As the Internet spreads its tentacles into every nook of society, attacks are rapidly increasing against individuals, companies, governments, and the very Net infrastructure upon which they all rely. The attackers range from cyber criminals to non-state actors like ISIS and nation-states. But law enforcement, government regulation, and an established military response are not even close to keeping up, said a group of experts at the Techonomy Policy conference in Washington on June 9.
Before the advent of the Internet, there were four accepted domains of warfare: land, water, air, and space. Cyber is the fifth, and newest, domain, and by the far the hardest one to patrol, the panelists on a session devoted to “The Militarization of the Internet” agreed. “Unfortunately, the Internet doesn’t conveniently stop at our border,” said Craig Mundie, a longtime top executive at Microsoft who has been deeply involved in Federal tech policy efforts. “We don’t have a good way of defining what and when we will do something.”
Mundie, who retired from Microsoft in December,, was joined onstage by Alan Marcus, head of technology sector industries for the World Economic Forum and co-author of “Beyond Cybersecurity: Protecting Your Digital Business,” Michael Cote, who heads Dell SecureWorks, a major information security company, and Shane Harris, the senior national security and intelligence reporter at The Daily Beast and author of “@War: The Rise of the Military-Internet Complex.” The discussion was moderated by Cory Bennett, cybersecurity reporter at The Hill.
The discussion became even more urgent in the wake of the disastrous hacking of the Federal Office of Personnel Management (OPM) a week earlier. A Chinese group is said to have stolen the records of millions of federal employees, apparently to compile a database of U.S. government workers. The same organization is thought by many experts to also be responsible for the hack of the health insurance company Anthem’s site last year.
It’s unclear how much information was stolen or the purpose the data will be used for in the future. It appears that all federal employees and retirees were affected by the breach, including military veterans and personnel—that’s a total of more than 4 million people. The exact identity of the hacker group has not been established and thus it’s hard to know how to responsd.
Attacking or going after malcontents on the Internet is not simple. It’s difficult to discern the difference between a military, nation-state, or non-state attack, said Marcus from the World Economic Forum, and hence difficult to figure out an appropriate response.
“If you don’t know where the missile came from, where do you send the army?” said Mundie.
Despite the uncertainties, as cyber attacks like the OPM one have grown beyond business-specific attacks, government and law enforcement now have no choice but to present a coordinated approach to them, panelists said.
The Internet, said Mundie, is something like the Wild West where “people feel rightly or wrongly that they can act with impunity,” adding that this state of affairs will continue until law enforcement and government step in. All the panelists agreed that it was the role of law enforcement and the government to patrol the Internet’s byways and not something businesses can address on their own. In any case, laws prohibit cyber vigilantism.
As the severity of attacks rises, the government will have to establish a set of threat levels and responses, said panelists. After Sony released “The Interview,” which offended the North Korean government, its devastating attack on Sony’s corporate infrastructure created a new environment, Harris said.
But the limits and expectations of what kind of response is called for remain undeclared and apparently undecided. “What are the levels of aggression that are necessary before the U.S. attacks a country for cyber attacks?” Harris asked. “If the U.S. banking system is taken down? When a few key sites are?”
“Does Congress have to declare war for the U.S. to attack a country, a rogue state, or individuals, as it must do now before U.S. troops can be involved?” Mundie said.
Because militarization of the Net is so new, no scale of threat levels have yet been created and it is up to each victim how they respond. How many bits and bytes would an attacker have to wipe out for someone to feel compelled to respond?
The response needs to differ depending on whether the attack is caused by a nation-state, rogue country, or a criminal syndicate. “When does the military get involved?” Marcus said. “Again, what threat level and how many bytes would have to be destroyed for troops to respond? If cyber is considered another trade route like the blue waters, do you expect your military to protect cyber?”
It’s also not clear which government agency should be in charge of a response to an attack or which would formulate a policy on the matter. Four years ago, when the World Economic Forum gathered government officials to discuss U.S. cyber policy, it had to gather representatives from 19 separate agencies, Marcus said.
There are glimmerings of progress, nonetheless. Federal agencies are starting to work together on cyber responses to save money and resources. Companies, spooked by the attack against Sony as well as recent attacks against Target, Anthem Healthcare, and others, are also taking security much more seriously than a few years ago. A more sophisticated view of security is developing. Marcus summarized the necessary attitude: “Security isn’t about patches after the fact. It’s about building it into the system.”