Shifting from Cybersecurity to Cyberwarfare...
Its a big week in the field of cybersecurity. President Obama just announced the creation of a new "Cybersecurity Coodinator" position at the Defense Department, released his larger strategy for securing the nation's vital cyber assets, and is currently meeting with officials from the Russian government over a proposed new international treaty on the issue.
This is all great fodder for someone who's writing his doctoral dissertation on national cybersecurity policy. Let's just hope it doesn't require a total re-write :-)
There has been a marked shift in the cybersecurity debate from as recently as just a few months ago. In a field where national cybersecurity was, since 9/11, predicated on the best way to defend vital digital infrastructure, suddenly there is open talk surrounding the need to go on offense as well.
In other words, the framing of the debate in policy circles has openly shifted from cybersecurity to cyberwarfare.
As the Wall Street Journal wrote...
The military is far ahead of civilian agencies such as Homeland Security and is now focused on cyber offense as well as defense. Cyberspace, says Gen. Kevin P. Chilton, commander of the U.S. Strategic Command, is the new "domain," joining the traditional domains of air, land and sea.
This shift in framing the issue has consequences that are apparent in President Obama's meeting with Russia. As the New York Times reports, Russia favors an international treaty along the lines of those negotiated for chemical weapons, essentially looking to ban offensive weapons and tactics. On the other hand, the U.S. instead advocates improved cooperation among international law enforcement groups, basically trying to formalize the criminalization of such acts through legal channels.
The truth is that both approaches are necessary and cyberwarfare must be tackled offensively and defensively.
In an attempt to be prescriptive and add my own two cents to the debate, cybersecurity policy would be wise to address the protection of cyber assets at four separate internet layers...
- Infrastructure Layer - protect the physical hardware of the Internet; focus policy on the telecommunications industry.
- Protocol Layer - protect the network through the technical standards and protocols that allow the Internet to operate; focus policy on international standards-setting organizations like the IETF and W3C.
- Software Application Layer - protect the network from viruses, botnet attacks, and other programmable cyber weaponry through more secure code; focus policy on the software industry.
- Content Layer - engage in both offensive and defensive cyberwarfare through the informational content that is out there for all the Web to see; focus policy on ISPs, and on individual behavior.
Cybersecurity is difficult to achieve, particularly on a national level where the vast majority of assets are privately owned and operated. Previous attempts to rely exclusively on voluntary public-private partnerships are rightfully, and finally, being seen as grossly inadequate. The fact is that America is not going to build its own Great Firewall of China, and focusing only on protecting the Internet's infrastructure and government assets, as we have done in the past, just won't cut it. We desperately need a more comprehensive approach.