24 December 2016

America Is Not ‘The’ Cyber Super-Power, and That’s a Super Problem

By Richard Kelsey

The United States, not surprisingly, is a cyber super-power. We are not, however, the world’s leading cyber super-power. More accurately, we do not enjoy a significant edge or large gap in our capabilities relative to other nations. Our technical expertise is certainly as strong as any, but we do not have the man-power, brain-power, or organization of other cyber-warfare super-powers. We are not in the best position as a country to survive a strong, coordinated, cyber-attack against our critical infrastructure. 

The recent hot political news about cyber intrusions into the DNC, and alleged “hacking” by Russia or Russian sympathizers who were part of a purported coordinated effort to meddle in our election raise again the flags of our weaknesses. The “Russian Hacking” story is not unimportant, even if it is misleading, inconclusive, and dangerously political. Investigating foreign meddling in our election should be a non-partisan, bipartisan effort. 

Suggesting that the Russians “hacked” our elections is both irresponsible and grossly misleading, as it suggests to Americans that a state sponsored entity hacked in and changed votes. There is no evidence of that, and the misuse of certain terms like “election hack” for political purposes is a combination of ignorance and deliberate misinformation. The story, however, once again raises the issue of a fundamental weakness of our super-power country in a world where wars have been and will be fought in cyber space.

Ten years ago, I took over a small company that ultimately worked in cyber space, combating cyber-fraud, innovating defenses, and learning a great deal about sophisticated cyber-criminals. It was then I learned just how far behind our country was, and how exposed our critical infrastructure had become. Worse than that, I realized that our enemies were both state actors and loosely affiliated networks of highly-skilled, motivated, cyber-criminals capable of launching cyber-attacks to destabilize businesses, steal financial data, and even act as a pre-invasion force for ground combat troops.

How far behind are we in this struggle? One of the country’s largest cyber-defense firms just started to look at cyber-intel gathering and combining human intel with technology this past year. It is encouraging that the private sector, including major defense contractors, is now entering the space. Still, as a country, we are at great risk because of exposed infrastructure, our lack of cyber intel sharing, outdated systems, and our bureaucracy. The criminal networks that have been hacking our banks, card processors, retailers, and American consumers are smart, mobile, and always a step ahead. They rose from the ashes of the fallen Soviet Union, and they often have loose if not direct ties to state actors. They act with impunity, cover, encouragement, and support from foreign countries, and their sympathies are strongly anti-America. These groups are the militia men who know these cyber back trails better than we do, and they are called upon when needed to do jobs to which state actors can’t or don’t want to be tied.

State actors from China to Russia and from North Korea to Iran have sophisticated command and control, as well as outstanding technical capabilities. Some of these entities have been directly tied to infiltrating and stealing corporate and military secrets, acts that appear to be an essential part of a coordinated national policy. Others have directly attacked U.S.-based companies, like the Sony hack. 

Just as law enforcement, including the FBI and Secret Service have struggled to combat and stay ahead of cyber-criminals, so too have our other government agencies. The silo effect combined with bureaucratic pace and the rule of law make the U.S. a reactionary force. Turf wars, Intel protection and hoarding also decrease our cyber visibility. The DOD’s 2015 Cyber initiative was a good start, as far as it went. However, it is one silo. 

We need a national cyber-war strategy that includes all cyber stake-holders. Collectively, between DIA, NSA, CIA, FBI, DOD, the Secret Service, and the private sector, we have the resources and power to rise to the top of the cyber-warfare, super-power food-chain. We need a collective mission, a unified command, and unprecedented resource sharing. Likewise, we need a national commitment to investing in critical infrastructure protection and asset hardening. That’s a shovel ready project essential to national defense. We need our education system to continue to turn out cyber-warriors and to invest much more deeply in training and education. Americans are pouring into institutions of higher learning to pay as much as $40,000 a year for a degree in glass-blowing. We need homegrown, home-trained, technical experts. We need incentives for our colleges to help build out this critical need to attract and retain experts and students in cyber-related fields. 

Right now, universities are failing us in large number because they do not and cannot be directed to these growing cyber needs. Likewise, we are not as a nation properly incentivizing these institutions to change, which is essential to meet this market and national security imperative. We need our professional schools, from public policy to law schools to be on the front lines of cyber-related law and policy. With no national initiative or strategy, our policies are piecemeal and reactionary policies.

Even today, FBI, CIA, and the Director of National Intelligence are at odds about alleged Russian-backed hacking of political entities. It is time for a national initiative to grow our cyber capabilities. Senator McCain’s call for a committee to investigate this matter is a surprising and welcome development. We need a central command, a robust workforce, policy and law experts, hardened defenses, and the human capital to provide a cyber-warfare super-power gap like the strategic gap we built in our traditional fighting forces. The future of warfare and protecting American lives, intellectual property, and assets, resides in a strong, unified effort to modernize and lead on the front lines of cyber technology. We are a cyber power, but not “the” cyber super-power, and that’s a super problem.

Richard Kelsey is an attorney practicing with The Impresa Legal Group. A former Assistant Law School Dean and a former Virginia state court law clerk and commercial litigator, Kelsey was also the CEO of a technology company. He has previously taught legal writing and pre-trial practice. He is a regular commentator on legal and political issues in print, and on radio and TV. His opinions are his own, and do not represent any institution or entity.

No comments: