Monday, August 21, 2017

Cyber Command Gets a Promotion


On Friday, Aug. 18, President Trump announced that the Defense Department's U. S. Cyber Command would be elevated to the status of a "unified combatant command," joining the nine other commands such as the U. S. Central Command (CENTCOM) that oversees all military operations in the Middle East, and the U. S. Strategic Command in charge of nuclear weapons.  The heads of these commands are just below the Secretary of Defense in the chain of command, and each unified combatant command cuts across the traditional armed-services divisions of army, navy, and air force. 

According to a report at the website Politico, the promotion of the Cyber Command has been in the works for years, but carrying out this promotion is in line with the President's campaign promises to bolster the Cyber Command.  Currently that Command is headed by Admiral Mike Rogers, who also heads the National Security Administration (NSA).  The Senate must confirm a new Cyber Command leader before the reorganization is fully implemented, but no particular problems are expected on that score.

After taking an initial leadership position, the U. S. has appeared lately to be lagging in the recognition that cyberwarfare is no longer some science-fiction pipe dream.  The nature of cyberwarfare makes it difficult to state with certainty exactly who is responsible for what.  But most experts agree that, for example, Russia has been plaguing the Ukraine with cyberattacks of many kinds for the last few years, ranging from invading servers used by news media to causing widespread power blackouts in large cities such as Kiev in the middle of the winter.

Probably the first cyberattack that became widely known and has definite attribution was called Stuxnet.  Developed by the U. S. NSA, possibly with cooperation from Israel, it was a clever attack on Iran's uranium centrifuges in 2010 that caused numbers of them to self-destruct.  Stuxnet was the last major focused cyberattack we know of that the U. S. has committed, but by the nature of the business, there may be others we don't know about yet. 

In conventional warfare, the enemy is in a clearly defined geographical area, and even wears uniforms and puts insignia on their equipment so you can tell who are the good guys and who are the bad guys.  Alas, such formality is long gone in many battlefields, and in the anonymous world of cyberspace it is next to impossible to identify the source of an attack in terms of a physical location and which people are doing the bad stuff.  In this regard cyberwarfare borrows from the world of espionage the mysteries and guesswork that make spy novels so interesting, and make actual espionage work so frustrating.

But just because the enemy can't always be clearly identified, that doesn't mean we can ignore what they can do.  There is an old saying that generals always prepare to fight the last war, meaning that military thinkers are slow to deal with combat innovations.  The elevation of the Cyber Command to a level equal to the Strategic Command says that, organizationally at least, we are taking the threat of cyberattacks and the damage they could cause at least as seriously as we are taking the threat of nuclear attacks, which are far less likely but have a higher potential for damage.

Or maybe not.  At any given time, there is probably a maximum amount of damage that a determined cyberattacker could do with the capabilities they have and the nature of the target.  One advantage that the U. S. has compared to smaller and more tightly organized countries is that we have a lot of diversity in our technical infrastructure.  For example, in the recent flap about Russia's attempt to sway U. S. elections, no one has found any convincing evidence that Russian hackers were able to manipulate electronic vote counting.  Even if they had wanted to, the hackers face the difficulty that votes are counted in literally thousands of different jurisdictions using a wide variety of systems.  Anybody wanting to mess with a voting district that was big enough to make a difference would probably have to have a spy physically present for some time in order to gather enough information to give a cyberattack even a chance of success.  Something of the same principle applies to our electric grid, which is a congeries of old and new technology with a bewildering variety of SCADA (supervisory control and data acquisition) systems.  Again, a determined cyberattacker would have to focus on one system that is particularly vulnerable and large enough to make a terrorist attack worthwhile in terms of headlines.

Despite these built-in defenses, the U. S. should not be complacent with regard to the possibility of a crippling cyberattack, and the promotion of the U. S. Cyber Command to the board of Unified Combatant Commands is a step in the right direction.  As I mentioned not long ago in a blog on ransomware, one of the U. S. government's primary responsibilities is to defend the nation against attacks, and this includes cyberattacks.  The spectacle of private companies, even small ones, getting held up for ransom by hackers is morally equivalent to a cross-border raid by physical invaders.  What would normally be a domestic police matter then becomes an international incident, and the intervention of the U. S. military would be appropriate in both cases.

But a lot is yet to be defined about the responsibilities of the military on the defense side.  Historically, the computer industry has held consumers responsible for cybersecurity to the extent of installing patches and upgrades promptly and following good cybersecurity "hygiene."  But as attacks become more sophisticated, there may have to be closer cooperation among private technology developers, their customers, and the military, which up to now has not had much input into the business except as a good customer. 

If history is any precedent, not much will change in a major way until a foreign cyberattack succeeds with a truly crippling blow that costs many billions of dollars, affects millions of people, or results in multiple deaths and injuries.  Then we will get serious about how the military can fight the next war—a cyberwar—and not the last one.

Sources:  Politico.com carried a story entitled "Trump elevates U.S. Cyber Command, vows 'increased resolve' against threats" on Aug. 18, 2017 at http://www.politico.com/story/2017/08/18/trump-us-cyber-command-elevated-unified-combatant-command-241783.  I referred to an article in Wired Magazine published June 20, 2017 at https://www.wired.com/story/russian-hackers-attack-ukraine/ and the Wikipedia article on Unified Combatant Command.  My blog on ransomware appeared on Mar. 27, 2017 at http://engineeringethicsblog.blogspot.com/2017/03/ransomware-comes-to-heartland.html.
