Rational Security

How to Protect Yourself from the Online Axis of Evil

What has happened to the notion of cyberdefense?

PO1 Joshua Wahl/DVIDS

North Korea and Iran are viewed as threats to the world because of their potential to field weapons of mass destruction, but they are far more likely to focus their malfeasance on "mass disruption" via cyber attacks. Should either state ever step out of nuclear line, overwhelming retaliation would follow. But in cyberspace, both Tehran and Pyongyang are credible powers capable of and apparently quite willing to make considerable mischief. Iran appears to have mounted a serious attack on the Saudi oil industry recently, wiping out critical data on tens of thousands of machines with the so-called Shamoon virus. North Korea is thought to have just attacked its southern neighbor’s banking sector — the latest in a steady stream of cyber strikes spanning several years.

Yet there has been no response-in-kind, which suggests that cyber attackers will press on with a growing sense of impunity, making the task of deterring them quite difficult. Indeed, instead of posing retaliatory threats — the key to successful deterrence during the Cold War — there appears to be a willingness to live under cyber siege, relying instead on improving defenses. Over the past few days, while all eyes have been riveted on the Snowden leaks, word has also gotten out, more quietly, about ongoing American efforts to craft cyber defensive coalitions with countries in the Persian Gulf region and in Northeast Asia. Information about these alliances remains proprietary, but it would be hard to think of them arising in the absence of Saudi Arabia and Qatar in response to the perceived threat from Iran, or without Japan and Taiwan when it comes to dealing with North Korea.

It is a very good thing that these alliances are forming. That they may rely on American cybersecurity strategies is a bit more problematic. The United States rates quite low in terms of its defensive capabilities. Last summer at the Aspen Security Forum, General Keith Alexander, head of both Cyber Command and the National Security Agency, publicly rated American cybersecurity a "3" on a scale of 1-10. Former government cyber czar Richard Clarke was a tougher grader, giving Washington a "1." The point is, it is one thing to build cyber defensive alliances, quite another to actually mount robust defenses. And ambiguous American threats either to "pre-empt" imminent cyber attacks or to respond with physical force are simply not very credible. It is extremely difficult to catch enemy electrons while they are massing — or whatever they do before being launched — and highly unlikely that the U.S. military will be authorized to go off and break things, and possibly kill people, in response to even costly cyber disruptions.

So the defensive alliances forming up should perhaps start, not so much by taking American direction as by opening up a spirited discourse on alternative cybersecurity paradigms. This would be good both for them and for the United States, as it is clear that American reliance on anti-virals and firewalls will not get the job done. One master hacker of my acquaintance likes to put it this way: "There are no firewalls, because they only recognize what they already know." This does not mean throwing these defenses out completely, as they do have some value. But it does mean shifting emphasis to more effective means.

For reasons that still baffle me, the ubiquitous use of very strong encryption has been neglected, sometimes resisted. Indeed, under American law there was a time not too long ago when it was illegal for the average citizen to have and use the strongest code-making capabilities. This silliness stopped some years ago. Yet, with our first cyber president in office — he is very attached to his personal information technology suite — his bully pulpit is hardly being used to tell Americans to encrypt, encrypt, encrypt.

There are additional strategies that the emerging cyber defensive alliances should consider, perhaps the best among them being the resort to concealment in "the Cloud," an airy place in cyberspace outside one’s own system where information can be encrypted, broken into several pieces, stored with much improved security, and called back home with a click. A place closer in, the area of unused capacity in a friendly network called "the fog," for example, is another way to move information around and keep it concealed. Both these approaches deal with another of the problems that my hacker friend describes: "If data just sits in your system, someone will get at it. Data at rest is data at risk. Keep it moving."
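The "encrypt it, break it into several pieces, store the pieces apart, call it back home" strategy above has a concrete form: Shamir's secret sharing, where a secret is split into n shards such that any k of them reconstruct it and fewer than k reveal nothing about it. The following is an added, self-contained Python illustration written for this page, not code from the column or its author. It assumes the data itself has already been encrypted with an authenticated cipher and that what is being dispersed is the key (or any short secret); the sample key is constructed, the arithmetic is over GF(2^8) with the AES reduction polynomial, and each shard records its threshold so that an attempt to "call home" with too few shards fails loudly rather than silently returning garbage.

```python
"""Added example: threshold secret sharing (Shamir) over GF(2^8).

Split a short secret (e.g. an encryption key) into n shards held in
different places; any k shards recover it, fewer than k cannot.
"""
import secrets

# GF(2^8) multiplication, reducing by the AES polynomial x^8+x^4+x^3+x+1
def gf_mul(a: int, b: int) -> int:
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p

# Multiplicative inverse: a^(2^8 - 2) = a^254 = a^-1 for a != 0
def gf_inv(a: int) -> int:
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def split_secret(secret: bytes, threshold: int, shares: int) -> list:
    """Return `shares` shards as (x, threshold, ys); any `threshold` recover."""
    if not 1 < threshold <= shares <= 255:
        raise ValueError("need 1 < threshold <= shares <= 255")
    # One random polynomial per secret byte, with the byte as constant term:
    # f(x) = s + c1*x + ... + c_{k-1}*x^{k-1}; coefficients from a CSPRNG.
    polys = [[s] + list(secrets.token_bytes(threshold - 1)) for s in secret]
    out = []
    for x in range(1, shares + 1):          # x = 0 would leak the secret itself
        ys = bytearray()
        for poly in polys:
            y = 0
            for c in reversed(poly):        # Horner evaluation at x
                y = gf_mul(y, x) ^ c
            ys.append(y)
        out.append((x, threshold, bytes(ys)))
    return out

def recover_secret(shards: list) -> bytes:
    """Lagrange-interpolate each byte at x = 0 from at least `threshold` shards."""
    threshold = shards[0][1]
    if len(shards) < threshold:
        raise ValueError(f"need at least {threshold} shards, got {len(shards)}")
    use = shards[:threshold]
    xs = [s[0] for s in use]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate shard index")
    length = len(use[0][2])
    out = bytearray()
    for i in range(length):
        acc = 0
        for j, (xj, _, yj) in enumerate(use):
            # Basis polynomial L_j(0) = prod_{m != j} x_m / (x_j - x_m);
            # in GF(2^8) subtraction is XOR.
            num, den = 1, 1
            for m, (xm, _, _) in enumerate(use):
                if m != j:
                    num = gf_mul(num, xm)
                    den = gf_mul(den, xj ^ xm)
            acc ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)

if __name__ == "__main__":
    key = bytes(range(32))                       # constructed sample key
    shards = split_secret(key, threshold=3, shares=5)
    assert recover_secret([shards[4], shards[1], shards[2]]) == key
    try:
        recover_secret(shards[:2])               # two shards: refused
    except ValueError as e:
        print("recovery refused:", e)
    print("recovered from 3 of 5 shards:", recover_secret(shards[:3]).hex())
```

Each shard is as long as the secret, so this is meant for keys and other short secrets; the bulk data stays encrypted wherever it is stored, and an attacker who obtains fewer than k shards learns nothing about the key, which is what makes the dispersal worth doing.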

Not only will consideration of these alternative strategies improve security against the threats posed by Iran and North Korea, but adopting them would go a long way toward dealing with the nettlesome intrusions that are believed to emanate from China. President Obama has made very little progress with President Xi on cyber matters; in addition to jawboning Beijing, Washington should develop a sense of urgency about getting better at cyberdefense. After all, when the head of Cyber Command and a long-time senior official with a cyber portfolio both give failing marks to our cyberdefenses, it is high time to do something in addition to talking. If there is ever to be an effective behavior-based agreement to refrain from cyber attacks on, say, civilian infrastructure, I guarantee it will only happen when all parties have strong defenses in place as well.

So let me suggest that, for all the attention that will no doubt be devoted to the PRISM debate — so relevant to the matter of dealing with terrorist networks — equal time should be given to the matter of developing defenses as strong as the alliances that are being forged against the looming threat of cyberspace-based weapons of mass disruption. For it is possible, in the course of what may become a protracted, divisive domestic debate about big-data intelligence gathering methods, that the crucial need to improve our and our allies’ cyberdefenses will be neglected. The anguish over possibly undue intrusions into our privacy will pale in comparison to the economic, social, and strategic costs that will be inflicted on the world — not just the United States — if we fail to act now to improve cyberdefenses.

John Arquilla earned his degrees in international relations from Rosary College (BA 1975) and Stanford University (MA 1989, PhD 1991). He has been teaching in the special operations program at the United States Naval Postgraduate School since 1993. He also serves as chairman of the Defense Analysis department.

Dr. Arquilla’s teaching interests revolve around the history of irregular warfare, terrorism, and the implications of the information age for society and security.

His books include: Dubious Battles: Aggression, Defeat and the International System (1992); From Troy to Entebbe: Special Operations in Ancient & Modern Times (1996), which was a featured alternate of the Military Book Club; In Athena’s Camp (1997); Networks and Netwars: The Future of Terror, Crime and Militancy (2001), named a notable book of the year by the American Library Association; The Reagan Imprint: Ideas in American Foreign Policy from the Collapse of Communism to the War on Terror (2006); Worst Enemy: The Reluctant Transformation of the American Military (2008), which is about defense reform; Insurgents, Raiders, and Bandits: How Masters of Irregular Warfare Have Shaped Our World (2011); and Afghan Endgames: Strategy and Policy Choices for America’s Longest War (2012).

Dr. Arquilla is also the author of more than one hundred articles dealing with a wide range of topics in military and security affairs. His work has appeared in the leading academic journals and in general publications like The New York Times, Forbes, Foreign Policy Magazine, The Atlantic Monthly, Wired and The New Republic. He is best known for his concept of “netwar” (i.e., the distinct manner in which those organized into networks fight). His vision of “swarm tactics” was selected by The New York Times as one of the “big ideas” of 2001; and in recent years Foreign Policy Magazine has listed him among the world’s “top 100 thinkers.”

In terms of policy experience, Dr. Arquilla worked as a consultant to General Norman Schwarzkopf during Operation Desert Storm, as part of a group of RAND analysts assigned to him. During the Kosovo War, he assisted deputy secretary of defense John Hamre on a range of issues in international information strategy. Since the onset of the war on terror, Dr. Arquilla has focused on assisting special operations forces and other units on practical “field problems.” Most recently, he worked for the White House as a member of a small, nonpartisan team of outsiders asked to articulate new directions for American defense policy.
