What’s in a (Cyber) Name?
As the United States (and the world) prepare for the possibility of Cyber War, it seems that there’s little agreement on what the term means. Merriam-Webster defines it as “of, relating to, or involving computers or computer networks (as the Internet). Yet we have a government Cyber Command and reports are full of military metaphors. Plug the term into the DOD’s public website, and you get 1270 articles. One such article, “Defending a New Domain: the Pentagon’s Cyber Security,” had 77 references and included the following: cyberwarfare, cyberattacks, cyberwarriors, cyberstrategy, cyberthreat, cyberdefense, cyberspace (of course), cybersecurity, Army Forces Cyber Commend, Marine Forces Cyberspace Command, National Cyber Range (really? You shoot electrons at targets, maybe?), cyberweapons, cybersecurity professionals.
The United States Government Accounting Office (GAO) issued a July 2011 report, “DOD Faces Challenges in its Cyber Activities,” wherein it expresses the same concern: definitions and responsibilities are literally all over the map. Different organizations within Defense are not coordinating their efforts and don’t even agree on some basic definitions.
So perhaps it’s not surprising that Senator Kirsten Gillibrand of New York is demanding clarification about who or what “cyber” really means. Gillibrand wrote to Defense Secretary Leon Panetta to say “I continue to be concerned that the lack of cross-cutting, clear definitions of cyber personnel throughout the Defense Department is a significant hindrance to your ability to carry out this significant mission.” Among her complaints are DOD’s 90,000 people working on cyber issues, but many are basic computer maintenance workers, rather than actual military cyber experts. It’s not that ” just IT guys fixing hard drives” (as the author does himself) aren’t important, but that they’d be there in a similar capacity whether there were concerns about military cyberthreats or not.
The lack of a cohesive response and adequate security has results in multiple large-scale data breaches. According to Deputy Defense Secretary Willam J. Lynn, Foreign crackers stole 24,000 military files in March 2011. Lynn said “It is a significant concern that, over the past decade, terabytes of data have been extracted by foreign intruders from corporate networks of defense companies. The DOD believes that “more than 100 foreign intelligence organizations are trying to break into U.S. network.”
Given that there are about 195 countries in the world, that’s a significant number.
Continuing from the DOD document, “Whereas a missile comes with a return address, a computer virus generally does not. The forensic work necessary to identify an attacker may take months, if identification is possible at all. And even when the attacker is identified, if it is a nonstate actor, such as a terrorist group, it may have no assets against which the United States can retaliate. Furthermore, what constitutes an attack is not always clear. In fact, many of today’s intrusions are closer to espionage than to acts of war…Given these circumstances, deterrence will necessarily be based more on denying any benefit to attackers than on imposing costs through retaliation.”
Gillibrand believes the threat to be significant. Honoring the new tradition of using military terms for threats on government networks, Gillibrand in June called for the creation of a “Cyber ROTC.” She believes that government needs to draw off some of the talent in the private sector to become cyberwarriors and that a CyberROTC could become the farm team in developing new talent.
Are we jumping too fast and too far into the military classification of what until now has been largely the domain of Silicon Valley and Route 128? We seem to be calling for the creation of organizations and personnel based around concepts that are not fully defined.
This author thinks it would behoove us to understand what we are doing before we do it. I echo Senator Gillibrand’s call for common definitions. But I do believe we need definitions and accountable responsibilities in place before we jump wholeheartedly into shoveling Treasury funds into amorphous plans – solutions for problems we don’t yet understand.