The overall challenge of protecting our vulnerable cyber infrastructure grows more complex each day, yet government must find a way to erect sensible defensive mechanisms and safeguards which simultaneously assure access, privacy, security and data credibility to millions of users in academia, the private sector, our military, our government and among ordinary citizens. The pathways forward are much less than clear because the operational, technical and policy issues are exceedingly complex and defy simple deductive analysis. We know that measures are needed in the policy, legal and operational world right now to devise a stalwart castle wall against interlopers, criminals, hackers, enemies and the curious. However, our ability to enhance defensive instruments is thwarted at almost every turn despite the fact that we can readily isolate persistent issues and dilemmas which afflict the global digital commons and often preclude our best efforts to define and defend our legitimate interests. Worse of all, the international dimensions of digital security and defense resides in the unpleasant and yet unsettled limbo realm of undefined acts of war, espionage, piracy and crime. This fact almost ensures its malevolent continuation for some time.
The litany of digital shortfalls and ills is fairly extensive and affects our governments and major commercial operations most severely. Subject to external digital probes and outright theft of data we also fear data elimination, manipulation and alteration of digital entities which must remain accurate and reliable against the daily onslaught of penetrations which can be characterized on a continuum from ‘intrusions’ to ‘attacks’. Therein lies the first-order problem of policy, law and regulation as we are bereft of serious international norms and rules of the road which help define what an ‘attack’ really is. For example, Chapter 51 of the UN Charter allows every sovereign state the right of self defense against ‘armed attack’ but falls short in allowing a modern definition of a digital ‘attack’ to be clarified and understood within that context.
In the same way, the nominal definition of ‘economic warfare’ which many would see as relevant to hostile digital intrusions lacks the cache of enjoying a globally recognized legal and enforceable definition. The second dilemma is wrapped up in the conundrum of determining whether digital intrusions constitute some form of economic warfare. Therefore, any digital offensive, attack or intrusion however characterized or labeled drops below any globally acknowledged standard of illegal or illicit behavior.
Another frustrating reality deals with attribution and identifying the source of the attack or intrusion as a state, a group or a lone hacker. The third dilemma is finding the ‘bad guy’ and holding that party accountable. Digital forensics remains in relative infancy as an elusive and misunderstood form of alchemy which fails to gather enough widespread support for its principles, technical requirements and digital rigor.
A fourth issue and dilemma is the angry debate over enhanced defensive measures and the value of devising an offensive digital strategy to allegedly deter hostile states, criminals or hacktivists. What constitutes an adequate, robust, invincible and effective array of defensive digital measures? Defensive strategies are validated based on their proven success—what criteria do we have to measure that? We all know that it seems to be much cheaper to hack, intrude and attack data systems than budget for their overall defense. Can we demonstrate which defensive measures are best?
Is this likely to invite more or less innovation on defensive maneuvers and architecture or simply default to more creative methods for mounting newer and fanciful avenues of penetration? Where should we be spending our resources and investing our talent? Worse case scenarios can be considered where digital daredevils hire their skills to the highest bidder or steadfastly elude capture by sustaining their operations in apartments, cubicles, dedicated military cyber units and cartel garages.
Digital disruption, alteration of digital databanks, evisceration of digital repositories, and wholesale takeovers of digital networks are already here and intensifying at lightning speed with no obvious government or business silver bullet or master strategy to defend our legitimate interests. So the fifth issue here is one of keeping ahead of those ’12 monkeys’ who engage in daily attacks and intrusions without letup. How can and should this be done?
No easy answers or facile solutions emerge from just these five dominant dilemmas which challenge the validity and authenticity of every conceivable digital system. Instead we reckon that devising new laws, policies and regulations might help or somewhat alleviate the situation without really knowing with any confidence that we have actually reduced our net vulnerability or ramped up our security.
Nevertheless, with FBI and DHS policing the .gov websites and DoD and NSA watching the .mil sites, we assume that our national ramparts against targeted attacks and intrusions appear sufficient enough for now. This is purely a band-aid for a much larger wound that continues to bleed and we know it all too well. Here, even the best minds in academia and among esteemed scientists cannot find a solution that fixes the set of problems identified and nullifies the few dilemmas we have discussed.
In the clear absence of global harmony and unity on these issues and dilemmas the way forward seems murky at best. The interests of the United States as a heavily invested player in geopolitics together with the realities of international trade played out in the digital arena require better approaches to defend our digital interests while promoting better digital security. One pathway requires that we act unilaterally and erect whatever protective systems, laws, regulations and practices which maximize our own national interests. Another pathway suggests we ad hoc our incremental way through an unsettled ‘business-as-usual’ quagmire for another unsavory decade.
Other options and pathways exist with inherent risks of failure and success embedded within their assumptions and analysis. We await serious decisions about which way forward seems best allowing for the fact that our interests deserve protection.