The Rules of Cyber-Engagement

March 5, 2013

The Obama administration is close to approving the nation’s first set of rules for how the military can defend or retaliate against a major cyberattack, according to a report last month in The New York Times. One such new rule would reportedly give the president power to order a pre-emptive strike if the U.S. detects a credible threat from a foreign adversary. We asked William Robertson, an expert in detecting and preventing Web-based attacks and an assistant professor with dual appointments in the College of Engineering and the College of Computer and Information Science, to assess this potential new policy and the growing cyberarms race.

The term “cyber-9/11” is quite clearly meant to conjure up imagery surrounding the nation’s shock in reaction to the airliner hijackings of 2001. One commonality between those attacks and an imagined cyber-9/11 is the element of surprise, where the attackers might very well execute an operation against the nation without advance detection. A strike against the nation’s critical infrastructure—such as the power distribution network or air traffic control—could have far-reaching effects that harm or in some other way affect millions of Americans.

One can interpret the recent reported strategizing by the administration on the preemptive use of cyberweapons as a form of deterrence against would-be attackers, in much the same way that our nation’s conventional military serves as a deterrent to potential adversaries. Given the history of alleged attacks against American assets by foreign actors located in China and Russia, it is quite possible that the recent decision to allow for preemptive cyberattacks is aimed squarely at nations such as these.

Unfortunately, deterrence only goes so far. It’s unlikely to be effective against those adversaries that either do not anticipate experiencing great harm from a preemptive cyberattack—for instance, if attack attribution is difficult or the attackers do not possess significant technological assets—or the attackers have sufficient motivations—e.g., religious or political—that they are willing to risk the consequences.

One reason for the difficulty in recruiting cyberoperators is simply the scarcity of qualified labor. People with the necessary skills are few and far between, and this shortage is evident in both government and industry circles. A related difficulty is that not every candidate who possesses the requisite technical background has the temperament or inclination for these jobs. Both defensive and offensive roles are stressful and demanding, and as in the case of the conventional military, many choose career paths that do not involve these characteristics.

Another consideration is that convincing top talent to work in a state or federal role can be an uphill battle. Government is competing for a small pool of candidates that can quite easily command large salaries and benefits in the private sector, either by working for any number of established security companies or as freelance consultants.

In my opinion, preparation for catastrophic cyberattacks should be a top priority for government, in cooperation with industry. Those who work in security are all too aware of the fact that our systems are already being attacked, our data is already being exfiltrated, and our infrastructure has already been demonstrated to be “porous” at best. When you consider that bolstering our defenses against catastrophic attacks will also likely translate to a more secure posture against the low-intensity cybercold war that we are already experiencing, as well as stimulate the creation of new jobs and technologies, it would seem to be the forward-thinking direction to move.