Cyber Security Public Policy
January 21, 2015
Imagine a scenario where a highly motivated, trained, and well equipped enemy launched an invasion against the United States. Upon arriving at our shores, this enemy began grabbing anything of value—everything not literally fastened to the ground, and loaded these things onto a ship to take it back home. This scenario sounds far-fetched—but it’s happening every hour of every day here in the United States. Who is this enemy? Anyone and everyone who would like to profit from the enormous amount of intellectual property developed, improved, and economized here in the United States and other modern western countries. The method of invasion: cyberspace.
A recent visible example of this phenomenon was the May 1st, 38 page indictment of five Chinese army officials for computer crimes after major Pittsburgh area businesses were attacked, with the specific goals of acquiring information regarding the outlook for the U.S. steel industry. Alleged in the attack were the use of spear phishing and malware—often the “usual suspects” regarding intellectual property theft. FBI Director James Comey, in an interview with CBS’ “60 Minutes,” had this to say, “I liken them a bit to a drunk burglar. They’re kickin’ in the front door, knocking over the vase, while they’re walking out with your television set. They’re just prolific. Their strategy seems to be: ‘We’ll just be everywhere all the time.’”
Now to be fair, this isn’t a Russia problem, a China problem, or a North Korea problem. This is an intellectual property problem. The innovative history of our post World War II society has yielded a treasure trove of life improvements which any nation would, of course, wish to have access to. Our science, technology, entertainment, and engineering prowess as a nation obviously make us a target for any actor who wishes to improve their lot in life. A recent PWC report cited an estimate from the Center for Strategic and International Studies of cyber crime’s annual cost to the global economy between $375 billion to $575 billion, but the same report from PWC estimates the annual loss of trade secrets from $749 billion to $2.2 trillion — a staggering 1% - 3% of GDP! This is easily the greatest transfer of wealth the world has ever seen.
Why does this phenomenon continue, given how quantified the damages have been and how public U.S. officials have been regarding the issue, up to and including the extremely unusual step of indicting foreign military and government officials? It’s no secret that we are engaged in an ongoing cyber war, and it’s also becoming more obvious that our existing policy mechanisms and our technology approaches to cyber warfare aren’t working.
First, we are spending too much time attempting attribution. Trying to figure out who the enemy is and what they are doing is a waste of cycles in today’s complex web of actors and methods. What’s ironic about this approach is that corporate America has, for about the last decade, embraced the notion of, “we don’t care who it is; we must consider most of the outside world untrusted.” Just look at the evolution of security technology—we have gone from a focus on preventative controls (anti-virus, IPS, etc.) to data-centric controls, whitelisting, and better understanding of “normal activity.” From a public policy perspective, we need to take this approach—if we don’t know who you are and what you’re going to do with the information, you don’t need it. This sounds easier in theory than it would be in practice—but today we are investing all of our energy in watching the “burglar” on video trying to figure out who he is versus locking the front door.
Second, we must have a clear and open policy on cyber warfare and intellectual property at the highest levels of our society. Even if our policy is to be ambiguous regarding our response, this ambiguity needs to be codified. For instance, the United States has a policy of deliberate ambiguity regarding its intent to retaliate to a chemical or biological attack with nuclear weapons. This policy was developed during the Persian Gulf War and remains, in essence, our policy. On the cyber battle space, not even a policy of deliberate ambiguity is in force. We are telling our enemies nothing—which is, in effect, “Come get us, we’ll try to keep you out, and do nothing if you succeed.” The definition of a proportionate response, an idea of an overwhelming response, and what constitutes an action which warrants a response are all areas which need the same clarity in cyberspace which exist in the physical space.
Third, it’s time to start hitting back. Attribution is difficult and often not worthwhile—but during those instances where we clearly can identify the enemy, we should be leveraging every cyber capability at our disposal. Until our government can provide better clarity and policy, corporate America is left to absorb the impact of this mass transfer of intellectual property. The private sector has the ability to deal with the problem, but who wants to engage in cyber warfare when our own government’s stance is uncertain? If we are unwilling to “take the gloves off,” we should expect foreign countries profit off the last three generations of innovation without benefit to the U.S. It’s hard to imagine a middle ground.
Finally, the cyber industry needs help from the media in educating the public on what’s really happening here. Security professionals tend to not be able to deliver the message to the masses—and we shouldn’t have to. Journalism exists for a reason—and we in the industry have been hesitant to leverage the media in fostering the right questions and policy debates around cyber security. The American public knows more about cyber security than it ever has, predominately due to the recent high-profile credit card breeches. We as an industry must continue to educate the public on just how serious the rampant theft of their innovation and productivity has become.
The threats to our intellectual property are real, they’re constant, and we’re asleep at the switch. Unless we are comfortable with, one generation from now, losing our edge in innovation, we must act. The time is now.