From the recent September/October 2010 issue of Foreign Affairs – William Lyn U.S. Deputy Secretary of Defense writes about defending a new domain.
The long, eloquently phrased article, demonstrates that the US has fundamental flaws in it’s strategic thinking about fighting terror:
Predicting cyberattacks is also proving difficult, especially since both state and nonstate actors pose threats…..Given these circumstances, deterrence will necessarily be based more on denying any benefit to attackers than on imposing costs through retaliation.
And in summary:
“The principal elements of that strategy are to develop an organizational construct for training, equipping, and commanding cyberdefense forces …to build collective defenses with U.S. allies; and to invest in the rapid development of additional cyberdefense capabilities. The goal of this strategy is to make cyberspace safe…”
It is unfortunate that a politruk has so much influence on US cyber security.
The US and European governments consistently adopt strategic policies that were obsolete years before they came into office.
Just as the Obama administration is crippled by flawed assumptions about the regional balance of power in the Middle East, Washington still sees security as an exercise in organizational constructs, inter-agency collaboration and better defenses and pats itself on the back for recognizing that there is a new domain of threats….when the Internet was invented 20 years ago.
Lyn’s laundry lists of strategic objectives phrased in politically-correct corporate-speak are the wrong answer for improving cyber-security. When Lynn himself, speaks extensively about the need for speed and flexibility, the answer cannot be more government-funded monolithic, bureaucracies.
The private – public partnership is particularly problematic in my view. The really smart people in security technologies are at small startups – not at Raytheon and Symantec and all the other big corporates that have enough lobbyist resources to line up and eat pork from the Federal plate. And – why – if I may challenge some conventional wisdoms – should companies like Symantec be allowed to influence US cyber defenses when they have done an abysmal job protecting civilian networks and digital assets? And – why- should Microsoft be part of the solution when they are part of the problem.
Perhaps the US should start by outlawing Windows and using Ubuntu which is not vulnerable to removable USB device auto run attacks.
Perhaps the US should start getting more humint on the ground instead of gutting the CIA from it’s human assets and relying on satellites and network intercepts. At the time of 9/11 – the CIA had no human assets in Saudi and since the Clinton administration – investment in people on the ground has gone downhill. I hear the sign in the CIA station chief office in Riyadh says “Better to do nothing then to do something and look bad”.
Perhaps the US should consider that there are numerous offensive alternatives to retaliation (which indeed is not an effective countermeasure due to the extreme asymmetry of cyber attacks).
Perhaps the US should consider that cyber attackers are not motivated by economic utility functions and therefore utility-function-based defenses are not appropriate.
The security concept proposed by Lynn is sadly divorced from reality.