Military Review English Edition May-June 2014 | Page 41

Well, let’s take a look at the difficult situation our SIGO faces. First, in simple terms, three typical kinds of cyberattackers pose a threat: criminals, ideologues, and nation states. Usually, professional criminals are motivated by greed. They fall under the jurisdiction of law enforcement although the technology they use tends to be beyond the capabilities of ordinary police agencies. Next are the ideologues and so-called “hacktivists,” such as WikiLeaks or Anonymous, who generally are motivated by their political or philosophical worldview, or perhaps by cynicism. They often announce their targets and, sometimes, conduct attacks merely to gain attention or to get a laugh. The law treats them as criminals, too. The third type is nation states, which usually are motivated by security, economic, or other interests. They can plan and execute coordinated cyberattacks against their enemies. Normally, they have access to more resources than criminals and ideologues.

It is not always easy to assign cyberattackers to neat categories, however. Further muddying the water is the open question of whether a cyberattack is a use of force. Moreover, determining which specific cyberthreats are most dangerous to U.S. national security and which are most likely to do damage is difficult.

Specific cyberthreats arise in unexpected ways. For example, Stuxnet, the fiendishly destructive malware that targeted centrifuges at the uranium enrichment facility in Natanz, Iran, now poses a threat well beyond its original purpose. This is because code used to build Stuxnet (discovered in 2010 and widely considered a state-sponsored cyberattack) was leaked inadvertently onto the Internet. Some analysts believe its descendants (such as Duqu and Flame) or their progeny could already be residing in the databases of critical infrastructure worldwide.3

The bad things going on are beyond any SIGO’s skill set or resources. How should we respond at this point?
More Bureaucracy?

The typical, and even mandatory, response of government is to give an office or agency the responsibility and resources to fix a problem. This predictable, slow, and top-down approach to problem solving at the national level is ineffective against an uncertain, fast-changing, and bottom-up problem. For example, the Department of Defense established United States Cyber Command (USCYBERCOM), a subunified command subordinate to United States Strategic Command. The service components are duly organized to provide support. The Army has the U.S. Army Cyber Command, the Navy has the U.S. Fleet Cyber Command, the Air Force has the Twenty-Fourth Air Force (Air Forces Cyber), and the Marine Corps has the Marine Forces Cyber Command. However, as capable as these units are, they focus mainly on the cybersecurity threats to U.S. defense information networks. On the other hand, “the government is often unaware of malicious activity targeting our critical infrastructure,” said Gen. Keith Alexander, former head of the National Security Agency and USCYBERCOM.4 When it comes to the civil sector, U.S. Congressman Mike Rogers of Michigan says that “today, we are in a stealthy cyberwar … and we’re losing.”5

However, there is no doubt U.S. business leaders realize the cyberthreat is real and that it would behoove them to work closely with the government to prevent a big attack or be ready to respond to one effectively. To them, if something affects their profits, it is important. Even so, companies currently have little incentive to alert federal officials after being hacked because the feds will then turn around and share that information with their competitors. Moreover, if businesses share certain information with some of their competitors, they risk prosecution from the government under antitrust laws. Therefore,