…we’re sure as heck going to spend billions of dollars and set up a military command to deal with it! That is, in short, the state of cybersecurity policy in the United States at the moment.
Yesterday marked and important event in the ongoing debate over possible threats to cybersecurity and appropriate responses to those threats. Lt. Gen. Keith Alexander, the Obama administration’s pick to head the newly-created U.S. Cyber Command, had his confirmation hearing in front of the Senate Armed Services Committee. Though I will likely say more about the hearing as I work through the transcript and continue to read other folks’ analysis, for now I’d like to return to those old definitional and ontological issues that so many seem to want to avoid: What is cyberwar? Does it exist?
Though some cybersecurity experts have thought these questions are “bullshit,” a mere distraction when “the time now is for action,” at least one Senator, Mark Udall, thought that the prospective commander of an organization tasked with conducting cyberwar should have answers to these questions. So Udall asked Alexander, “Do you think that a cyber war can exist? Can you define it?” Though Alexander did not define cyberwar, he did say that “I do think a cyber war could exist. I believe it would not exist in and of itself, but as part of a larger military campaign.” So, whatever cyberwar is, Alexander believes that it could exist–implying that it does not exist right now. (This was likely news to Senator John McCain, who said at the hearing that we need to be “taking effective measures in this new cyberwar that we are in.”)
Udall’s question was inspired by recent statements by the White House “cybersecurity czar,” Howard Schmidt, who Udall quoted as saying, “A cyber war is just something that we can’t define. I don’t even know how a cyber war would benefit anybody. Everybody would cease. There’s no win-lose in the cyber realm today. It affects everybody. It affects businesses. It affects government. So, number one, there’s no value in having one.” Of course, several weeks earlier, Schmitt made waves by claiming that “There is no cyberwar.“ Again, there’s nothing but confusion and ambiguity here. Schmidt doesn’t know how to define it, but he’s sure it doesn’t exist, but also that if did exist “everybody would cease.” Now maybe that bit about everybody ceasing was just sloppy language, but there are certainly others who have seriously claimed that cyberwar could lead to the end of civilization, could post an actual existential threat on par with WMD, including Gen. Wesley Clark (ret.) and the FBI. Is Schmidt in that camp?
Earlier this week, on April 13, another White House cybersecurity adviser claimed that “transnational cybercrime, such as thefts of credit-card numbers and corporate secrets, is a far more serious concern than ‘cyberwar’ attacks against critical infrastructure such as the electricity grid.” This focus on crime, theft, intellectual property, and economic issues is consistent with the President’s Cyberspace Policy Review and his statements about cybersecurity, both of which have put informational, criminal, and economic issues front and center as the main objects of the cybersecurity threat. In turn, White House policy is consistent with the a CSIS report that was influential in shaping the Cyberspace Policy Review. The CSIS report clearly signaled that the most serious object of the cybersecurity threat was “informational” rather than infrastructural. Referring to previous policy work on the cybersecurity threat, in particular work during the latter years of the Clinton administration, the report stated that “we expected damage from cyber attacks to be physical (opened floodgates, crashing airplanes) when it was actually informational” (12). Thus, the threat to private intellectual property and economic competitiveness is most prominent among the threats identified in the report.
Neither collectively, nor individually, have the top officials who are responsible for devising policy responses to the supposed threat of cyberwar been able to adequately define what it is or whether it even exists. And if we take White House statements as most authoritative on the matter, then cyberwar officially doesn’t exist at all, or is primarily about intellectual property, crime, and economic competitiveness. And for that we are creating a military command with an offensive mission?
Now is not “the time for action” if that action is going to continue to be based on such ambiguous articulations of the cybersecurity threat. Rather, now is the time to redouble efforts to answer Senator Udall’s fundamental questions about just what problem it is we’re trying to solve and whether or not that problem even exists. Not doing so is what is “bullshit.” (In a future post, I will have some more ideas about how and how not to do that.)