If there were any lingering doubts that cybersecurity is a geopolitical issue with global implications, such opinions were cast on the rocks by discussions this past week at the 2015 World Economic Forum in Davos, Switzerland.
Coincidentally – perhaps – amid the palpable unease over cybersecurity concerns coursing through formal discussions and in the hallways, two alternative views of U.S. cybersecurity strategies were receiving notice. One was hopeful; the other doubtful. Both geopolitical.
First the doubtful.
On January 17th, the German publication Spiegel Online strove to further capitalize on the eighteen-month old Edward Snowden security leaks to once again raise and extend the public critique of U.S. National Security Agency practices. The viewpoint expressed characterized U.S. cyber security operations as policies seeking control of the Internet and aimed at aimed “undermining the very foundations of the rule of law around the globe.”
The article dusted off prior examples of the National Security Agency’s offensive measures such as Tailored Access Operations and Fourth Party Collection and others, positioning them as threatening to transform the Internet into a lawless zone in which the superpowers of the world operate according to their own whims with little accountability.
Such views seemingly choose to ignore that the Internet is already a lawless zone without formal international rules and standards of conduct in which cyber crime, cyber espionage and offensive state vs. state cyber operations abound.
Thus defense is mandatory. Cyberspace encourages aggressive behavior by providing the advantage to the assailant, necessitating those under attack to undertake extensive efforts to control damage and recover. The U.S. is a prime example. In 2014, U.S. corporate, government and military organizations succumbed to unprecedented levels of damaging, expensive and in particularly in the case of Sony Pictures, destructive and embarrassing breaches of their information networks.
The Spiegel argument sidesteps the reality that, given the serious and threatening realities of today’s cyber environment, those under attack must take the measures necessary to protect themselves. Without aggressive cyber intelligence and proactive cyber defense measures, protection is nigh-impossible, forcing the U.S. and its Western allies to live in a world centered around mitigation and catch-up.
Alternatively, a contemporary view of U.S. cybersecurity posture reflective of today’s increasingly threatening global environment was expressed by Clint Hinote, a Military Fellow at the Council on Foreign Relations in a January Foreign Affairs article, “How to Stop the Next Hack.”
Hinote acknowledges that “establishing an impenetrable defense is practically impossible.” He further acknowledges retaliation in cyberspace is filled with attribution issues and escalation dangers. The focus for defense, he believes, should thus be on deterrence consisting of deliberate steps which cause the opponent to “choose action, or inaction” favorable to the initiator.
Effective deterrence, he argues, minimizes emphasis response in cyberspace and instead focuses on a combination of virtual, physical, political and economic measures. “Moving from the virtual to the physical world allows the United States to shift competition from the cyber domain, where it suffers from a competitive disadvantage (because it has much more to defend), to the physical domain, where it enjoys considerable advantages.”
“It may only require one or two demonstrations of this seriousness,” he adds, “to establish deterrence.”
Hinote’s sense of urgency for the need of more effective cyber defense capabilities and policies resonated with similar sentiments echoing through the halls in Davos.
According to Fortune, cybersecurity fears held the prospect of stopping companies from making important investments in technology. CISCO Systems CEO John Chambers, as head of a corporation which depends on security-driven technology spending, emphasized that “security was bad last year” and unfortunately “this year is going to get worse.” “You can never win,” said Robert Smith, chief executive of Vista Equity Partners, a private equity firm. “It’s a constant battle to just to stay even.”
Other executives expressed concerns that they were expecting the volume of attacks to increase dramatically in the coming year while defenses remained largely ineffective. Mr. Smith added that “The security breaches we had in the last 12 months are going to pale in comparison to these we’re going to have in the next 12 months.”
“However security gets done, it needs to get done” was a common sentiment of executives when referring to cyber security measures to protect their organizations and national economies. The stakes are simply too high not to.
Whether it be through strategies of deterrence espoused by Clint Hinote or by increased preemptive measures to prevent or disrupt attacks, effective intelligence methods by the NSA and other nations’ intelligence agencies are an essential ingredient for success. Corporate and national interests thus are fused geopolitically as one as the battle over security in cyberspace races on.
Beyond concern over economic and reputational cyber-induced risks lay executives’ concerns of vulnerability of facilities such as power supplies and communications networks.
A popular figure in Davos, cybersecurity guru and Kaspersky Labs head Eugene Kaspersky, a man who knows his way around global cyber threats, confirmed such fears, stating what most attendees perhaps didn’t want to hear: “The main threat scaring me is attacks on critical infrastructure.”