Lt. General Brent Scowcroft delivered the following remarks at the conference on international engagement in cyberspace hosted by Georgetown University’s Institute for Law, Science, and Global Security and the Atlantic Council’s Cyber Statecraft Initiative.
Congratulations to Catherine Lotrionte of Georgetown University and the Atlantic Council for bringing all of you together today. From what I am told, we have here the best and the brightest of the cyber world. I wish you luck in your deliberations.
You may wonder why I was asked to keynote this morning. After all, I probably know less about the cyber world than any person in this room. I consider myself successful when I have a harmonious day with my laptop and my BlackBerry. I have no doubt that my little granddaughter will soon be more expert than I am on both.
But you don’t need to be technically expert to understand the national security implications of what is going on in the cyber world today. I believe it is nothing short of amazing when I consider how, in the space of about two decades, we —and here I mean not only Americans but people all over the globe—have literally become dependent upon cyber communications. Consider for a moment how most of what we have come to rely upon in normal everyday life has a cyber component.
Cyber controls the distribution of electric power. It provides the backbone for financial services. It helps guide us to our destinations through GPS. It allows us to obtain cash through ATMs, and to use credit cards to buy goods and services and trade stocks —and even to do so without leaving our homes. Thanks to cyber we have more data stored and available for our instant use than any previous generation in human history. Cyber permits us to communicate instantly all over the world.
And yet, through those same mechanisms, we are also very much at risk. The same cyber mechanisms which enable can, as you well know, be used by malicious actors —common or syndicate criminal, “cyber patriot,” terrorist, or a hostile intelligence or security service — to steal identities, funds, or data; to manipulate information; to deny us access to the sinews of 21st Century life; and, ultimately, to threaten the very safety and health of society as we have come to know it.
This is an international problem. And I am encouraged that you are meeting today to try to develop ideas and mechanisms which may allow these issues to be addressed cooperatively on an international scale. Because I fear that “we” —the collective “we”—are lagging behind, and that on both the national level…and certainly on the international level… we are neither adequately organized to compete with the threat nor are we keeping pace with it.
Let me speak to the Americans in the audience for just a moment.
On a national level, dealing successfully with cyber attacks requires a unique public-private partnership, unique because this means a government-private sector cooperative. One part of our government, the Defense Department, is already well advanced in detecting and defeating threats to its networks; the civil sector of the U.S. Government lags behind, however, and it needs to overcome parochial prejudices and divides, and cooperate with the DoD so that “dot.gov” is protected as well as is “dot.mil”.
And, simultaneously, both parts of our government need to work together with industry to protect those critical societal services known colloquially as “dot.critical infrastructure.” This partnership also needs to focus on how to build “resiliency” into critical functions in order that, if there is a cyber attack from whatever source, the affected sectors are able to recover quickly and to minimize thereby any societal disruption.
We also need to be working along the same three lines—defense, civil government, and critical infrastructure—with like-minded nations — to help them build defenses and resilience…..and to learn from them about alternative or different approaches they may have taken to achieve the same goals. And we need to work with those governments to develop a set of norms—“rules of the road” if you will—on how to deal with cyber criminals and cyber terrorists who are operating within their (and our) national territory ….. or who are operating remotely through servers located in their countries or American soil.
Finally, we need to be consulting about what we should do with respect to those governments whom we suspect of tolerating or even encouraging so-called “cyber patriots” to operate from their soil against our networks… or of using their own intelligence or security services to do so.
In this regard, there are two aspects for consultation. The first aspect is how to convince all responsible governments that we are in this together – and that we should act in a cooperative manner rather than in a confrontational deterrent-like manner –to deal with the issue. The time is soon coming when all large modern states, and their economies, will be more or less equally dependent upon cyber systems…and more or less equally vulnerable to cyber disruptions. We wanted an interconnected world; well, increasingly we have one.
So, now is the time to begin thinking about how to engage state actors as to how to build a web of interlocking obligations. Should the mechanism be treaties? Or should they be merely rules of the road? And in either case, how can adherence to what has been agreed be verified?
Some will say that none of that is possible, that we would reveal too much about our own intelligence capabilities if we challenged another state about a cyber attack. But that isn’t necessarily the case. The arms-control discussions we held with the Soviets during the Cold War provide a case study.
There is something here which is reminiscent of the Cold War. Nuclear weapons, when first incorporated into our arsenal, were considered merely “bigger and better” weapons. It took us some time to adapt policy to the path that Bernard Brodie set forth early in the nuclear age – nuclear weapons role was not to be used in war-fighting; rather, their role was to prevent war. So too the international community needs to consider what the role of cyber weapons should be now or in the future.
We and the Soviets were implacable enemies. Stability rested ultimately upon each side’s strategic nuclear forces. What we knew about them (and vice versa) and what information we wanted to protect about our forces (and vice versa) are in many ways similar to the current situation. Both sides wanted to protect information about capabilities and vulnerabilities. (Remember when the Soviet military admonished the US side in the early SALT talks for revealing too much about Soviet forces to the Soviet Foreign Ministry representatives?) And yet, we managed to find a way to begin talks and to keep talking.
There are of course multiple levels of engagement:
- Track One.
- Track Two.
- Track 1.5
Always remember that engagement is a process, not a point solution.
We also need to consider what to do if the “cooperative engagement” track doesn’t work. That means we need to think about how to prevent cyber attacks if we can’t convince governments that it is better for all concerned to cooperate.
In that same regard, we need to determine what our “red-lines” are with respect to cyber attacks (noting up front the difficulties in attributing firmly the origin of a cyber attack).
What constitutes the cyber equivalent of an attack on “vital national interests”? Every government which possesses a cyber capability will want to use it to their own advantage. But certain cyber activities and certain cyber attacks must be understood clearly to be “off limits”.
How do we communicate to the international community the gravity of cyber attacks on those vital interests?
What do we do if the red lines are crossed anyway? There is a great deal of nonsense in the popular press that we should respond to a cyber attack against a critical infrastructure target with a major cyber attack of our own…or even with nuclear weapons. Well, you might as well use one if you are going to use the other. Remember…these are weapons which if used can destroy large elements of society as we know it. That places a great burden on planning to prevent such attacks in the first place.
And, in a way more reminiscent of the situation we face with nuclear terrorism today rather than classic deterrence, I have to ask you: “ how confident are we that we can prevent all the American hackers and “cyber patriots” from attacking other nations’ …and what does that tell us about other governments’ ability to do the same thing with their hackers and “cyber patriots”?
So I wish you luck in your discussions today. I’m counting on you. So is my granddaughter.