Should We Prepare for a Cyber War? A Response to Seymour Hersh
The following is a special guest post:
About two weeks ago, The New Yorker published Seymour Hersh’s article “The Online Threat: Should We be Worried About a Cyber War?” Reflecting on Hersh’s controversial views, which question the legitimacy of the national – indeed global – response to the cybersecurity threat, I recognized an incongruent juxtaposition of my own conclusions from my direct participation in this global effort versus Hersh’s conclusions. Because I believe Hersh’s views, extolled in a national publication, are both wrong and destructive, I am offering my observations and conclusions as a counterbalance.
In 2005, while participating in a planning event for the first-ever BULWARK DEFENDER Exercise – a Department of Defense exercise designed to test the military’s preparedness against cyber attack – a lively debate ensued between military attorneys, senior civilians and military planners. There was considerable disagreement concerning military authorities and permissible response actions to defend against such an attack. A persistent theme of the dialogue centered on the frequency with which attacks could not be attributed – that is, the inability to identify the source responsible for launching or sponsoring the attack. Under the prevailing nation-state sovereignty rubric of international law, such attribution is widely regarded as a condition precedent to invocation of self-defense principles.
Other legal issues also emerged, such as whether a cyber incident amounted to an “armed attack” – the critical factual trigger for self-defense authority. There was also debate over whether the Department of Defense was even authorized to respond to a domestic cyber incident, and if so what amount of harm and national security nexus were required. The most common cyber threats in 2005 were denial of service attacks, network intrusions, and data extraction from sensitive networks. Against this cyber incident factual background, an espionage analogy emerged: espionage had occurred throughout the history of the Nation with no perceived necessity or authority for a military response to espionage threats. Accordingly, some asserted a military response was equally inappropriate in response to the standard fare of cyber threats in 2005.
Since 2005, the world has witnessed a tangible change in the known risks from cyberspace, which have morphed from hypothetical to actual. Indeed, the security posture of a nation has now actually been threatened from cyberspace. In 2007, hackers attacked the vestiges of government legitimacy and economic viability in Estonia – occurring at a time of increased tension between Estonia and Russia. Georgia’s critical communications and other key resources were disabled in 2008 in concert with a Russian armed attack on Georgia. More recently, the highly sophisticated worm Stuxnet – widely reported as produced by a nation – targeted industrial control systems associated with the nuclear industry in Iran. And, just a week ago, the entire country of Myanmar was knocked offline just as the nation’s elections were to start.
This all indicates that we are in an era when cybersecurity threats pose a genuine national and economic security threat to the nation. Unlike espionage, the nature of this threat justifies the implementation of comprehensive risk mitigation strategies. It is equally imperative, however, that such plans ensure protection of core American values so that security will not trump liberty. Rational observers surely cannot doubt the documented incidents that have already occurred. Nor should anyone fail to recognize the lessons from all the cybersecurity challenges emerging daily: cyberspace can be used either as a direct vector to deliver an attack, or as a supporting vector – disabling first responses – to deliver a conventional attack. Notwithstanding the growing severity of incidents and their implications, in some important and influential corners of society, the Doubting Thomas continues to question the Government’s response to threats from cyberspace.
The article posits the thesis that “cyber war” is nothing more than a Defense Department and defense industry ploy to trump up fear about threats from cyberspace in order to bolster increased defense spending during a period of feared spending cuts. In truth, the author engages in a little fear-mongering himself by conjuring images of Eisenhower’s “Defense Industrial Complex” message with Hersh’s characterization of a new “military-cyber complex”. He also implies that former senior government officials who now have government consulting businesses are over-inflating cybersecurity risks to benefit their businesses. Indeed, in one cited instance, Hersh implies the government influence extended to the former official’s Senate testimony, stating that his firm received a lucrative defense contract shortly after his testimony. The implication that the former official compromised his integrity under oath is wholly unsupported in the article, and therefore is unjustified.
Hersh further writes:
“American intelligence and security officials for the most part agree that the Chinese military, or, for that matter, an independent hacker, is theoretically capable of creating a degree of chaos inside America. But I was told by military, technical, and intelligence experts that these fears have been exaggerated, and are based on a fundamental confusion between cyber espionage and cyber war.”
Hersh repeatedly references sources inside government, but he fails to offer competing views or explain whether the sources’ views are themselves extreme. Indeed, Hersh overtly states that “[B]lurring the distinction between cyber war and cyber espionage has been profitable for defense contractors…” There can be little confusion over Hersh’s intended purpose for the article: to cast doubt over the legitimacy of the threats from cyberspace.
Later in the article, Hersh offers some insightful comments, quoting some recognized cybersecurity leaders. He offers some discussion regarding whether America’s core strategic interest is associated with defense or economic competitiveness. Certainly that is a worthwhile topic for discussion and debate. What Hersh misunderstands, however, is that risk mitigation entails planning for two scenarios: the most likely scenario, and the most deadly scenario. The military must necessarily plan for both. And, it does a disservice to society to minimize or sensationalize all the efforts that are needed in society and government to create effective security frameworks using a public-private partnership model that the country has never implemented on the scale needed in a post-9/11 environment.
Hersh also offers a legitimate critique of the role of the National Security Agency in the emerging cybersecurity plans of the Federal Government. However, his message is lost in his ad hominem attacks and rhetoric – such as noting that the NSA facility that houses some cybersecurity capability, FANX, is known as “Friendship annex”. This new global threat and America’s response strategy require serious debate, not glib references that might appeal to a reader’s emotion rather than to his intellect.
Reading The New Yorker article, I became frustrated that a large and reputable media outlet was oversimplifying an extremely complex and critical issue. The ascendance of the Internet has presented society with a revolutionary, complex societal challenge – one that poses grave threats to civil society, government and business interests. A mobilization of “Cyber Citizenship” responsibility among all Internet users is needed – as users have become increasingly targeted. The comprehensive risk mitigation response called for necessitates societal awareness of the threat and of individual responsibility as first steps toward cultural modifications to society’s interaction with the Internet. Yet, Hersh undermines this central “Cyber Citizenship” approach by raising questions about the legitimacy of the cyber threat.
Since 2005, the Federal Government has taken many steps to address the issues we debated at BULWARK DEFENDER planning in 2005. The Government has improved interagency authorities and coordination through promulgation of the CNCI program under NSPD-54/HSPD-23, issuance of the White House 60-day Cyberspace Policy Review, creation of the White House Cybersecurity Coordinator, and a host of initiatives at multiple federal departments. While these improvements are welcome, there is much work to be done. Indeed, many of the central points debated in 2005 remain: the proper role of government, assessing attribution for purposes of application of the Law of War and international law, and privacy considerations. What is no longer a legitimate point for debate, however, is whether cyberspace poses a threat that might rightfully be called “cyberwar,” and whether the Government has a core responsibility to plan for it. Whether the term “cyberwar” itself is objectionable is beside the point. Threats from cyberspace pose serious risks to society, government and economic interests. The media, sometimes referred to as the “Fourth Branch of Government”, should more studiously approach this challenge, and use its impressive resources to help society address the changes that are afoot.
Doug DePeppe is a cybersecurity attorney, having advised Army cyberspace operations, the National Cyber Security Division, and US-CERT. He now advises both commercial and government clients concerning cybersecurity legal risks, governance and public-private partnerships.