Cyber Deterrence Conference
On November 2, 2009 INSA held a Cyber Deterrence Conference at The George Washington University. The well-attended conference welcomed some of the best and brightest minds on cyber security in the nation. The symposium was co-hosted by INSA and The George Washington University’s Homeland Security Policy Institute and sought to address the myriad issues that surround cyber security. The conference helped map out the current debate on cyber, the major forms and threats that cyber attacks embody, and the methods that can be used to prevent and counter such attacks. The overarching theme of the day was that cyber capabilities are evolving much faster than the government can prepare for and a framework for defense and protection must be formed that can anticipate the direction that cyber attacks may take before they occur. Attribution and deterrence were discussed at length as the principle forms of security, as well as bringing together the capabilities of the government and private sector to combat cyber threats.
The day began with opening remarks by Charlie Allen and Jaak Aaviksoo, the Minister of Defense of Estonia. Minister Aaviksoo discussed the cyber attack that occurred in Estonia in 2007. The recent occurrence and severity of this attack emphasized the urgency with which a solution to cyber security must be developed. He stressed the increasing importance of the cyber realm in everyday life and the vulnerability that this creates, both for private and public sector users. The Minister also addressed the role that NATO should take in forming an international cyber deterrence policy. Mr. Aaviksoo emphasized that the right tools, systems, and methods for dealing with cyber at the technology -to-human interface have not yet been developed. He identified the two primary strategies that states have in cyber security, these are denial and retaliation. Both of which are currently very difficult to carry out and ill defined. Minister Aaviksoo called for network cooperation, between private users and governments, to establish an international approach to cyber security.
The first panel, titled “The Cyber Threat,” clearly outlined and defined what cyber threat means and what it consists of. Jim Lewis, Director CSIS, elaborated on the “current cyber situation” in the US, stating that the advantage lies completely with the attackers, as the US has no clear policy regarding cyber security. Lewis mapped out the current risks highlighting espionage and crime, while outlining the potential for infrastructure attack. The opponents found online, according to Mr. Lewis, are most often foreign governments conducting espionage, cyber criminals seeking profit from within “sanctuary” states, and independent political groups, including terrorists. However, there is always uncertainty in who is attacking, where, why and how. Mr. Lewis also stated that The United States has the capabilities to act offensively with great impact, but it is on the defensive because of the current disjointed efforts. The panelists that followed Mr. Lewis’ summary of the current situation brought a number of important issues to the table. Roger Cressey of Good Harbor Consulting stated that analysis of attackers was difficult due to confusion over both intent and capability of cyber attackers. Additionally, Mike Delaney of the House Permanent Select Committee on Intelligence laid out the need for clear legislative jurisdiction on cyber and told participants to expect a fight between committees in Congress for control of the issue
This group was followed by a discussion on “Deterrent Capability.” Keynote speaker Michael Nacht, Assistant Secretary of Defense for Global Strategic Affairs, stressed the importance of attribution and operating at “next speed” to deter cyber threats. He also pointed out that “deterrence” as a concept need not be wedded to Cold War deterrence policies based on massive retaliation and mutually assured destruction. He advocated a picture of deterrence based on value, suggesting that frustrating attacks through better defense, limiting their impact through resiliency or retaliating in other areas, such as diplomatic or economic sanction may be effective means of deterring attacks. The panelists emphasized the importance of attribution and also the need to establish a new “business model” for cyber security, which includes a public-private partnership.
During lunch, Senator Susan Collins (ME), the ranking member of the Committee on Homeland Security and Governmental Affairs, addressed conference attendees about the importance of taking action on cyber security. She called on the Department of Homeland Security to use the newly formed National Cyber Security Communications Coordination and Integration Center (NCIC) to take the lead on cyber efforts. She also emphasized the need for collaboration of government agencies in coordinating cyber policy, and the inclusion of private sector players, which have important cyber capabilities that the government can leverage in forming a sound policy.
After lunch, the Conference’s third panel, led by Richard Barret, Coordinator for the Al-Qaeda Taliban Monitoring Team at the United Nations, launched a discussion on solutions. Barret outlined the threats from terrorists online and then discussed the complications that face any effort to coordinate cyber security internationally. He listed five areas of complication, stemming from the fact that each country feels and assesses the cyber threat differently. States have different financial, social, and political priorities on the internet and are possessed of varying technical capabilities and legal structures, all of which makes coordination and cooperation an arduous process. During the Panel that followed, David Grannis of the Senate Select Committee on Intelligence echoed the summary of his House counterpart, emphasizing that the Senate is doing much more work on cyber security, but is not coordinated and is presently considering over 20 bills on cyber security. Neill Sciarrone of BAE emphasized the need for a common lexicon amongst government bodies and private sector entities and suggested rather than “black-listing” or sanctioning states we believe to be cyber attackers, the US might create a trusted cooperative network environment between our closest allies and states with strong cyber track records.
The Final subject panel of the day addressed implementation and was led by DHS NPPD chief Phil Reitinger. Reitinger remarked that cyber security has been complicated by a “too many cooks in the kitchen” phenomenon, but that try as we might to centralize authority, cyber will remain a distributive responsibility. Because of this, government and private sector actors should emphasize collaboration and partnership through the creation of a model that assigns specific roles and responsibilities, “Everyone must learn to play their positions and play them well” says Reitinger. In the panel discussion, Tom Shanker of the Washington Post stated that government had to do a better job of engaging citizens in public debate on the cyber issue if they hope to win their support for new measures. Jeff Cooper of SAIC and Steve Chabinsky of the FBI Cyber Division echoed the need for greater structure while Suzanne Spaulding of Bringham Consulting Group emphasized the need for strategic counterintelligence relating to cyber espionage.
In the final panel of the conference the INSA Cyber Task Force presented the finding of their paper “Addressing Cyber Security Through Public Private Partnership: An Analysis of Existing Models.” This paper traced the successful history of Public Private Partnership in America and outlined a model for public-private cooperation and collaboration on cyber security efforts. Click here to read this paper.
NSC Cyber lead Chris Painter ended the conference with his closing remarks, asserting that economic recovery and growth is dependent upon a safe internet and that the new consensus is that it is time to deal with this problem. Painter claimed that the government has long pondered these issues, but that a new found willingness, in part born from public and corporate support, on the part of the government to address these issues is an important and positive development. He also offered a word of caution, cyber must be done carefully, with an organized national framework and plan and abundant protections for privacy and civil liberties. Areas of interest Painter identified include educating the public on online risks, developing new research and technology capabilities and priorities and harmonizing legal structures to better apply them to cyber issues.
The conference continued for a second day on November 3 at Northrop Grumman Heritage Conference Center. The day included classified sessions expanding upon the discussions developed during Day 1. The major themes of the day included policy and information requirements for cyber strategy, private sector involvement, attribution, and moving forward with policy. Bill Studeman, former Deputy Director of the CIA, stated that cyber security strategy should be spearheaded by the White House. A White House task force should be formed to address cyber security; this will eliminate any jurisdictional fight over who should take charge of the cyber problem and ensure that there are not “too many cooks in the kitchen.” Cyber strategy should be threat driven and strategic objectives need to be developed. The US must also expand its Human Capital capabilities to better engage the public on the issue of cyber security and develop professional programs in the field of cyber security. Policy issues identified included developing standards, categorizing cyber attacks within the definitions of war, information sharing, privacy of private users, critical infrastructure protection, and forming the right legislation from the current myriad bills that include cyber. Discussion centered on where to begin in forming policy and growing public awareness. The panelists identified acquisition processes for cyber intelligence and creating public awareness through red teaming as areas that should be improved in new efforts.
Another area of cyber policy that was discussed at length was the involvement of the private sector. Since the responsibility of cyber security should fall on the White House, the panelists concluded that the private sector should be included in the capacity of government support and mentoring and that private involvement should be clearly defined. The INSA cybersecurity paper called for a public-private partnership that would ensure privacy and limit government intervention. However, the scope of the issue indicates that more government initiative is necessary. It was suggested that developing a community of interest within the private sector could be a valuable next step.
The second day’s discussions also spoke to the global nature of the cyber issue. Panelists brought attention to the necessity of international collaboration, stating that the government also needs to address the privacy issue and must undertake these tasks urgently. The aspect of “humanizing” cyber security and threats was also discussed. Echoing the preceding day’s discussion, the discourse emphasized the need for a common lexicon to help engage the public both nationally and globally. The group of experts also recognized that risks should be shared to create greater awareness and hopefully greater prevention. It was proposed that a third party entity across the defense industrial base should be created to provide unified communications. Finally, it was put forth that community policy could be used as a strategy to engage the public and build trust between and amongst the government, private sector and civilians.