to be won by nations with "long-term internal resilience and external targeted disruption capacities"

From Chris C. Demchak, American Interest: [F]ew of the strategic or institutional support elements of a security resilience strategy are in place today, either within or across the various democratic trading states. The U.S. model of a national “cyber command” is narrowly focused on state-level bad actors, on the protection of domain-centric military networks, and on matching adversary advanced use of cybered attacks during a (highly unlikely) formally declared war.

Furthermore, despite the laudable knowledge-sharing and rapid-action innovation encouraged by the dual-hatting of the Director of the NSA and Commander of the U.S. Cyber Command, the overall model is tied to the dot-mil domain. Unless national command authorities request the direct help of this small knowledge nexus, NSA/U.S. Cyber is not authorized to routinely and proactively help the rest of the U.S. government or the nation’s privately owned critical systems. This model separates by law and inclination the most skilled of public entities from developing national resilience more broadly among the private corporations whose vulnerable systems can affect the homeland, and who are not amenable to paying in advance for security. 

This strict separation of domestic from national security by policy and institutions worked tolerably well during the Cold War. Today, however, bad actors tunnel into the nation around NSA or Cyber Command and weaken the resilience resources of the entire national system through cybercrime or deliberate theft and other control exploits. Today, in a world of connected cross-border easy access, this military-versus-civilian separation ensures that both domestic and national institutions will lack the consensus, shared data analysis and collective learning needed to avoid being paralyzed or panicked after a surprise. 

Also unlikely to adequately implement an effective security resilience strategy is the purely resilience-focused “key firm” model emerging largely in Europe. This strategy is built on national concerns for economic or privacy losses due to massive onslaughts of cybercrime. The European model of national cyber defense rests on using internet service providers as the key firms whose technological skills can be called upon to derail cybered bad actors as they enter home systems or once they are identified within the ISPs’ networks. While the key firm model provides more systemic national resilience than the U.S. cyber command model, it leaves these deeply digitized nations with few legal ways to disrupt persistent bad actors. Disrupting bad actors outside of these jurisdictions is not publicly endorsed or discussed as legally acceptable.

Beyond organizational and legal deficiencies, we face a range of attitudes that hinder appropriate responses to cyber threats. Nine seem most germane.

• We focus on unlikely interstate war while neglecting the society-wide enfeebling effects from waves of non-wartime cyber attacks inside the homeland’s critical socio-technical-economic systems. 

• We separate resilience from disruption, which causes imbalances and incoherence when we allocate strategic resources to deal with sources of cybered surprise.

• We focus on protecting only military or governmental systems in cyber command, or equivalent structures in the private sector, while leaving critical systems that enable our economy to function wide open to attack. This imbalance encourages bad actors to target our weaker points.

• We neglect the crucial role played by the vast global and opaque cybercrime community in threatening the entire nation by innovating new techniques and access points, new methods of attracting and training opportunist or full-time cyber criminals, and new “noise” and cover for criminal or state-run operations.

• We avoid investments in fundamentally redesigning the insecure base layers of the global internet out of deference to private industry, instead pouring investment funds into layer upon layer of technological fixes easily defeated by thousands of underemployed bad actors with time to tinker. 

• We approach securing the national well-being as a purely technological challenge. We fail to grasp the interaction of the social with the technological aspects of critical national systems, ignoring how human cognitive function can cause surprise to leap to technical system failures or erratic behaviors and back again.

• We calculate resilience and disruption costs in short-term budgets and ignore the long-term, episodic and systemic threats of the cybered conflict campaigns likely to be conducted by major adversaries and opportunistic allies. This encourages systemic national and global weaknesses that can be exploited in future international crises.

• We use the insurance model of risk calculations and its presumptions of one-off disabling events, thus relying on allies to provide aid in a crisis and encouraging adversaries to target many states at once. 

• We underinvest nationally in basic research, leaving the technological redesign of a more secure web to the narrow, near-term perspectives in corporate investments and ensuring public institutions will lag in appropriate human capital when new threats emerge from the convergence of cyberspace and new technologies like nanotechnology, genetics or robotics. Corporate interests infrequently take a whole-of-society or long-term perspective, and tend to ignore new knowledge related to cyber threats if it seems to challenge near-term returns on investment or to promise expensive proprietary uncertainties. Right now, a key large and growing peer competitor to the United States in cyberspace and science in general is massively subsidizing and outstripping U.S. public research investments in wide-ranging basic nanotechnology research, supercomputing and other cutting-edge scientific and engineering fields. . . .

The frontier free-for-all that marked the two early decades of cyberspace is ending, but the fight over how it will change the international system developed by the trading states has just begun. Amid the inevitable uncertainties of the future, those nations that most effectively develop careful long-term internal resilience and external targeted disruption capacities will be the most powerful, sustainable and materially healthy in the long run. As things stand now, the United States may not be among them.

Chris C. Demchak is a professor at the U.S. Naval War College. She is the author of Wars of Disruption and Resilience: Cybered Conflict, Power, and National Security (University of Georgia Press, 2011). All statements here are those of the author and do not reflect the views of the U.S. government, the U.S. Navy, or the U.S. Naval War College. (graphic: CIO)
