Deja vu! Seem to recall Winn Schwartau saying all of this in 1990-1991.
Keeping your finger on the pulse of evolving cyber threats is very difficult as they change so frequently and abruptly. In the following interview, IDGA’s @DefenseInsider explores the current and future landscape of cyber warfare with Scott Borg, CEO of the Cyber Consequences Unit. Chris Archer asks how cyber warfare will affect defense in the future and what’s being done to ensure the military and government remain ahead of the evolving threats. Scott Borg also reveals the current aims and priorities within the US Cyber Consequences Unit.
Scott, in your opinion how will cyber warfare affect defense in the future?
Cyber warfare will require us to rethink every aspect of defense. Our current weapons and defense systems will still be needed, but the way we use them will become very different. A major cyber assault could completely bypass our military forces. It would not require incoming airplanes, missiles, ships, or troops. The attack could suddenly appear inside the computerized equipment of our major industries. The identity of the country or organization that was responsible could be impossible to determine quickly or with complete confidence. The cyber assault could cause almost any kind of damage that could be produced by the human operators of computerized equipment. In fact, a cyber attack could cause many kinds of damage that the human operators of industrial equipment could only achieve by reprogramming their controls. A major cyber assault could physically destroy or sabotage electrical generation stations, refineries, pipelines, banking systems, railroad switches, flight control centers, chemical plants, hospital equipment, and water and sanitation facilities. Thousands of people could be killed immediately by explosions, leaks of toxic chemicals, airplane crashes, train crashes, and wrong medical treatments. Hundreds of thousands could be caused to die over the months to come as a result of famine, disease, loss of heating or cooling, and the general deprivations and social breakdowns resulting from people no longer being supplied with the necessities of life. The total economic damage and fatalities could surpass any other kind of assault, except for a nuclear one.
Our current defense strategy ‐‐ having the government defend our borders, being ready to annihilate adversary military forces or countries, and letting domestic industries completely ignore defense issues ‐‐ is clearly no longer appropriate in a world where this sort of attack is possible. The entire relationship between our military and our society will need to be redefined.
You have suggested that the word ‘cyberspace’ is dangerously misleading. Could you explain why?
Cyber warfare seems likely to transform every type of military operation as completely as mechanized warfare transformed all military operations a hundred years ago. Declaring “cyberspace” to be a realm of combat, analogous to the land, the sea, and the air, misses the point. Every kind of weapons system and military force that uses microelectronics, whether it’s the army, the navy, or the air force, is now operating in “cyberspace.” There is no separate realm of cyber warfare. Imagine if military planners at the beginning of the twentieth century had declared a new realm of combat called “mechanized space,” and assigned machine guns, airplanes, tanks, trucks, and every other new mechanical device to a separate “mechanized force.” That would be analogous to what our military planners are doing today when they talk of “cyberspace” and set about developing a corresponding “cyberforce.” Every military force is now dependent on cyber defense, and every military force needs to have a cyberforce component.
The very term “cyberspace” also leads to strategic and tactical mistakes, because it suggests that cyber conflicts will take place in something analogous to a physical space. This can lead defense planners and military leaders to think that “cyberspace” is something with territories and borders; that there are positions in cyberspace that can be occupied; that some things are far away in cyberspace, and others are close; that reaching things “far away” in cyber space takes longer than reaching things near at hand; that attacking more locations in cyberspace requires more attackers; and so on. These kinds of assumptions often shape decisions about cyber warfare, even when the assumptions are not explicitly stated. This sort of thinking is dangerous.
Why is it such a challenge to consistently keep a finger on the pulse of evolving cyber threats?
The biggest problem is that cyber threats change so frequently and so abruptly. Extrapolating a past cyber attack trend into the future is of little use, because the threats we are most worried about at a given moment will be different from those we were most worried about two or three years earlier or the ones we will be most worried about two or three years later. Remember when the big worry was mass viruses that would clog up systems or erase data that hadn’t been backed up? Or a little later when the big worry was distributed denial of service attacks on public facing websites? Or when the big threat was bot‐nets, clogging up the internet with spam? Or some of the other cyber threats that have come and largely gone? This is a field that is changing at an enormous pace.
By the way, this is the reason why government mandated security standards are not generally a good idea. By the time cyber‐security standards have been defined and are being imposed, they will not only be obsolete; they will often be an impediment to implementing the security measures that are most necessary. Requiring software to be certified causes similar problems. Because of the time required to go through certification procedures, certified software will almost always have more security flaws than more recent, uncertified software. The government can’t mandate good cyber security; it can only mandate poor cyber security.
Tell us about the past and current aims of the US‐CCU – have the priorities and focuses within the organization changed? What is the US‐CCU doing today?
The US‐CCU is a non‐profit research institute that was set up at the request of the Private Sector Office at DHS in the early days of that government department. Its original mission was to determine how much damage could actually be caused by various kinds of cyber attacks on various critical infrastructure industries. The idea was to have an organization outside the government that could gain access to the confidential information of corporations and not only protect this information, but also protect the very identities of the corporations providing it. I was recruited, because I was already well known to some of the relevant corporations, and because I knew how to quantify in economic terms many kinds of damage that other people thought were too complicated or intangible to quantify.
The US‐CCU was very successful at our original mission. One of the things we discovered was that many cyber attacks would actually be much less destructive than people imagined. This is because our major industries are, in many respects, very resourceful and resilient. We also discovered that many cyber attacks would be much harder to carry out than people expected. Our big worry then and now is that some of the more destructive cyber attacks will get easier to mount as time goes on and that more countries and other groups will acquire the capabilities needed to mount them.
Very soon after the US‐CCU began its work, we decided that we needed to start tracking threats, as well as consequences, in order to determine whether we were investigating appropriate kinds of attacks. We became very good at this, not by extrapolating from past attacks, but by looking analytically at the pre‐conditions for cyber attacks: what potential attackers are out there, how and how much these groups could gain by carrying out various attacks, what cyber targets would appear to be the preferable ones from their vantage point, how difficult and how costly it would be for them to assemble the necessary capabilities, and what signs are available to indicate their current cyber activities.
We are now offering intensive, one and two‐day courses to corporations and government agencies, teaching them the techniques we have developed for cyber threat analysis and cyber consequence analysis. Our cyber threat analysis course teaches organizations the methods and models that have allowed the US‐CCU to anticipate every important new cyber threat since 2003. Our cyber consequence course shows organizations how to quantify things like damage to customer relationships, damage to brand or reputation, and loss of competitively important business information. We are also about to start offering a course in cyber policy analysis, demonstrating how to quantify policy ROIs and how to comparatively evaluate different policy choices. Meanwhile, the US‐CCU is continuing its research on how threats and consequences are developing today.
Would you rate it as a positive or negative that the U.S. government currently has at least a half dozen different organizations tackling the issue of cyber security?
The U.S. government has at least a half dozen very different missions where cyber security is concerned. These missions put conflicting demands on those carrying them out, so it would be appropriate to have at least a half dozen different government organizations dealing with cyber security. Unfortunately, the government organizations tackling cyber security do not have responsibilities and capabilities that are well aligned with the six government missions. As a result, we have gaps, overlaps, turf wars, and a lot of confusion about who should be doing what. As we gradually sort this out, I don’t think the government will be consolidating cyber security responsibilities in one organization. I think it will be allocating different types of cyber responsibilities more clearly to different organizations. There will also be an increasing need to make its own cyber security an explicit responsibility of every government department and agency.
Does the US‐CCU provide research that specifically focuses on Talent and HR? If yes, what are your most important findings?
Virtually all of the US‐CCU’s research efforts from the beginning through the present have regularly shown the need for more cyber‐security expertise in more places. Furthermore, we believe that the almost exclusive emphasis on technical vulnerabilities in cyber‐security training has badly damaged the field. This excessively narrow focus has limited the ability of cybersecurity professionals to communicate with those outside the field. It has prevented the field from having a better understanding of threats, consequences, and policy. It has caused our country’s limited cyber‐defense resources to be badly allocated, wasting considerable money, and leaving many important targets inadequately defended. We not only need more cybersecurity professionals trained in more aspects of cyber security; we also need virtually all government and business leaders to have some rudimentary training in cyber security. Cybersecurity training needs to reach a much wider range of executives and cover a much wider range of material.