The final portion of the Cyber Statecraft Initiative‘s and the Cyber Conflict Studies Association‘s ”Addressing Cyber Instability” event was a panel discussion and question and answer session. The panel included Greg Rattray, CEO of Delta Risk and former Commander of the Operations Group of the Air Force Information Warfare Center, Kris Martel, Senior Cybersecurity Architect at Intelligent Decisions, Michael Mulville, Client Solutions Executive at Cisco Systems, and Jason Healey, director of the Cyber Statecraft Initiative, as the moderator.
Martel began by addressing the growing trend of hacktivism. Hacktivism is different from regular cyber crime as the goal is to penetrate governments and organizations to “teach them a lesson” and, with this different motive, can be more difficult to combat as well. As hacktivist groups are ideologically motivated, organizations are afraid to fight them or strike back and incite retribution. Hacktivist groups also tend to be part of a movement rather than an organization and hence do not have leaders to target but you can’t go after everyone in, for example, Anonymous. When asked how governments and organizations can reach out to Hacktivists rather than trying to fight them, he suggested giving them a chance to express themselves in order to bring them over to our side. Martel thought more freedom and creativity would benefit cybersecurity as a whole. For resiliency, he suggested education focusing on the solutions we want tomorrow rather than what we have now, starting young, and giving students the freedom to innovate. Martel also saw the rise of cloud computing as an opportunity to get cybersecurity right by “baking security into the cloud” rather than adding it as an afterthought like we did for the Internet. Another trend Martel noted was significant for security was Bring Your Own Device.
Mulville reiterated one of the themes of the events, that deterrence is essentially void in cyberspace. Many agencies don’t even know what it is they hope to deter as they are not sure what is happening on their networks until days or weeks later. Achieving deterrence would require a sweeping change of approach as cybersecurity faces organizational, not simply technical, problems. At this point, we’ve been trying to solve the same problems for so long that we’re faced with diminishing returns and need to try new strategies.
Rattray confirmed the sorry state of national cybersecurity. He recalled how two senior Federal Bureau of Investigation officials had told him that the problem only got worse under their watch, He also continued with the theme of the difficulty of deterrence in cyberspace, noting that the risk of losing deterrence by not acting is smaller than the risk of miscalculating a response and hitting an innocent party due to flawed attribution and containment or violating fledgling norms and laws. Rattray also corrected some misconceptions about cyber deterrence. Though cyber weapons are often shrouded in mystery, we do have a fairly good idea of other nations’ capabilities and they understand ours. Also, cyber espionage is not a deterrence problem, it’s an espionage problem like physical spying.
Jay Healey discussed the idea of cyber war. While we are not at cyber war, as that would mean we could take kinetic action to kill attackers, Stuxnet crossed more than one rubicon. Aside from being the first cyber weapon with important kinetic effects, it was also the first truly autonomous weapon as it did not need to check back at any point. Using Stuxnet was a huge decision that required more transparency. It also weakened norms in cyberspace, as it is harder for the United States to say China can’t engage in cyber espionage while we launch cyber attacks. As cyberspace is unstable, there’s an advantage to attacking early, especially as offense has the advantage in cyber. With regards to measures meant to increase stability and security at the price of privacy, Healey noted that most of the currently discussed solutions are the ones that least affect privacy and are the low-hanging fruit of cybersecurity.