The American Thinker | 3.7.15
By Alan W. Dowd
My colleagues at the Fraser
Institute have just published a report examining the issue
of cyber-security from an underappreciated but crucial perspective, namely, the
importance of cyber-security to liberty.
We all know the Internet was
designed not with security in mind, but rather openness and the free flow of
information. This has been beneficial for liberty. The no-barrier, global,
connected nature of the Internet has brought unprecedented levels of
information and commercial exchange, contributed enormous gains to individual
prosperity, empowered individuals, bypassed governments, and promoted and
expanded individual freedom. Only in recent years have people, businesses,
industries, and governments come to recognize the importance of protecting this
critical sphere of activity on which so much liberty, property, prosperity and
security depends.
“Without a robust level of
security,” reads the
report, “the benefits of the extended liberty provided by the Internet would dry
up.”
Just consider some of the economic costs of
cyber-espionage and other forms of cyber-attack:
- A 2014 study conducted by the
Center for Strategic and International Studies (CSIS) on behalf of McAfee
estimates the global costs of “malicious activity” at between $375 billion and
$575 billion. To be sure, the CSIS estimate is imprecise. However, it does provide
a sense of how this ungoverned zone of commerce, communications and collaboration
is being exploited by bad actors to pursue nefarious ends.
- Some 431 million people are victimized in cyberspace per year, and cyber-crime
represents an economy “larger than the global black market for marijuana,
cocaine, and heroin combined,” according to a report from the Canadian
Defence and Foreign Affairs Institute.
- It costs an average of some $600,000 per firm to respond to each cyber-security breach.
- Pointing to figures produced by the Commerce Department’s International Trade
Administration that extrapolate export values into U.S. jobs, CSIS concludes that the high-end
estimate of $100 billion in U.S. losses from cyber-espionage “would translate
into 508,000 lost jobs…roughly a third of a percent decrease in employment.”
- According to Gen. Keith Alexander, former commander of U.S. Cyber Command, 162 of 168
Fortune 500 companies surveyed report being victimized by cyber-attacks of some
sort. But the scope and scale of the danger is much worse. In fact, “They’re
the ones that know they’re being hacked...there are more than a hundred
companies for every one that knows they’ve been hacked that don’t know they’ve
been hacked.” In 2013, the U.S. government notified more than 3,000 companies—many of them defense
contractors—that their computer networks/systems had been compromised.
That brings us to the national-security costs and
risks associated with cyberspace.
In what has been called “Web War I,” Russian-orchestrated
cyber-assaults essentially cut off NATO member Estonia from the digital world
in 2007. Russia employed cyber-attacks to augment kinetic military operations
against Georgia in 2008 and Ukraine in 2014. And Russia has conducted
sophisticated cyber-espionage and intrusion into Western energy firms.
Iran’s Shamoon computer virus destroyed data on
30,000 computers linked to the Saudi oil industry.
North Korea’s “DarkSeoul” attacks wiped
clean the master boot records (MBRs) of 32,000 computers at South Korea’s
largest banks and broadcasting companies.
Worse, as McAfee reported in 2013, the attacks “were actually the conclusion of a covert
espionage campaign” aimed at military networks and military units in South
Korea. “The true intention of the DarkSeoul adversaries,” according to McAfee,
was “to spy on and disrupt South Korea’s military and government activities.”
And then there’s China. According to a study conducted for the U.S.-China
Economic and Security Review Commission, China’s use of “computer network
exploitation activities to support espionage has opened rich veins of
previously inaccessible information that can be mined both in support of
national-security concerns and, more significantly, for national economic
development.”
In 2013, information-security firm Mandiant pointed
to “an army unit in China” as the source of these attacks. The Mandiant report
details a cyber-campaign that has “penetrated the networks of at least 141
organizations.” The report concludes that a cyber-force within the People’s
Liberation Army (PLA) known as “Unit 61398” is conducting “extensive” computer
network operations. For example:
- In a 2007 case, some 1,500 Pentagon computers were compromised by Chinese
cyber-attacks.
- Beijing has used cyber-attacks to infiltrate subcontracting firms and systems related
to the development of the Joint Strike Fighter and C-17 Globemaster.
- Beijing exploited cyberspace to steal “user credentials” for more than 150 NASA
employees and gain “full functional control over networks at the Jet Propulsion
Laboratory,” according to an investigation conducted by the U.S.-China Economic
and Security Review Commission.
- Unit 61398 launched “spearphishing” attacks—a tactic using email that appears to be
from a trusted source to gain access to a target’s computer—against
Westinghouse Electric, Alcoa, Allegheny Technologies Incorporated, U.S. Steel,
the United Steelworkers Union and SolarWorld.
Another concern with Chinese cyber-attacks stems from the close relationship between
the central government and China’s many state-owned enterprises. For example,
some U.S. officials suspect telecommunications giant Huawei of placing a “bug,
beacon or backdoor” into critical systems that could allow for “a catastrophic
and devastating domino effect…throughout our networks,” as one congressman told Foreign Policy magazine. Hence, U.S.
officials have tried to dissuade American firms in the defense and
telecommunications arenas from contracting with Huawei. In 2011, for
instance, Washington blocked Huawei from building a wireless network for
emergency responders, and in 2013, Washington urged South Korea to exclude
Huawei from participating in a wireless-network project.
Cyber-Defense
The concepts of deterrence, military-to-military signaling, arms control, and non-proliferation as developed in the kinetic, conventional and nuclear realms are not easily transferred to the cyber-theater.
Yet some military officials are urging policymakers to move in that direction. “Our adversaries seek to operate from behind technical, legal and international screens as they execute their costly attacks,” argues Gen. James Cartwright, former vice-chairman of the Joint Chiefs of Staff. “If we apply the principles of warfare to the cyber domain, as we do to sea, air and land, we realize the defense of the nation is better served by capabilities enabling us to take the fight to our adversaries, when necessary to deter actions detrimental to our interests.” Toward that end, Cartwright has even suggested that Washington may have “to do something that’s illustrative” in order to communicate U.S. seriousness.
To assist the
warfighters in their deterrence mission, it may be helpful for policymakers to
let it be known that the U.S. would view a cyber-attack on critical
infrastructure in the same way as a traditional military attack. It’s worth
noting that Russian military officials have argued that “the use of information
warfare against Russia or its armed forces will categorically not be considered
a non-military phase of a conflict, whether there were casualties or not.”
But because
deterrence may not translate to cyberspace—and the line separating the virtual
world of code from the real world of blood remains blurry—resilience is key.
“The operational concept best
suited for cyber-security per se is resiliency,” says the Fraser report. “Given
that the nature of cyber-attacks is still evolving and that attackers
increasingly use third and fourth parties to channel their attacks, and thus
create false leads, deterrence is more difficult…A better defence is the
ability to sustain one or more cyber-attacks and to be able to counter and
restore defensive capacity.”
This appears to be the path NATO has chosen. NATO’s
2011 cyber policy, for instance, focuses on “prevention, resilience and defense
of critical cyber assets.”
How to detect, withstand, recover from and, if
possible, stop illegitimate activity in cyberspace while protecting legitimate
activity—all without compromising the Internet’s open character—is the
challenge. According to the Fraser report, “Overemphasizing security can
restrict freedom and stifle entrepreneurial potential…Conversely, cyber-liberty
without an appreciation of cyber-security presents rising commercial and
governmental costs as well as unacceptable threats to national security.” The
choice is not only liberty or only security. Liberal democracies must aim for
both.
Among the recommendations urged
by the report:
- recognition of the need for security and hence a continuing role for national governments
in securing cyberspace, just as they play a role in securing airspace and
seaspace;
- recognition that the sprawling nature of cyberspace, outsize reach of cyber-actors, and
fluidity between defensive and offensive actions in cyber-security make
difficult the application of traditional forms of deterrence;
- recognition that cyber-security is best understood as gaining and maintaining maximum
overall resiliency; and
- recognition in Washington and among America’s closest allies (Canada, Britain, Australia,
Japan, Israel, etc.) of the benefits each derives from deepening and widening
cyber-security cooperation.
Long before there was
such a thing as cyberspace, Adam Smith, the father of free-market economics,
noted that “the first duty of the sovereign” is to protect society from “violence
and invasion.” What serves as the launching pad for violence or invasion—land,
sea, sky, space or cyberspace—diminishes neither the danger nor the sovereign’s
duty to confront it.