Sunday, June 7, 2009

Does Pentagon really need yet another arm? (Foreign Policy: net.effect)

Does Pentagon really need yet another arm?
Fri, 05/29/2009 - 12:22pm
So, as a follow-up to my recent post on Obama's cyber security speech, here are some reflections on the military angle of the cyber seucrity debate. I should start by saying that I still think the best way for Obama to tackle the problem of cyber security is to impose a moratorium on the use of the word "cyberwarfare". A series of recent New York Times articles create an impression that the White House is seriously considering building and deploying some mysterous "cyber weapons" which will help it to "wage wars" when, in fact, all we are talking about is a bunch of cables, keyboards, and computer screens. Now, does all of this add up to be "Pentagon's new arm" as a headline in today's New York Times puts it

I very much doubt it. First of all, I am extremely skeptical that anything good would come out from the military's involvement in cyber security affairs. The recently announced plans to create a cyber comand leave me unimpressed; I simply don't see any steps in the chain of cyber security per se where the military can add much value. Having the hugely complex and immobile military coordinate our cyber security does not sound very promising. I think we need to get realistic: at the moment, the risk that someone would be able to smuggle a bomb into a plane is much higher than the risk that someone would manage to successfully interfere with the civilian aviation system. I'd rather have our best military minds focused on dealing with real terrorism - a skill that, I must say, they haven't yet polished to perfection -  than addressing the nascent cyber threats, which are yet to physically manifest themselves in any meaningful way. 

The questions facing the Obama administration on the cyber security front are quite simple: 1. How do we make sure that the million of government computers are secure? 2. How do we ensure that the critically important computers in the private sector (belonging to stock exchanges, banks) are secure? Those are the two questions that really matter; everything else is usually derived from the Hollywood movies. 

Well, there is nothing magical about keeping computers secure: one simply has to start introducing standards across various government agencies and ensuring that eventually all computers deemed critically important adhere to the same (or at least comparable) security standards. This is something that can be easily handled by civilians; it's a question of logistics and leadership. Do we need a czar who can push this through the intra-agency strife? Perhaps, we do - but we should essentially be ready for the news that this is going to be one of the most boring jobs in the government, which basically involves making sure that all government computers have the latest anti-virus upgrade. This doesn't really sound like "fighting the latest cutting edge threat in cyberspace" that the Pentagon folks would be most excited about. 

The private sector probably needs less help with getting on with cyber security than we think; I am yet to meet someone working in IT at a nuclear plant or a stock exchange who doesn't think that keeping their computers secure is a must. Often, the IT experts working in the private sector are much more talented (and better paid) then their counterparts working for the government; usually, they also have lavish budgets. I do believe that there are probably a few crucially important hub industries, whose computer systems may not be up to date, but, overall, I think the private sector is years ahead of the government, and the expertise is likely to flow in the opposite direction (i.e. from companies to the government and not vice verca). 

So, this is it about the defensive actions. As for the offensive actions, well, I think the situation is not as dire as it's painted in the media. Of course, the military has all the rights to work on new more precise computer-aided weapons; as long as they comply with the international law, there is nothing to fear about that. But they have been doing it for many decades already, so I am not sure why all the fuss now. Retaliating for cyber-attacks with cyber-weapons just doesn't seem viable to me. First, in most cases, this is impossible, since the attackers are untraceable. Second, most of these attacks could be classified as crime and should be dealt with under the provisions of the international law; otherwise, we risk stepping in a very dangerous territory where we decide to bypass the legal option and reach for the much easier military option instead. Do we really want this?

No comments: