Justice League Blog
Is Cyber War Inevitable?
Turns out that Richard Clarke is a national security policy wonk. I guess that fact is not that surprising if you knew that Mr. Clarke was once an Assistant Secretary of State working on nuclear arms control issues during the Reagan years. The general public knows Dick best as a key figure in counter-terrorism who famously testified before the 9-11 commission and then became enmeshed in partisan battles. Those of us on the front lines cyber security know Dick best as one of the first political types to focus real attention on computer security. For that, we owe Dick a major thank you.
In his new book Cyber War, co-authored by foreign policy expert Robert Knake, Mr. Clarke confronts an important topic too often swept under the rug with the burgeoning pile of security FUD—the notion of cyber war. US citizens have every right to worry about cyber war given our risk exposure. The risks of cyber war and some of the potential consequences are impressively covered in the book and even include doomsday scenarios that are getting Dick into hot water with the hipsters at Wired. Consider how little North Korea depends on the Internet (ok, they are only barely scraping by as a society), then consider the same dependency in the US. See the problem?
One of the challenges of discussing computer security rationally in the Internet Age is that devastating consequences always seem hyperbolic, even when they’re not. Turns out that taking down the power grid with a cyber attack is not outside the realm of possibility. I’ve been told by people who actually engineer and run the grid for a living that inflicting permanent damage taking years to fix is more than possible given current design. Nor is the notion of an Information Warfare attack preceding “kinetic” involvement with explosive chunks of metal some kind of idea from Mars. One of the coolest stories in the book involves the Israeli destruction of the ill-fated Syrian nuclear facility. Scary? Yes. Hyperbolic? Not so much.
There are a few technical nits to pick, of course. Calling out the Estonian dDOS attack (most likely perpetrated by the Russians) as some kind of major cyber attack is a bit over the top. dDOS attacks are the stuff of script kiddies and solutions that thwart them are over a decade old. Most problematic of all is the overemphasis on network security mechanisms and ISPs as proposed technical solutions to the problem. I know Ed Amoroso (CSO of AT&T) believes that security defenses and monitors need to be put in place in the tier1 ISPs, and it’s very clear that he has convinced Dick of that. But as a computer security expert, I am skeptical of that solution. In my view, the only way we can properly address the cyber war problem is by attacking software security head on. Fortunately Dick says the right things about software vulnerability, demonstrating a nuanced understanding all too rare among politicals.
From a policy perspective, the ideas in Cyber War are fresh, new, and important. Dick’s mastery of arms control strategy comes to the fore when he discusses various ideas about cyber war non-proliferation. I must confess that my knowledge of such things is rudimentary at best. I wonder, probably naïvely, how we can think of controlling something as invisible as cyber attack capability (not to mention Trojan Horses and logic bombs) when we can’t even stop Iran from refining uranium like the complete nut-jobs that they are. But SALT II and START came from somewhere, and they have been a very good thing for the world.
Some of my foreign colleagues in computer security (but not all, see this posting from Italy for example) wonder why we are so obsessed with cyber war in the States. They are not sure why we are the only society openly discussing these things. Perhaps they hear the drums of war beating again as they did in the impressively-orchestrated and utterly-delusional run up to the Iraq war. More likely I think the answer to that question lies in understanding just how vulnerable we are in the States. We may not be the most wired country in the world from a consumer perspective, but we’re the most wired country in the world from a critical infrastructure perspective. Cyber war is a serious problem that calls out for serious solutions.
In final analysis, I think it behooves every computer security person to read this book and think through its points carefully. Even if you disagree with some parts of the book (as I do), we must do what we can as technically adept citizens to involve ourselves in the political discourse around cyber war. Dick does an excellent job getting the conversation started.
