Should We Prepare for a Cyber War? A Response to Seymour Hersch

You may also like...

6 Responses

  1. Adam says:

    While I too think Hersch’s tone is regrettable, a charitable reading of his arguments presents issues that Mr. DePeppe chooses to avoid. First, Mr. DePeppe trots out the often invoked instances of hacks against Eastern European states involved in diplomatic conflicts with Russia. What he leaves out, however, is the nature of these hacks, which, I submit, are crucially important given Mr. DePeppe’s acknowledgment in this article that some attacks are not serious national security threats. The attacks on Estonian government websites were just the kind of denial of service attacks along with some hacks that redirected visitors to sites expressing an anti-Estonian or even a false message about the location of a statue. While these websites are extensions of the government in a loose sense, they are not an extension of the government’s sovereignty or national security interest. I hope Estonia doesn’t record its troop movements on its public access servers of course. Similarly, the Russian attack on Georgia in 2008 is improperly characterized in this post. Hacking Georgian websites to portray information comparing Georgian leaders to Adolf Hitler or denial of service attacks did not affect Georgia’s inability to provide for its national security during the South Ossetia crisis. Not only was the Georgia hack the work of Russian nationalists acting privately, not the Russian government, it in no way attempted to assist Russia’s military. If Mr. DePeppe is suggesting that national security is weakend by such attacks, he must present some justification for how that would occur divorced from those attacks which gather information in a traditional espionage activity.

    It is most telling that this article starts with an exercise in which Mr. DePeppe and others assumed particularly bad outcomes resulting from hacks without any discussion of what outcomes fall into the realm of possibility. We could prepare for all nuclear weapons to launch because they are connected to computers which may be exposed to flash-drive based viruses like Stuxnet that could have a heretofore unseen characteristic of being able to allow people set a timer for doomsday that can’t be overridden without Dennis Nedry’s “white rabbit” backdoor password, but that layers speculation upon speculation. What we know is possible now lies far more in the realm of espionage than military attack.

    I’ll also admit that Hersch resorts to ad hominem attacks that have no bearing on the truth of the issue. But ad hominem attacks do call into question the authority of people who make claims premised upon that authority. And if individuals make significant profits from advocating particularly extreme, absolutely unheard of, and supremely unlikely hacks against the United States, that calls into question their position. It does not independently prove the opposite position but it does weaken the impact of the advocacy which the opposite position seeks to rebut. Taken alone, an ad hominem attack on the authority which is used as the premise for a claim is not sufficient to undermine an argument. But it is probative if the ad hominem attack actually relates to how much trust should be placed in an authority figure.

    I don’t dispute that intelligent people do work on these issues and do bring their considerable intellect to bear in their deliberations. But it is akin to arguing that coming up with a strategy guide for getting the top score at SimCity is a good use of time for HUD and other federal agencies. Cyberwar is preposterous without a showing of a real-world effect. That real world effect must involve the kinds of rights/interests/privileges/etc. that exist sans Internet. If someone creates a virus that allows them to blow up my computer when I’m sitting in front of it thereby clearing the way for them to challenge John McClain to a macho duel, then Mr. DePeppe has a reason to spend his time doing this kind of work. Otherwise, if viruses keep stealing information alone in the name of small-scale fraud against private individuals, Mr. DePeppe’s paean to the Cassandras of cyberwar will remain hollow.

  2. Logan says:

    Not that your necessarily wrong in your argument but given your job seems to depend on there being a substational cyber threat, I find it funny that your complaining about Hersch’s assertation that the threat isn’t as large as some might argue. Not to mention you also oversimplfy the same topic but come to a different conclusion. If you really want to debate the on the exact nature of cyberthreats and what we should do about them, how about getting another symposium going so both sides can be fairly heard because neither has been as of yet.

  3. Frank Pasquale says:

    I think a critical cyberthreat comes from global finance. Mike McConnell has recognized this, and the Pentagon has already “war gamed” various scenarios involving unconstrained global capital flows. (See, for instance, the March 17, 2009 exercise at the Johns Hopkins University Warfare Analysis Laboaratory.) If traceable and clear financial flows could (as demosntrated in this exercise) seriously undermine US economic activity, imagine what unattributed algorithms and other surreptitious manipulation of flash trading could do.

    By the way, amazingly enough, the head of the SEC was on cable news shying away from the idea that the agency would want to have full attribution for all algorithms in electronic trading markets. Given that Jack Goldsmith has called the attribution problem one of the most critical ones for cybersecurity, this was disappointing to say the least.

    Given the global resistance to QE2, many actors will probably be eager to engage in a kind of “financial warfare” against the US…an area of force we have pioneered (see Virtually all modern finance is computerized and internet enabled. Whereas a utility can in principle be “taken off the grid,” we can’t relocate finance decisions to real space.

    Finally, I would like to note the “politics” of the issue. The ACLU and liberals generally have protested “militarizing” the internet. I also worry about this, but I think massive surveillance is just a matter of time. Given that reality, we need to rechannel privacy advocacy toward an equality of (non)privacy before the law. Nancy D. Edwards once wrote that “Drug testing in nontherapeutic settings will remain and unfair and unjust ‘new surveillance’ scheme until the day when the poor begin drug testing the rich.” I would add that cybersurveillance of average people should only go ahead once the activities of those who can wreck economies with hot capital flows are under constant monitoring.

    @Logan: I’d be up for another symposium.

  4. Jason W. says:

    Hersh. Seriously.

  5. Hersh’s article is levelheaded, fair, and quite perceptive both about the nature of recent hacking and computer espionage issues, and about the difficulties of fitting them into a “warfare” frame (as opposed to an existing “computer security” frame or some new model yet to be invented). Doug, you disagree with him about his overall argument and about his interpretation of some of the evidence. Fair enough; this is a difficult subject where the policy answers are far from clear. Smart people can and do disagree here.

    That said, I am troubled by the tone of this post. You assert that Hersh’s views are out of the mainstream, that no rational person could disagree with your assessment of the situation, that Hersh’s article is biased and makes ad hominem attacks, that the article is destructive, and that Hersh is undermining responsible citizenship just by asking questions. These allegations, especially taken together, attempt to shut down the debate by portraying Hersh’s views as so extreme that they’re not acceptable for responsible people to hold. In areas of uncertain policy, though, we need as robust a debate as possible.

    I am disappointed that Concurring Opinions lent its space to a post so out of step with the academic ideals of open exchange and respect for other points of view. Who invited this “special guest?”

  6. Doug DePeppe says:

    In response to some comments here, my purpose was to criticize Hersch’s narrow focus on cyberwar as emblematic of society’s failure to appreciate the true nature of cyberspace-borne threats. The post’s title unfortunately conveyed a perception that I was primarily focused on the legitimacy of cyberwar, but my larger premise is that cyberspace threats are fundamentally changing traditional notions of security and societal roles in security – yet society does not sufficiently understand or appreciate the changes afoot. The prospect of cyberwar is just one component of the changed dynamic. In my judgment, Hersch’s article failed to understand the core issue, and instead took up and trivialized the risk of cyberwar in a way that further complicates the need to educate society.

    Contrary to Hersch’s view that cyberwar has been trumped up and over-hyped, I believe greater exposure should be devoted to raising awareness of the changed nature of the Internet. The potential of cyberwar should be part of a broader discussion. Unfortunately, some say – as did Hersch – that the very notion of cyberwar is a baseless agenda promoted by parties having vested interests in increasing government spending. Indeed some questioned the motivation for the post; yet, my ‘call to arms’ comes from many angles – professional interests, academia, and the nonprofit perspective (I have ties to all three). So, other than perhaps penning a different title for the post, it’s entirely appropriate to criticize the content of Hersch’s failings in his article. And, to those suggesting a symposium to get at the hard issues – you are spot on. The threats posed from cyberspace are like none other ever faced by society, with harmful risks to governments, industry, and individuals alike.

    Did you know that: the biggest “cloud” on the Internet is not owned by Amazon, or Ebay, or Google – it’s actually controlled by organized hackers; botnets possess more bandwidth and computing power than any other online presence; China (and other nations) possess cyber warfare units; China’s national strategy reportedly involves the use of asymmetric methodologies to challenge the United States economically and militarily; and, in just one foreign scheme – disclosed as the US counter-operation code-named “Titan Rain”- more terabytes of data than exist in the Library of Congress were exfiltrated to foreign servers?

    To some, these facts simply underscore the point that the threat is espionage and national economic security-related. Perhaps. Yet, keep in mind that “asymmetric” in the cyber realm refers to nonlinear strategies. In my post, I referred to the use of the Internet in warfare either as a direct attack, or as a supporting attack. During the 1973 Yom Kippur War, Israeli drones were used as decoys to “light up” Syrian air defenses, so that air forces could locate and target those defenses, successfully destroying Syria’s air defense network. A similar strategy using cyberspace could have any number of strategic effects during war or terrorism – the only limit is the creative capacity of an aggressor. So, the point is that while one might argue whether the current use of cyberspace should be considered cyberwar or not, creative planning by combatants and terrorists presents a serious threat to national security. The semantics of what we call the threat is beside the point.

    Calling out Seymour Hersch for misunderstanding the core issue hardly squelches debate. The media, academia, nonprofits and government have a responsibility for addressing the hard issues of the Internet Age: like whether the Westphalian international legal order fits the borderless age of the Internet; and, whether a universality principle should be invoked to protect the Internet rather than fighting the impossible battle of attribution in a framework where the sovereignty principle reigns. The list goes on.