Experts Discuss How the U.S. Would Respond to a Cyber Attack
Over the last year, websites operated by the governments of Iran, Egypt and Tunisia, as well as corporations including PayPal, Sony, Mastercard and Visa, have all been taken down by hackers. A concerted cyber attack against targets in the United States could have serious consequences, experts agreed at a AAAS discussion.
The power grid in particular “is a very tempting target,” said John Steinbruner, professor of public policy at the University of Maryland and director of the Center of International and Security Studies at Maryland. “You can be very disruptive, in principle. And there are countries and people with reason to do it.”
He spoke at a public discussion titled “Cyber Attack: Crime, Terrorism, or National Security?”, the first of a four-part “Science and Society: Global Challenges” lecture series, held 3 October at AAAS. The series is sponsored by AAAS, Georgetown University’s Program on Science in the Public Interest, and the American Chemical Society.
“If you talk to people in the private sector, you will hear that they are regularly under attack, sometimes directly attacked, sometimes by viruses or worms that are out there, maybe by people searching, doing corporate espionage,” said moderator David Kestenbaum from National Public Radio’s Planet Money. Even President Obama, when he proposed a cyber-security czar, said that his presidential campaign had been hacked, Kestenbaum said, and recently, the Stuxnet worm changed “how a lot of people think about what can be accomplished with cyber-terrorism.”
The costs of cyber attacks range from $300 billion to $1 trillion annually according to “James,” who chose not to be identified further, given that those known to be working in cybersecurity have become personally targeted for cyberattack. One private organization James worked with lost a lot of their intellectual property (IP), potentially including innovations, designs, and trade secrets, to cyber-attackers most likely working for a foreign entity. “The only way they stayed in business prior to the attack was by being six months ahead of the competition,” he said. “That country just closed the gap in a matter of a few seconds by taking their IP.”
“You can debate how much it hurt national security,” James added, “but these things are happening. I don’t think we’ll ever be able to actually measure the impact of intellectual property that has left the continental U.S. from U.S. corporations due to cyber exfiltration.”
An attack on the power grid is “very plausible,” James concurred. “We buy just about all of our microelectronics offshore at this point,” he said. “Much of the software comes from offshore.” Moreover, university researchers have demonstrated how a cyber attacker could incorporate rogue circuitry in a chip or lines of code into equipment meant for applications in critical infrastructure with potentially crippling results, James said.
Currently, the cyber security situation in the U.S. largely utilizes commercial, off-the-shelf software, James said, meaning that our adversaries have access to that technology as well. “Right now we’ve got a system where everyone went down to Home Depot and bought a lock with a key but everyone has the same key and the same lock and it’s on everyone’s computer system and by the way, the adversary can go to Home Depot and buy that as well,” he said. “We need a system that has a different key for everyone’s lock. It’s what you’d kind of depend on for your home security.”
A more secure system may include digital watermarks—embedded information which verifies a user’s identity or authorization—and software that detects anomalies in a user’s behavior, James said, though such a system would not make breaking in impossible. “But if we can raise the bar high enough so it’s much more costly for them to do that exploit, then maybe they go to a ‘neighbor’s house’ instead of mine.”
Preventing cyber attacks is important, but Stewart Baker, author and former assistant secretary of policy for the U.S. Department of Homeland Security, argued that there also needs to be an
emphasis on prosecuting cyber criminals. “We wouldn’t have a lot of security in our home if people who wanted to break in were free to sit on our doorstep and just pick our lock while we sat at home until they could get in,” he said. “If the cops didn’t come by and bust them, they would get in.”
Baker, a partner at the law firm Steptoe and Johnson, said that the age of cyber attacks has a lot of similarities to the rise of air power preceding World War II, a time in which the rules of warfare dramatically changed as targeting of civilian populations became acceptable. A similar expansion in the scope of warfare now looms in the age of the Internet, he said.
“By the 1930s, everybody could see that the horrors of the trenches in World War I were going to be the horrors of the cities and women and children and families in World War II because the bombers would take the war to everybody’s home,” Baker said. “And there was real horror at that and an effort to negotiate solutions, to find a way out of it.”
Steinbruner argued for international cooperation in the fight for cyber security. “Enforcement has to be global, clearly, and we’re dealing with a global phenomenon,” he said. “The problem at the moment is that the three big players—the United States, China and Russia—are not talking to each other about it and accusing each other of malfeasance with some reason, and if you want a global rule that’s defended, those three, at a minimum, have got to buy into it and we don’t have such a thing as yet.”
Baker disagreed. “You don’t go into a negotiation with another country and say, ‘You know what I’m really scared of? You taking down my power grid. How about we agree that you won’t do that and I promise I won’t take down yours,’” he said. “They’ll say, ‘Well this is great. He’s really afraid I’m going to take down his power grid.’
“I’m not saying we can’t deal with them on anything, but we have to go in with our eyes open about where our advantages and theirs are and anytime you put it in the context of law, we’re at a disadvantage because we will enforce those rules strictly down to the platoon level,” Baker added. “And it’s not clear that anybody else will.”
Our adversaries “know our laws better than we do,” James added. “And they use them against us.”
Meanwhile, the anonymous nature of the internet makes it a challenge to attribute cyber attacks to a specific individual. “You’re going to need to say, you broke the rules, not someone broke the rules,” Kestenbaum said. “Rules only make sense in the context of being able to enforce them or find out who broke the rule.” However, the growth of cloud computing will lead to a decreasing anonymity on the internet, James said.
Baker expressed concerns that there is too much focus on which U.S. agency is responsible for providing defense from cyber attacks. “Really, we should start out with the question: How are we going to win? You know, what will it take to deter attackers, to beat attackers, to make sure that our attack is more effective than others? Once we have an idea of what that would look like, we can ask the lawyers to solve the problem and we can come up with new legal structures inside the U.S. for making sure that whoever needs to have that authority has it.”
The Obama administration debated launching a cyber attack against Libya’s air defenses, according to a recent report in The New York Times. Ultimately, the administration decided not to conduct a cyber offensive because of concerns about setting a precedent for other nations, mounting an attack on short notice, and the need for Congressional authority.
“I’m not saying that we should launch the attacks but we have to have an idea of how it turns out the way we would like it to turn out,” Baker said. “If we haven’t got that idea, we are completely at sea.”
Learn more about the AAAS Center for Science, Technology and Security Policy.
Learn more about the “Science & Society: Global Challenges” discussion series.