Protecting the Digital Domain
If the Internet had been created in China or the Soviet Union, its architecture would have been very different. America created cyberspace in its own image: free, open, decentralized, distributed and self-governing.
Unfortunately, its very openness and freedom have become the source of its vulnerability. Authoritarian nations, whether secular or theocratic, find freedom of cyberspace very threatening. They are trying to build firewalls to protect their societies from freedom, or to attack the U.S. to cripple its systems.
A most intriguing feature of cyberspace is that its threshold of entrance is so low that a self-trained person with access to a computer can create apps and new platforms, or become a hacker and get into financial or military systems without leaving a trace. Terrorists and rogue states use footloose hackers to damage others’ infrastructures, spy and steal their intellectual property, or pry into their diplomatic and strategic plans.
On his way to the Shangri-La Security Dialogue in Singapore on June 1, 2013, U.S. Secretary of Defense Chuck Hagel described cyber security threats as “quiet, stealthy, insidious,” not only to the United States but also to other nations. “Rules of the road” are necessary to protect cyberspace, the domain in which all our activities, military, economic, commercial, political and cultural, are now carried out.
This fear is not irrational, because power grids, financial systems and defense networks could be brought down not only by hostile states but also by non-state actors acting alone or in collusion with their patron states. Most importantly, one of the most precious assets, intellectual property, could be stolen.
Last May the U.S. Defense Department reported to Congress that Chinese hackers had accessed the designs of some major U.S. weapons systems to modernize China’s military. The hacking, according to the report, was “attributable directly to the Chinese government and military.”
NATO systems, particularly the systems used to coordinate military actions among the 28 allied nations, also face frequent computer attacks. The attacks on the security of cyber-dependent European nations are diverse in nature and origin. They range from simple distributed-denial-of-service attacks that make websites inaccessible to strikes that can cause physical destruction to vital installations.
But attacks can come from anywhere. A case in point is Estonia. In 2007, the Baltic country was subjected to a large, sustained cyber attack that lasted several days and paralyzed its commerce. The cyber attack was thought to have originated in Russia, but it couldn’t be determined who was responsible.
In 2008, Georgia came under Russian cyber attack during their war over South Ossetia. Although the attack was limited to disabling a few Georgian government websites, it was an ominous sign of what might happen in the future if hostilities were to erupt between any two nations.
The knowledge and technology needed to conduct cyber attacks are easily accessible. Today most perpetrators can conceal their location thanks to the anonymous nature of the Internet. Given current technology, attribution of cyber attacks is problematic.
But the cyber age is the age of big data, and data mining software is being developed to pinpoint and locate the perpetrator. Mandiant, an American computer security company, reported last May that a unit of the People’s Liberation Army, APT I, Unit 61398, located in Shanghai, has “systematically stolen hundreds of terabytes of data” from American corporations, organizations and government agencies. They stole “product blueprints, manufacturing plans, clinical trial results, pricing documents, negotiation strategies and other proprietary information from more than 100 of Mandiant’s clients, predominantly in the United States.”
What can be done? The United States has been droning al Qaeda terrorists in Yemen and Pakistan and sent Navy SEALs to Abbottabad to kill Osama bin Laden. What can be done with hackers if they originate from Iran, Russia or China?
The Commission on the Theft of American Intellectual Property, an independent commission, has issued an interesting report. The report says, “Intellectual Property (IP) theft needs to have consequences, with costs sufficiently high that state and corporate behavior and attitudes that support such theft are fundamentally changed.”
The most intriguing recommendation is this: “without damaging the intruder’s own network, companies that experience cyber theft ought to be able to retrieve their electronic files or prevent the exploitation of their stolen information.”
And, the report recommends, “both technology and law must be developed to implement a range of more aggressive measures that identify and penalize illegal intruders into proprietary networks, but do not cause damage to third parties.”
This is a call for limited and calculated private retaliation. But will it work? Could Google, for example, fight the People’s Liberation Army of China? Yes, Google could have retaliated in 2010 when it faced cyber attacks and censorship of its search results, but the company wisely decided to leave China and moved its operations to Hong Kong.
One would think that Silicon Valley software wizards must have developed foolproof encryption systems to protect themselves and their data. But last year’s revelations by former contractor Edward Snowden that the NSA has had unlimited access to information about U.S. citizens and foreigners have made such claims dubious.
The NSA conducts surveillance under the authority of a most secretive court established under the Foreign Intelligence Surveillance Act (FISA). It collects metadata from telephone companies and Internet data from Internet Service Providers. Under other secretive programs, such as Boundless Informant and PRISM, the NSA has been carrying out global surveillance, including on major world leaders. U.S. President Barack Obama in his recent address at the Justice Department has vowed to modify the surveillance program but not give it up totally because he, and many in Congress, consider NSA’s operations to be indispensable not only for national security but also for global security.
With so much surveillance power, why can’t the NSA give Americans complete cyber security? The answer is simple: No single system is good enough to offer such a thing.
Information technology companies must develop weapons of self-protection and must be allowed to use them, which will require amendments to the existing laws. Most importantly, the marketplace for cyber security systems must be incentivized to grow.
The three pillars of cyber security are: the National Security Agency but only under the close scrutiny of lawmakers, courts, and the news media; lawful cyber tools of active defense; and last but not least, a highly developed cyber security marketplace.
Cyberspace has been called the fifth domain: land, air, water, space, and now cyberspace, and it’s evolving. America, like the rest of the world, has become a cyberspace-dependent nation. Cyberspace is going to define the future of humanity. It cannot be left alone as the Wild West.
Dr. Batra is author of The First Freedoms and America’s Culture of Innovation (Rowman & Littlefield, 2013) and a professor of communication and diplomacy at Norwich University. He is working on a new book, India Must: Compete or Perish.