The Cipher spoke with Frank Cilluffo, who runs George Washington University’s Center for Cyber and Homeland Security, to discuss the U.S. government’s cyber security posture. Prior to joining GW, Cilluffo served as Special Assistant to the President for Homeland Security.
The Cipher Brief: What’s the role of cyber weapons in war and what does a cyber war look like?
Frank Cilluffo: I wish that there were an easy answer to that because the definition is not as clear-cut as it should appear. I would suggest that the Tallinn manual probably has the closest definitional term for cyber warfare, but let me try to provide context.
I think it’s fair to say that the future of conflict in its various forms is going to have a cyber dimension to it. Whereas cyber is its own domain and has its own ethos and everything else, it also transcends all the existing domains of air, land, sea, and space. You can have conflict that has a cyber only dimension to it and you’re seeing how that can serve as either a force multiplier, or enhance the lethality, or provide greater intelligence, surveillance, and reconnaissance (ISR) as the conventional domains that are land, sea, and space. Both of these equations are going on simultaneously.
From my perspective, there is a difference between countries that are integrating computer network attacks and computer network exploits into their war strategy and doctrine.
Part of the challenge here is that not all hacks are the same, not all hackers are the same, not all intentions are the same, nor are all capabilities the same. If you were to rack and stack the threat, from my perspective, you have major peer nations at the very high end of the threat spectrum, many of whom are also turning to proxies to do their bidding, which makes it difficult to discern with 100 percent certainty who is behind that clickity-clack of the keyboard. Even when you talk about nations, Russia and China are not the same as North Korea and Iraq. What Russia and China are deeply engaged in is computer network exploit, Russia in particular in psy-ops. Whereas Iran and North Korea may not have the capabilities of Russia and China, they certainly don’t lack the intent, so you’re looking at a little more in terms of the disruptive kinds of attack or what we would define as computer network attacks.
There are a bunch of ideas. I wish I had a good, clear concise answer. This is something I think the international community needs to come to some modicum level of agreement on – what precisely is cyber warfare? But I think it’s fair to say to one extent or another, if it happens in the physical world, it happens in the cyber world, both in its own domain and as an adjunct to the existing domains.
TCB: What should the U.S. Government be doing to enhance its cyber security posture?
FC: Firstly, the reality is that we’re never going to firewall our way out of this problem so I do think it’s important that the U.S. maintain its comparative advantage and competitive advantage in terms of its offensive capabilities.
I also think there is a genuine need to articulate a clear cyber deterrence strategy, defining what are really off grounds and what demands a proportionate and commensurate response. Right now, we’re blaming the victim and there’s not a whole lot of penalty or repercussion to engaging in computer network exploits and even computer network attacks. I think, for starters, we have to articulate what our deterrence strategy is.
All that said and done, we need to do more to defend our systems. The majority of the incidents are not strictly due to sophisticated tools that the adversary is using, like spearphishing. And a majority of the successful breaches are due to poor cyber hygiene. I think it’s something along the lines of 80-90 percent actually.
Not to sound defeatist here, I don’t think we will ever be in a position to prevent all of that, but we sure do have a responsibility and must minimize the consequences of attacks. For starters, Sun Tzu in The Art of War says, “Know yourself, know your enemy.” First we have to know where our own information is. We need to segregate family jewels and most valuable information in a smart, coherent kind of way. If you’re breached, it shouldn’t be the keys to the entire kingdom, as we’ve seen in some of the recent breaches, where the data is not segregated, where the family jewels aren’t even encrypted. So there is a lot that needs to be done there.
We all talk about critical infrastructure, but not all infrastructures are equally critical. I would say electric power is clearly at the very top of the list. None of our other critical infrastructure is going to be up and running if you don’t have power. From a warfare perspective, that is integral and the most critical of our safety infrastructures. And we’re not even there in terms of protecting those systems as well as they are to be protected. We’ve all talked about public-private partnerships. My expression has been “Long on nouns, short on verbs…”
We need to translate this concept into reality. When we talk public-private partnership, it shouldn’t be as “us and them.” The private sector owns and operates the vast majority of these infrastructures. If you look at the legislative proposals, it is exceedingly difficult to move the needle on those. Those are simply enhancing the ability to share information. I see a point in time where we need to go beyond simply sharing information and have automated responses, and the private sector’s got to be front and center. None of these companies went into the business thinking they had to defend themselves against foreign militaries and foreign intelligence services, yet that’s precisely what happened.
How do we translate all of our talk into action, and how do we ensure that the private sector is not an afterthought, but literally has a parked seat at the table? And if the government isn’t going to exact a response, we’re doing a Hewlett Foundation-funded project on what’s called “Active Defense,” looking at a more proactive role the private sector can take to better defend their own system. But we don’t want a company taking down servers in China, which can escalate to a hot war, so we’ve got to figure out what those rules of the road are and start putting some of the rules down.
TCB: Cyber attacks are typically pretty difficult to attribute. How does the problem of attribution affect the U.S. government’s ability to respond to a cyber attack?
FC: Attribution has improved dramatically in recent years, but by no means is it 100 percent. Even if you have attribution, you don’t necessarily know the intent behind the particular attack. In other words, even if you get down to the right IP address, is it someone doing it as a moonlighter, is it someone doing it on behalf of the PLA or FCR or you name it? I do think further investment in attribution is critical, especially since the smartest perpetrators are using proxies to do their bidding anyway. They’re not going to send the footprints back to the Kremlin or Beijing or wherever else.
While it’s improved, even when you have it 100 percent, it’s sometimes challenging to turn that over to a court of law because you are potentially compromising your own sources and methods. It becomes a difficult issue to meet some of the judicial processes that are appropriately in place. So, even when you have attribution, can you fully disclose it all the time? I think that’s a dilemma we’re grappling with now. And how do you do so in such a way where it doesn’t tip off, not only the actual perpetrator, but future perpetrators as well?
TCB: What is the line between cyber espionage and cyber warfare? Particularly in light of the OPM hack, does the U.S. Government’s approach to the cyber problem need to change?
FC: I see OPM as just the latest in a barrage of wakeup calls. It seems like we tend to want to hit that snooze button enough already. I would suggest the line between CNE and CNA (computer network exploit and computer network attack) is incredibly thin and hinges largely around intent. In other words, if you can exploit, if your intent is there to attack, you can attack. That’s why there’s a lot of concern around entities doing the cyber equivalent of intelligence preparation on the battlefield.
For example, there have been a number of front-page stories in the New York Times, Wall Street Journal, Washington Post, and everywhere else, that countries have mapped our electric grid or mapped our energy sector. To me, that has zero economic espionage value, or even traditional political-military and diplomatic secret value. So the point is: the line is very thin and it hinges around what the perpetrator’s intentions are. Bottom line, from a security standpoint: they can exploit, they can attack if they wish to do so.
Just one thing on OPM—I think it does demand a response. The administration has recently promulgated a number of executive orders on cyber, including one on the potential to levy sanctions against perpetrators. The OPM hack is a litmus test if we’re serious about response, and this flows back into my thoughts in terms of a cyber deterrence strategy. There is nothing worse than having a strategy out there and then when the line is crossed, you don’t respond. I think recent history has a number of examples where that has played out. In my eyes, this is a litmus test and it’s going to be important to see how the U.S. responds because this was not warfare, but the foreign counterintelligence implications of this are enormous and it does have very significant implications to our national security. I do think this is an important test case to see how the U.S. will respond. I think it demands one.