CAPITOL HILL: Maybe cyberspace isn’t as fragile as it’s made out to be. “Relax, Chicken Little, the sky isn’t falling,” said Columbia professor Abraham Wagner. “Protection ultimately is easier than penetration.”
Wagner’s argument reverses the conventional wisdom that the attacker always has the advantage online. A forthcoming study by the Cyber Conflict Studies Association, for example, says that even a good offense is no defense, because it’s so easy to hide who really launched a particular attack — the notorious “attribution problem” — that it’s nigh-impossible to know whom to retaliate against. But Wagner and several other cyber experts assembled Thursday by the hawkish American Foreign Policy Council collectively suggested that both defense and deterrence are doable, even against hackers backed by nation-states like Russia, China, and Iran.
It’s not that the assembled experts played down the threat. Far from it. Congressional China Commission member Larry Wortzel — one of the country’s top experts on the PLA — said China has explored how to take down the US civilian power grid, satellites, and military communications in a conflict. This comes on top of that country’s ongoing, massive campaign of industrial espionage. (No less a figure than Gen. Keith Alexander, chief of both the National Security Agency and Cyber Command, called the online theft of intellectual property — principally by China — “the largest transfer of wealth in history.”) The Potomac Institute’s David Smith called Russia as great a threat as China, with fewer but more sophisticated hackers whom we hear less about simply because they are less likely to get caught. The American Foreign Policy Council’s own director, virulent Iran critic Ilan Berman, said that while Iran is less capable than either Russia or China, it is working hard to develop cyber-attack capabilities and — under pressure from viruses like Stuxnet, the civil war in its ally Syria, and the US Navy build-up in the Gulf — Iran is far more likely than a more secure nation-state to lash out in an attack.
Nor did the panelists dismiss the attribution problem. None of these adversary states is bound by US-style sensitivities about covert operations. Russia in particular, they agreed, the Putin regime uses underworld and ultra-nationalist proxies to act on its behalf, as in the 2008 and 2009 cyber-attacks on Estonia and Georgia. But nevertheless, Smith said, it quickly became obvious that the Russian government was behind the attacks. (Some of the routers and IP addresses involved were also linked to attacks on internal Russian dissidents). Instead of strict legal standards of proof, he and Wortzel agreed, we need to apply common sense to holding countries responsible.
Remember that every computer, every router, every fiber-optic line that forms cyberspace is also a physical object located in someone’s jurisdiction.
“You can say to a country, ‘you’ve got a server doing something, [and] if you don’t shut it down, we’re going to shut it down,’ because we are capable of doing that,” said Wortzel. Such a policy, holding countries responsible for stopping attacks launched from their territory — or for getting out of the way while the US stops them with a targeted cyber-attack — “destroys the myth of the need for attribution.”
Wagner was less optimistic than Wortzel about the attribution problem: “Some of the worst stuff we’ve seen,” he noted, has come out of servers in the US, with the ultimate authors unknown. Nevertheless, he argued that cyber-defense overall is a solvable problem in the mid- to long-term — “maybe it’s a five-year deal, maybe it’s a ten-year deal.”
Wagner acknowledged cyberspace’s security problems run deep. The issue isn’t particular vulnerabilities in particular pieces of software that can be found and patched; it’s fundamental weaknesses in the basic operating systems and even the chips themselves, which were designed without security in mind. The problem is hardwired — but we can rewire it. In fact, we could and should have fixed the Internet’s fundamental insecurity back in the 1990s, which Wagner called “a decade of lost opportunities,” but we can still do it. What’s needed is a major national investment of money, time, and top-flight talent in a new generation of software and hardware built to be secure from the bottom up, Wagner said. Such an effort would reverse the current imbalance in cyberspace from favoring the attack to favoring the defense.
“If we catch up on stuff we just ignored for a long time,” said Wagner, “I think the balance in terms of how you fix that software is easier and cheaper in the long run than how do you improve the [high-threat] hacks.“