
RSA Conference: On the Subject of Cyber War and Industrial Espionage

RSA Conference News

An impending ‘Cyber Pearl Harbor’ is not an uncommon image evoked during discussions of cyber threats to the critical infrastructure of the United States. But the countries with the most capability do not necessarily have the most interest in launching the types of attacks against the United States that make for movie plots, a panel of experts said at the RSA Conference Wednesday.

“There are nation-states that absolutely have the capability (to launch a major attack), but they don’t have the intent – mostly because it wouldn’t be in their own interest, and the spillover effects would be very damaging to the world economy and a lot of other things,” said Eric Rosenbach, deputy assistant secretary of Defense for Cyber Policy in the Department of Defense. “The other reason is, that type of attack, contrary maybe to what the conventional wisdom is, I think would be very difficult to disguise.”

Rosenbach was joined on the panel by Martin Libicki, senior scientist with the RAND Corporation, a global policy think tank; Adam Segal, senior fellow for counterterrorism and national security studies for the Council on Foreign Relations; Jim Lewis, senior fellow and program director for the Center for Strategic and International Studies; and Dmitri Alperovitch, co-founder of newly created CrowdStrike.

Though the panel did not downplay the threat posed by nation-states, they did look to offer some perspective on the topic of cyber-war, discussions of which sometimes slip into hype. According to Rosenbach, countries like Iran that may have the strongest desire to launch crippling attacks against the U.S. government or the country’s critical infrastructure lack the capability.

“It’s one thing to hack into a system and do damage to it; it’s another thing to hack into a system and get everything to go off at exactly the right time [for cyber-war to be successful],” noted Libicki, who added that while some have spoken about cyber war being potentially waged by terrorists, it is not likely they have the skill level to launch a major attack.

“There are not that many good hackers out there among the jihadists,” Libicki said.

Before something like a major attack on critical infrastructure could happen, Rosenbach said, the nation state involved would have to do a lot of upfront work, performing the digital equivalent of battlefield preparation – something that would likely set off alarm bells and could trigger a response from the United States.

“Technically smart people know there’s not a cyber-nuke that you just shoot down the pipe and suddenly whole networks blow up,” Rosenbach said. Still, there have of course been reports of probes of critical infrastructure before. Reports of hackers targeting the U.S. electric grid, military systems and so on are not uncommon topics in the media. Charges of economic cyber-espionage, often leveled against China, are far from uncommon as well.

Addressing that kind of espionage is complicated by the fact that it requires a diplomatic trade-off, Libicki said. For example, countries that keep a tight hold on information view the flow of information itself as a cyber-threat – something that can make discussions about curtailing Web-based industrial espionage difficult, as the U.S. is reluctant to endorse censorship.

“We’re not going to give up the First Amendment,” Libicki said.

“If the cost of stealing IP, for the Chinese or whoever else is doing it, is somehow raised then they’re less likely to do it,” Rosenbach added.

Lewis noted it is important not to underestimate the capabilities of other countries, and said the public and private sectors should work to share more information – a sentiment also expressed in a keynote Tuesday by U.S. Deputy Secretary of Defense Dr. Ashton Carter.

“This is a national security issue; it’s a public safety issue – and you don’t rely on private action for national security or public safety,” Lewis said.

The question now is how intrusive the government should be in the name of cyber-security, he said.

“How far into people’s systems…or networks should they go? And there is a debate over the line,” Lewis said. “But almost no one who isn’t being paid to say it will say, ‘leave it to the private sector’ anymore, because you are not going to be able to beat the PLA [China’s People’s Liberation Army] or the FSB [Russia’s Federal Security Service] or any of the other…folks who are out there.”
