- "Cyber threats often come from overseas, which makes it difficult for law enforcement to deter or punish them, yet they rarely rise to the level that would warrant a military response."
- Using the term "cyber war", however, implies that in fact that military have a responsibility to get involved in our nation's network defense.
- Most acts of "cyber warfare" are better described as "commercial espionage", "sabotage", "subversion" or just "cyber crime".
- CYBERCOM per se is not bad, but using it as a tool for dealing with the aforementioned cyber-societal ill carries the following risks:
- We don't want to encourage the civilian world to think that this is the military's role, when most cybersecurity experts agree that good cyber hygiene at the level of both individuals and corporations is the first big step to reducing network vulnerabilities. (Indeed, the Department of Defense's own cyber-awareness training, flawed though it might be, takes this stance.)
- There are simply too many information systems underlying our country's infrastructure and commerce; the military can't protect them all, and doing so would like require major civil liberties infringements.
- Military doctrines are inherently offensive, which is why we don't want DoD determining our cyber policy and doctrine (note that he's quoting Barry Posen to make this argument).
- I think Wallace and Rid both need to retire the argument that there is no such thing as "cyber war" (even though I've heard Michael Daniel echo this rhetoric at countless cyber-related discussions on K Street, which suggests that the administration agrees with them). Referring to "trade wars", after all, does not conjure up images of Special Operations Forces and drones being used to attack foreign trade ministers in retaliation for trade barriers. And President Johnson's "War on Poverty" isn't associated with the National Guard going into the ghettos to hand out relief checks and food stamps.
- Wallace's chief concern is not semantic ("cyberwar" vs. "cyber theft"), but rather the (wholly legitimate and oft-debated) question of who should protect American interests in cyberspace. So maybe a better question to ask is how DoD became so strongly associated with cyber defense in the first place. I suspect it's pretty simple:
- The military-industrial complex gave us the Internet and programming languages, not to mention some of the first modern digital computers. It's rather difficult to shake the assumption that they'll take the lead on cybersecurity when they've always taken a leading role in the existence of computing itself.
- Whatever obvious flaws exist in their approach, the Department of Defense seems to be taking cybersecurity far more seriously than anyone else right now; they're set to spend $23 billion on it in the next five years. For comparison purposes, the energy sector is trying to reassure us that it's taking cyber seriously - despite much evidence to the contrary - because it's planning to spend $7.25 billion by 2020. And the Department of Homeland Security's ICS-CERT is still so woefully underfunded that they're regarded as a joke by almost everyone.
- To me, a more convincing argument against handing control of cyber doctrine to the military is the fact that right now, the military is struggling to educate its leadership to think about cyberspace as both a security and war-fighting domain. This was the subject of a recent Pew Center report that was discussed and debated at the National Defense University (full disclosure: my fellow at NDU was one of the panelists, and I did most of the research he presented to counter the Pew Center's argument). However, even this study still admits that "[military higher education's] efforts are commendable, especially in comparison to the much slower or nonexistent integration of cybersecurity components in non-technical graduate programs across American civilian universities".
So long as the military doesn't have a crippling image problem regarding its activities and efforts in cyberspace*, it seems pretty natural to expect most Americans to look to the Pentagon as the most willing and capable actor in cyberspace. I don't like the idea of cyberspace becoming "militarized" any more than Ian Wallace and Thomas Rid, but if we don't want to assume the cyber-soldier and lay aside the cyber-citizen (to butcher a quote by a certain someone), then perhaps it's best to consider how DoD came to dominate the discussion about cyber security strategy in the first place.
* Obviously, this claim depends on how the Snowden affair affects one's perspective. But even Snowden is still complaining about the "indifference" of Americans to the NSA's efforts to "control" the Internet.
No comments:
Post a Comment