Sunday, June 12, 2011

Cyber War, Part 4

If not U.S. Cyber Command, then it must be Homeland Security's job to defend civilian infrastructure, right?  Richard A. Clarke writes "...Homeland has no current ability to defend the corporate cyberspace that makes most of the country work.  Neither does the Pentagon.  As [former NSA Director] Minihan puts it, 'Though it is called the 'Defense' Department, if called on to defend the U.S. Homeland from a cyber attack carried out by a foreign power, your half-trillion-dollar-a-year Defense Department would be useless.' ... "  The inescapable conclusion from reading Clarke's work is that nobody is defending civilian infrastructure other than the IT departments of large corporations, subject as they are to the vagaries of board politics, fiscal constraints, and infiltration by foreign agents and malware.  Another problem is that - as with the advent of nuclear weapons - policy development is trailing technology badly.  In other words, because cyber war is so new, there is a great temptation to "go first", precisely because the U.S. is more dependent on cyberspace than any other country in the world, and because in a cyber war you may quickly lose the ability to respond to an attack.  Some sort of Mutual Assured Destruction (MAD) policy, that which kept countries from nuking each other for the past 66 years, would seem to be in order.  Clarke writes "...we cannot deter other nations with our cyber weapons.  In fact, other nations are so undeterred that they are regularly hacking into our networks.  Nor are we likely to be deterred from doing things that might provoke others into making a major cyber attack.  Deterrence is only a potential, something that we might create in the mind of possible cyber attackers if (and it is a huge if) we got serious about deploying effective defenses for some key networks.  Since we have not even started to do that, deterrence theory, the sine qua non of strategic nuclear war prevention, plays no significant role in stopping cyber war today."