Pages

11 May 2017

Incoming! The upcoming cyber executive order


by Kenneth Geers,

Washington and Moscow have always been busy corners of cyberspace, but the first 100 days of Trump have produced too many digital controversies to keep up with, from leaks to arrests, witch hunts to untimely deaths. In the White House and Red Square, cyber espionage has given way to cyberattack, but it is far from certain how much is virtual and how much is real.

In this context, everyone is waiting for the Cyber Executive Order. We will soon see Trump’s vision for cyberspace, but his choice for Cyber Czar, former top NSA hacker Robert Joyce, suggests that the order may favor a military approach. That would be the wrong way to go: Offensive technical skills are important, but they will not address all of our current internet security challenges.

Trump is right in saying that “no computer is safe,” and as a businessman, he knows the value of inside information. Therefore, he should pretty much understand computer hacking. For years, the Russians have been arguing that cybersecurity is just one part of something more important, information security, and it turns out they were right. We thought that Russian spies would change the tally of votes in the ballot box, but instead they simply leveraged (and abused) the power of social media. For professional hackers and spies, the sky is now the limit, with national sovereignty and legal jurisdictions flouted every day.

But Sun Tzu would blame the election debacle on Americans, for overlooking what were clearly vulnerable defenses. For the future, democracies must undertake political reform, increase investment in education, and support science with an eye toward making our politics less hackable. Then, foreign “active measures” will fall flat. Exclusively political, military, intelligence, or law enforcement answers to what are essentially technical questions would be a disservice to both cybersecurity and America.

President Trump’s predecessors all found that cybersecurity is a tough nut to crack. It has been decades since the U.S. government was at the forefront of computing — witness its struggle to keep up with the Windows operating system. And Cyber Czars don’t grow on trees; just ask Rod, Melissa, Dick or Howard. Trump promised us a “60-day cyber miracle,” but thank God we don’t have one because that could only be written by the Ministry of Truth. In the end, Trump is likely to do what Obama, Bush and Clinton did: name critical infrastructures and throw money at them.

Hopefully, the Cyber Executive Order will avoid words like “terrorism” and “war,” and instead talk about “authentication” and “integrity.” We do need to protect electricity and elections, but we don’t need a war on cyberwar. John McCain asked CIA Director Mike Pompeo whether the U.S. can “adequately respond” to cyberattacks. The answer is yes, the U.S. can defend itself, but this new type of warfare is more strategy than tactics, more Sun Tzu than Stalingrad.

Name a hacker group more powerful than the Shadow Brokers: How about the Internet Engineering Task Force (IETF)? These are the scientists who write the code that makes the internet work. In short, the Cyber Executive Order should help real hackers (the good ones) close the holes that allowed the Shadow Brokers to steal our shorts. And what about fake news? That is a bigger challenge, but I still trust scientists more than politicians.

The internet is too important to try and fix in a bureaucratic timeframe. The internet is a machine, but cyberspace lies somewhere in the human mind. VP Pence promised “aggressive action against cyber hacking,” and Trump is offering billions toward cybersecurity, but the most effective way forward is to work with the smartest people, both in the U.S. and overseas. Tech companies, and the NSA, know that math does not lie. That is why many immigration watchers, including Trump, have lauded the Canadian system, which is merit-based, and not family-centric as in the U.S.

But boys will be boys. The lion’s share of attention and funding from the White House will likely go to the military. And in light of North Korea, which is stealing money from foreign banks and building missiles that can hit Disneyland, this is understandable. We should be hacking the hell out of North Korea. That said, the North Korea problem will eventually go away (most likely managed by its “big brother” in Beijing), and then world history will march forward once again.

Human rights and law enforcement concerns are ultimately more important than military questions because they address not only foreign threats, but domestic ones too. Once the war is over, how do we want to live? The armies of Eurasia are always on the march, but Inner Party members like O’Brien live just down the street. How Trump handles Snowden and Assange is just as important as how he deals with Russia because that will speak not to Kremlin threats, but to American responses. The U.S. military can defend our country, but with almost as many military band members as diplomats, we have forgotten the Art of War, which stresses victory without fighting.

So what about Russia? Is the U.S. 2016 presidential election what a “Cyber Pearl Harbor” looks like? Dick Cheney and John McCain think so. Obama clearly anguished over how to respond, in the end expelling 35 Russian diplomats from U.S. soil. As with China, Trump will offer Russia some kind of a deal, but it shouldn’t come at the expense of human rights, Ukraine or any issues where the West knows it is in the right. Anyway, who wins a disinformation war? To paraphrase Zhou Enlai, it will always be too soon to tell.

In his search for cyber allies, Trump will likely turn to Israel, which has first-class capabilities and battlefield experience to boot. But given the overwhelming importance of this issue, that is still more of a tactic than a strategy. The president should, in fact, look no further than the NATO Alliance, which is far and away the most powerful international organization on earth. Cybersecurity is an international problem that demands an international solution, and the best path forward is to align the law enforcement, military, intelligence and technical prowess of 28 (soon to be 29) sovereign democracies.

Ultimately, cyberspace looks more like democracy than autocracy, and the West should be confident in the fact that it possesses far more strategic depth on the internet than all dictatorships combined.

Kenneth Geers (PhD, CISSP) is a senior research scientist at Comodo, a global innovator and developer of cybersecurity solutions. He is also a NATO CCD COE (Cyber Centre) ambassador, a non-resident senior fellow at the Atlantic Council, an affiliate at the Digital Society Institute of Berlin, a visiting professor at Taras Shevchenko National University of Kyiv in Ukraine, and an accomplished author. Kenneth spent 20 years in the U.S. government, with time in the U.S. Army, NSA, NCIS, and NATO, and was a Senior Global Threat Analyst at FireEye.

No comments:

Post a Comment