Military Review English Edition May-June 2014 | Page 41
CYBERSECURITY
Well, let’s take a look at the difficult situation
our SIGO faces. First, in simple terms, three typical kinds of cyberattackers pose a threat: criminals,
ideologues, and nation states. Usually, professional
criminals are motivated by greed. They fall under
the jurisdiction of law enforcement although the
technology they use tends to be beyond the capabilities of ordinary police agencies. Next are the
ideologues and so-called “hacktivists,” such as
WikiLeaks or Anonymous, who generally are motivated by their political or philosophical worldview,
or perhaps by cynicism. They often announce their
targets and, sometimes, conduct attacks merely to
gain attention or to get a laugh. The law treats them
as criminals, too. The third type is nation states,
which usually are motivated by security, economic,
or other interests. They can plan and execute
coordinated cyberattacks against their enemies.
Normally, they have access to more resources than
criminals and ideologues. It is not always easy to
assign cyberattackers to neat categories, however.
Further muddying the water is the open question of
whether a cyberattack is a use of force.
Moreover, determining which specific cyberthreats are most dangerous to U.S. national security
and which are most likely to do damage is difficult.
Specific cyberthreats arise in unexpected ways. For
example, Stuxnet, the fiendishly destructive malware that targeted centrifuges at the uranium enrichment facility in Natanz, Iran, now poses a threat
well beyond its original purpose. This is because
code used to build Stuxnet (discovered in 2010 and
widely considered a state-sponsored cyberattack)
was leaked inadvertently onto the Internet. Some
analysts believe its descendants (such as Duqu and
Flame) or their progeny could already be residing in
the databases of critical infrastructure worldwide.3
The bad things going on are beyond any SIGO’s
skill set or resources. How should we respond at
this point?
More Bureaucracy?
The typical, and even mandatory, response of
government is to give an office or agency the
responsibility and resources to fix a problem. This
predictable, slow, and top-down approach to problem
solving at the national level is ineffective against an
uncertain, fast-changing, and bottom-up problem.
For example, the Department of Defense established
United States Cyber Command (USCYBERCOM),
a subunified command subordinate to United States
Strategic Command. The service components are
duly organized to provide support. The Army has
the U.S. Army Cyber Command, the Navy has the
U.S. Fleet Cyber Command, the Air Force has the
Twenty-Fourth Air Force (Air Forces Cyber), and
the Marine Corps has the Marine Forces Cyber
Command. However, as capable as these units are,
they focus mainly on the cybersecurity threats to
U.S. defense information networks. On the other
hand, “the government is often unaware of malicious activity targeting our critical infrastructure,”
said Gen. Keith Alexander, former head of the
National Security Agency and USCYBERCOM.4
When it comes to the civil sector, U.S. Congressman Mike Rogers of Michigan says that “today, we
are in a stealthy cyberwar … and we’re losing.”5
However, there is no doubt U.S. business leaders
realize the cyberthreat is real and that it would
behoove them to work closely with the government
to prevent a big attack or be ready to respond to
one effectively. To them, if something affects their
profits, it is important. Even so, companies currently
have little incentive to alert federal officials after
being hacked because the feds will then turn around
and share that information with their competitors.
Moreover, if businesses share certain information
with some of their competitors, they risk prosecution
from the government under antitrust laws. Therefore,