As the US (and the world) prepare for the possibility of Cyber War, there seems to be little consensus on what the term means. Merriam-Webster defines it as “of, related to, or involving computers or computer networks (like the Internet). Yet we have a government Cyber Command and reports are full of military metaphors. Put the phrase in the DOD’s public site and you get 1270 One such article, “Defending a New Domain: Pentagon Cyber Security,” had 77 references and included the following: cyberwarfare, cyberattacks, cyberwarriors, cyber strategy, cybertheat, cyberdense, cyberspace (of course), cybersecurity, Army Cyber Commend, Marine Forces Cyberspace Command, National Cyber Range (really? You shoot electrons at targets, maybe?), Cyberweapons, cybersecurity professionals.
The United States Accounting Office (GAO) released a July 2011 report, “DOD Faces Challenges in Its Cyber Activities” expressing the same concern: definitions and responsibilities are literally everywhere on the map. Various defense organizations do not coordinate their efforts and do not even agree on some basic definitions.
So it is perhaps not surprising that Senator Kirsten Gillibrand of New York demands clarification on who or what “cyber” really means. Gillibrand wrote to Secretary of Defense Leon Panetta to say “I remain concerned that the lack of cross-cutting, clear definitions of cyber personnel throughout the Department of Defense is a significant impediment to your ability to carry out this important mission.” Among her complaints are DOD’s 90,000 people working on cyber issues, but many are basic computer maintenance workers rather than current military cyber experts. It’s not that “just IT guys fixing hard drives” (as the author does themselves) are not important, but that they would be there in a similar capacity, whether or not there was concern about military cyber threats.
The lack of a coherent response and sufficient security has resulted in several large data breaches. According to Deputy Defense Secretary Willam J. Lynn, foreign crackers stole 24,000 military cases in March 2011. Lynn said “It’s a significant concern that in the last decade, terabytes of data have been extracted by foreign intrusions from corporate network of defense companies. DOD believes” more than 100 foreign intelligence agencies are trying to break into US networks. “
Given that there are about 195 countries in the world, that is a significant number.
Continuing from the DOD document, “whereas a missile comes with a return address, a computer virus is generally not. The forensic work required to identify an attacker can take months if identification is possible at all. And even when the attacker is identified, if it is a stateless actor, such as a terrorist group, it may not have any assets against which the United States can retaliate. Moreover, what constitutes an attack is not always clear. In fact, many of today’s incursions are closer to espionage than that acts of war … Given these circumstances, deterrence will necessarily be based more on denying any advantage to attackers than on imposing costs through retaliation. “
Gillibrand believes the threat is significant. In honor of the new tradition of using military terms for threats on government networks, Gillibrand in June called for the creation of a “Cyber ROTC.” She believes that the government needs to pull some of the talent in the private sector to become cyber-wise and that a CyberROTC can become the farm team in developing new talent.
Are we jumping too fast and too far into the military classification of what has so far largely been the domain of Silicon Valley and Route 128? We seem to require the creation of organizations and staff based on concepts that are not fully defined.
This writer thinks it would need us to understand what we do before we do it. I repeat Senator Gillibrand’s call for common definitions. But I think we need definitions and responsible issues before we wholeheartedly jump into pushing treasuries for amorphous plans – solutions to problems we don’t yet understand.