The Cipher Brief spoke with Rob Knake, the former Director for Cyber Security Policy at the National Security Council (2011-2015), about the future of cyber weapons and cyber warfare.
The Cipher Brief: What are your thoughts on the role of cyber weapons in war, and what would a cyber war look like?
Robert Knake: Cyber weapons in war look like tools that can be used to achieve effects that, in the past, we might have used kinetic weapons for. Now we can accomplish the same thing with 1s and 0s with the added benefit of less collateral damage and more stealth. In war, you need to be concerned about things like a cyber attack disabling your air defense systems ahead of a bombing run, or turning down your radar capability so you will not see approaching ships, or making it so your weapons systems malfunction and you are unable to respond. That’s what, in the military, the chief use of cyber weapons is intended to do, and that is the vulnerability that our military is increasingly concerned with - that as we become more reliant on digital systems, we will be creating new vulnerabilities.
That is the battlefield level; then there is the strategic level, which is the ability to cause strategic harm on a population that might have, in the past, been considered untouchable. We in the United States have fought many wars over the last 50 years and had very few enemies who were able, in any way, to touch us back in the homeland. Cyber may give our adversaries in future wars the ability to do that, to be able to do things like shut down our power grid, disrupt our stock market, make it so an aircraft can’t fly because we can’t trust the data in our civilian aviation systems. Those would be things that might cause a strategic moment of pause before the United States entered into a conflict.
That is what the future of cyber warfare may look like - it may not be so much about tactics on the battlefield but much more about attacks on the homeland that are carried over the internet from our adversaries abroad.
TCB: In that same vein, where is the US government most vulnerable? Where are the most likely targets in that future scenario?
RK: Our financial system is absolutely vulnerable. Not to say that the finance system hasn’t made significant investments in this area, but it is certainly heavily reliant on IT systems and is therefore very vulnerable to disruption through those systems. The power grid, I think, is the perennial concern – that power systems could be brought down and kept down and that, without power, all other critical operations in this country grind to a halt.
I think that those two are probably the two main areas that I worry about, but generally if you look across what we consider critical infrastructure – all 16 sectors – just about anything is going to be vulnerable to a destabilizing cyber attack.
TCB: What does the government need to be doing to enhance our cyber security posture? Is there a role for private industry to play?
RK: The U.S. government has a monopoly on a couple of areas, and then the rest of it is really dependent upon the private sector at this point. Offense is really something that only the military is permitted to do, and it’s the only organization that is trained and equipped to do that mission. Carrying out offensive cyber operations in support of warfighters overseas or in response to a cyber attack on the United States, that’s going to be something that the military is going to do. The military is also going to protect its own networks. Similarly, the federal government is responsible for the federal government’s defense. It is the federal government’s job to stop things like the OPM breach.
Outside of those missions, network defense is the responsibility of the private sector. We don’t live in a world right now in which any federal agency is trained or equipped or positioned to be able to do network defense for the private sector. We built an open Internet architecture, and the government has stepped away repeatedly from having a heavy hand in that. Our government is not in a position to actually be able to protect companies in cyber space the way that we can protect companies from bombing runs or from invading armies.
TCB: In light of the Sony hack or the Target hack, what are the ideal responses for the private sector? What are their means of effective recourse?
RK: The answer right now, under current policy, is that those companies should have invested more in their own security. In the case of Target, the government’s role would be law enforcement and investigation. In the case of Sony, it became a matter of national security because of the destructive nature of the attack and the reasons it was carried out. The motivation was to suppress speech in the United States - a value we hold dear. So in that case, it did become an issue where the government stepped in and took over the rhetoric and the response to the North Koreans - it became a state-on-state issue.
Contrary to what most people take out of that incident, the U.S. government actually was able to achieve escalation dominance. North Korea attempted to keep the movie from being put out, but in the end the movie was shown online. While the North Koreans probably could have technically disrupted the viewing of that movie, they made a decision not to, showing that we were able to get escalation dominance over them. They understood that the consequences of any further interference would be higher than they would be willing to pay. Otherwise we would have seen a denial of service attack against the networks that were showing that movie.
TCB: What is your sense of what companies in key industries, such as finance and healthcare, need to be doing that they’re not doing already?
RK: The simple answer is spending more money. When you look at the value that companies get out of IT systems and moving things online, the efficiencies they’ve gained and the customers they’ve gained, what needs to be spent to secure these systems is a bare fraction of that.
Senator Jay Rockefeller, I think, famously at one point, said that maybe we would have been better off if we hadn’t built this whole thing (Internet) because of the security problems it caused. In my view, and I think most people’s view, for all the horror stories in the news about breaches and bad things that can go wrong, the value that we get out of the Internet on a daily basis is just massive. The basic thing that companies need to do is recognize that they get this value and that it is in their interest to secure their systems and to pay the money to do so.
It also wouldn’t be in their interest to have anyone else do that for them, because no one will like the solutions if it becomes a government responsibility. No one likes having TSA take over airport security, but it was a necessary evil given the threat. Well, imagine having the TSA for the Internet. Imagine the same kind of disruption. Imagine the same kind of dislocation. Imagine your packets lining up one by one to go through a government inspection system on the backbone of the Internet. Nobody wants that; it’s not in anybody’s interest.
When cyber attacks happen, private companies always want the government to step in and solve the problem for them at the time. But when they step back and think about what the consequences would be of the government being able to do that – how disruptive it would be to the operation of the Internet, how disruptive going on the offense would be to world markets – they don’t like any of those solutions in the end.
Having companies invest in their own cyber defense is, ultimately, in the best interest of the Internet and it’s in the best interest of those companies. The main thing that companies need to do is increase their investments. If you, as a company, are spending less than 10% of your IT budget on cyber security, don’t complain – you have it pretty good.
TCB: Cyber attacks are usually difficult to attribute. How does that affect the U.S. government’s ability to respond to a cyber attack?
RK: The problem of attribution, I think, has been overstated. Given enough time and enough resources, the U.S. government, through a combination of law enforcement, intelligence, digital forensics, and human operatives, is almost always able to come to a definitive conclusion on who carried out a cyber attack. That takes time, it takes analysis, it takes resources, but it can be done.
Cyber attacks leave footprints; those who carry them out have motivations, and those can all be sorted out. We’re going to move from attribution, where we have to prove things, to responsibility, where, if the evidence is pointing at a country or an organization, at that point it is up to them to say, “No, it actually wasn’t us and we’re going to assist you in the investigation.” Usually, very few countries and companies do that. Why? Because the attacks have actually been correctly attributed to them.
So I think attribution on the whole is overstated as a problem. It becomes a problem if what you want to do is respond tactically in cyber space. If you want to shoot back to stop a cyber attack, you may not be shooting at whoever is actually responsible for it – and that is a problem. But on the whole scale, I would say that the idea that we can’t attribute cyber attacks and won’t be able to know who is attacking us really is no longer the reality.
TCB: What is the difference between cyber espionage and cyber warfare? I’m thinking of the OPM hack, which has been characterized as Chinese intelligence gathering, but where is the line?
RK: It is a little bit in the eye of the beholder. Generally, if you look at the OPM incident, this looks to many within the intelligence community like a legitimate target for espionage. Director of National Intelligence James Clapper pretty much said as much. He sort of said, “My hat is off to the Chinese. I would have gone after it. We would want that information from a Chinese government agency. It’s not shame on them, it’s a shame on us.” That looks like what might have gone on in the Cold War.
Countries spy on each other. It has gone on for a very long time; it will continue to go on. It’s accepted at some level in the international community, and you generally don’t react to catching spies the same way you would react to an armed attack. The issue that we’re dealing with is that the scope and the scale and the consequences of cyber spying are very different from the kind of spying that went on in the Cold War. The volume of information you can extract out is huge by comparison. The number of operations you can carry out at any time is almost limitless. And the consequences for doing so are minimal.
When you contrast that with the Cold War, there were an awful lot of people who lost their lives spying, and a lot of people who betrayed their country and spent the rest of their lives in jail. The volume of information that they took would be the equivalent of a couple of megabytes, but it was printed paper and it had to be hauled out in safe houses and drop boxes, and smuggled physically.
I think the whole scale is suggesting to some people that we need to create limits on espionage, not through formal treaties but by how we react to incidents like OPM. We would create the kind of constraints that don’t seem to be in place right now. The danger to that is, if and when we ever get caught engaging in such behavior, we would be treated the same way. So is that the world we want to live in, or are we better off living in a world in which a certain level of cyber espionage is simply accepted?