On 16 May 2012 I attended, with Alex Olesker and defense contractor Robert Caruso the Atlantic Council/Cyber Conflict Studies Association’s event “Lessons From Our Cyber Past: The First Cyber Cops.” Jason Healey of ACUS/CCSA moderated a discussion between the ODNI’s Steven R. Chabinsky, Crowdstrike President Shawn Henry, the State Department’s Christopher Painter. Alex has already written a wonderful summary of the event itself, but I’d like to add a different angle.
Cybersecurity is a field very much focused on the future. That’s unsurprising–the technology is improving by leaps and bounds, and the tech community as a whole makes a living by predicting and creating the future as we know it. I wouldn’t have it any other way. We should be focused on future threats and opportunities. But future-centrism has a cost. First, we can succumb to the problem of “presentism” by extrapolating the present to the future without consideration of the often disruptive breaks in history. Second, we can also have a “everything is new” attitude that blinds us to useful information and experiences from the past.
For example, why do so many cybersecurity and information warfare discussions ignore the Cuckoo’s Egg case? And Gregory Rattray has also observed that cyberpower theory has mirrored some of airpower theory’s problematic assumptions about the vulnerability of industrial complex architectures to cascading destruction. Finally, Samuel Liles has traced the evolution of cyber approaches from the invention of the telegraph (!).
That’s why what Jason Healey is doing with his cyber conflict history project and event series is so important. Healey is making a conscious effort to capture the lessons of the last 30 years (yes, there was cybercrime before the Facebook era) and make them available for future network defenders, policy analysts, and laymen. Moreover, cyber history also can help the analyst draw connections that might not seem readily obvious. As Alex points out, a look at cyber history also yields some meatspace parallels:
The similarities and overlaps between cyber and physical crime also mean that many solutions are the same as for any crime wave. Much of cybersecurity focuses on reducing vulnerabilities, but as in the case of burglary, simply locking your door isn’t enough to deter burglars, you also have to catch and punish the criminals. To do so, law enforcement faces the age old problem of getting victims to talk to the police. Just as many crimes in bad neighborhoods go unreported for fear of retaliation, a reputation as a snitch, and getting into deeper trouble with the law, many companies fear working with law enforcement due to the stigma surrounding getting hacked and fears that the investigation will only make things worse by confiscating servers or hampering recover.
Being an Angeleno transplanted to DC, I’d also add another interesting parallel: the problematic status of law enforcement in maintaining order. The federal government and its law enforcement functions, on one hand, is responsible for a sizable aspect of cyber defense. But just like in certain “bad neighborhoods,” the presence of the government is very thin and defense is privatized. There is also lot of suspicion of the government among many “residents” of the neighborhood, some of which take to defacing the odd government billboard or two. As noted in the briefing, the government’s power came to be seen as more legitimate—especially once the hacking shifted from the Kevin Mitnicks of the world to politically motivated hackers and Advanced Persistent Pandas…cough cough…Threats.
One interesting subject, covered to some extent in the briefing, is the tension between evolving law enforcement approaches and national security imperatives. While much of cybersecurity deals with crime, the international nature of many criminals as well as the growing involvement of foreign intelligence organizations and proxies created a wedge between law enforcement approaches and national security decisions. Law enforcement does have a role to play in national security (the FBI does counterintelligence, for example) but the divide certainly exists. I’m hoping to see more of this in future briefings, although I’m sadly going to miss part of the Estonia event.