Cyber-Liberty Depends on Cyber-Security

My colleagues at the Fraser Institute have just published a report examining the issue of cyber-security from an underappreciated but crucial perspective, namely, the importance of cyber-security to liberty.

We all know the Internet was designed not with security in mind, but rather openness and the free flow of information. This has been beneficial for liberty. The no-barrier, global, connected nature of the Internet has brought unprecedented levels of information and commercial exchange, contributed enormous gains to individual prosperity, empowered individuals, bypassed governments, and promoted and expanded individual freedom. Only in recent years have people, businesses, industries, and governments come to recognize the importance of protecting this critical sphere of activity on which so much liberty, property, prosperity and security depends.

“Without a robust level of security,” reads the report, “the benefits of the extended liberty provided by the Internet would dry up.”

Just consider some of the economic costs of cyber-espionage and other forms of cyber-attack:

  • A 2014 study conducted by the Center for Strategic and International Studies (CSIS) on behalf of McAfee estimates the global costs of “malicious activity” at between $375 billion and $575 billion. To be sure, the CSIS estimate is imprecise. However, it does provide a sense of how this ungoverned zone of commerce, communications and collaboration is being exploited by bad actors to pursue nefarious ends.
  • Some 431 million people are victimized in cyberspace per year, and cyber-crime represents an economy “larger than the global black market for marijuana, cocaine, and heroin combined,” according to a report from the Canadian Defence and Foreign Affairs Institute.
  • It costs an average of some $600,000 per firm to respond to each cyber-security breach.
  • Pointing to figures produced by the Commerce Department’s International Trade Administration that extrapolate export values into U.S. jobs, CSIS concludes that the high-end estimate of $100 billion in U.S. losses from cyber-espionage “would translate into 508,000 lost jobs… roughly a third of a percent decrease in employment.”
  • According to Gen. Keith Alexander, former commander of U.S. Cyber Command, 162 of 168 Fortune 500 companies surveyed report being victimized by cyber-attacks of some sort. But the scope and scale of the danger are much worse. In fact, “They’re the ones that know they’re being hacked... there are more than a hundred companies for every one that knows they’ve been hacked that don’t know they’ve been hacked.” In 2013, the U.S. government notified more than 3,000 companies -- many of them defense contractors -- that their computer networks/systems had been compromised.

That brings us to the national-security costs and risks associated with cyberspace.

In what has been called “Web War I,” Russian-orchestrated cyber-assaults essentially cut off NATO member Estonia from the digital world in 2007. Russia employed cyber-attacks to augment kinetic military operations against Georgia in 2008 and Ukraine in 2014. And Russia has conducted sophisticated cyber-espionage and intrusion into Western energy firms.

Iran’s Shamoon computer virus destroyed data on 30,000 computers linked to the Saudi oil industry.

North Korea’s “DarkSeoul” attacks wiped clean the master boot records (MBRs) of 32,000 computers at South Korea’s largest banks and broadcasting companies. Worse, as McAfee reported in 2013, the attacks “were actually the conclusion of a covert espionage campaign” aimed at military networks and military units in South Korea. “The true intention of the DarkSeoul adversaries,” according to McAfee, was “to spy on and disrupt South Korea’s military and government activities.”

And then there’s China. According to a study conducted for the U.S.-China Economic and Security Review Commission, China’s use of “computer network exploitation activities to support espionage has opened rich veins of previously inaccessible information that can be mined both in support of national-security concerns and, more significantly, for national economic development.”

In 2013, information-security firm Mandiant pointed to “an army unit in China” as the source of these attacks. The Mandiant report details a cyber-campaign that has “penetrated the networks of at least 141 organizations.” The report concludes that a cyber-force within the People’s Liberation Army (PLA) known as “Unit 61398” is conducting “extensive” computer network operations. For example:

  • In a 2007 case, some 1,500 Pentagon computers were compromised by Chinese cyber-attacks.
  • Beijing has used cyber-attacks to infiltrate subcontracting firms and systems related to the development of the Joint Strike Fighter and C-17 Globemaster.
  • Beijing exploited cyberspace to steal “user credentials” for more than 150 NASA employees and gain “full functional control over networks at the Jet Propulsion Laboratory,” according to an investigation conducted by the U.S.-China Economic and Security Review Commission.
  • Unit 61398 launched “spearphishing” attacks -- a tactic using email that appears to be from a trusted source to gain access to a target’s computer -- against Westinghouse Electric, Alcoa, Allegheny Technologies Incorporated, U.S. Steel, the United Steelworkers Union, and SolarWorld.

Another concern with Chinese cyber-attacks stems from the close relationship between the central government and China’s many state-owned enterprises. For example, some U.S. officials suspect telecommunications giant Huawei of placing a “bug, beacon or backdoor” into critical systems that could allow for “a catastrophic and devastating domino effect… throughout our networks,” as one congressman told Foreign Policy magazine. Hence, U.S. officials have tried to dissuade American firms in the defense and telecommunications arenas from contracting with Huawei. In 2011, for instance, Washington blocked Huawei from building a wireless network for emergency responders, and in 2013, Washington urged South Korea to exclude Huawei from participating in a wireless-network project.

Cyber-Defense

The concepts of deterrence, military-to-military signaling, arms control, and non-proliferation as developed in the kinetic, conventional, and nuclear realms are not easily transferred to the cyber-theater.

Yet some military officials are urging policymakers to move in that direction. “Our adversaries seek to operate from behind technical, legal and international screens as they execute their costly attacks,” argues Gen. James Cartwright, former vice-chairman of the Joint Chiefs of Staff. “If we apply the principles of warfare to the cyber domain, as we do to sea, air and land, we realize the defense of the nation is better served by capabilities enabling us to take the fight to our adversaries, when necessary to deter actions detrimental to our interests.” Toward that end, Cartwright has even suggested that Washington may have “to do something that’s illustrative” in order to communicate U.S. seriousness.

To assist the warfighters in their deterrence mission, it may be helpful for policymakers to let it be known that the U.S. would view a cyber-attack on critical infrastructure in the same way as a traditional military attack. It’s worth noting that Russian military officials have argued that “the use of information warfare against Russia or its armed forces will categorically not be considered a non-military phase of a conflict, whether there were casualties or not.”

But because deterrence may not translate to cyberspace -- and the line separating the virtual world of code from the real world of blood remains blurry -- resilience is key.

“The operational concept best suited for cyber-security per se is resiliency,” says the Fraser report. “Given that the nature of cyber-attacks is still evolving and that attackers increasingly use third and fourth parties to channel their attacks, and thus create false leads, deterrence is more difficult… A better defence is the ability to sustain one or more cyber-attacks and to be able to counter and restore defensive capacity.”

This appears to be the path NATO has chosen. NATO’s 2011 cyber policy, for instance, focuses on “prevention, resilience and defense of critical cyber assets.”

How to detect, withstand, recover from and, if possible, stop illegitimate activity in cyberspace while protecting legitimate activity -- all without compromising the Internet’s open character -- is the challenge. According to the Fraser report, “Overemphasizing security can restrict freedom and stifle entrepreneurial potential… Conversely, cyber-liberty without an appreciation of cyber-security presents rising commercial and governmental costs as well as unacceptable threats to national security.” The choice is not only liberty or only security. Liberal democracies must aim for both.

Among the recommendations urged by the report:

  • recognition of the need for security and hence a continuing role for national governments in securing cyberspace, just as they play a role in securing airspace and seaspace;
  • recognition that the sprawling nature of cyberspace, outsize reach of cyber-actors, and fluidity between defensive and offensive actions in cyber-security make difficult the application of traditional forms of deterrence;
  • recognition that cyber-security is best understood as gaining and maintaining maximum overall resiliency; and
  • recognition in Washington and among America’s closest allies (Canada, Britain, Australia, Japan, Israel, etc.) of the benefits each derives from deepening and widening cyber-security cooperation.

Long before there was such a thing as cyberspace, Adam Smith, the father of free-market economics, noted that “the first duty of the sovereign” is to protect society from “violence and invasion.” What serves as the launching pad for violence or invasion -- land, sea, sky, space or cyberspace -- diminishes neither the danger nor the sovereign’s duty to confront it.

Alan W. Dowd is a senior fellow with the Fraser Institute.
