Cybersecurity is in my opinion and the opinion of many in Washington the most significant national security challenge that the United States faces today. We are among the most computer-dependent of societies, and we have the most computer-dependent military and intelligence agencies, in the world. And with computer dependency comes computer vulnerabilities – vulnerabilities that are hard to find and hard to fix. My basic views on the issue are laid out here, in a long review of Richard Clarke’s and Robert Knake’s good book, Cyberwar. I am writing my own book on the topic and hope to write about it a lot in this space over the next year.
But in the meantime, in the last few weeks four important essays on cyberecurity have appeared.
The most significant is Deputy Secretary of Defense William’s Lynn’s essay in Foreign Affairs (subscription needed), Defending a New Domain: The Pentagon’s Cyberstrategy. Lynn begins the essay by revealing that in 2008 the Pentagon suffered “the most significant breach of U.S. military computers ever” when a flash drive inserted into a U.S. military laptop at a base in the Middle East surreptitiously introduced malware into Centcom’s classified and unclassified computer systems. He describes DOD's response to this intrusion, and then explains why DOD is establishing Cyber Command; why it is skeptical about deterrence through retaliation; why arms control agreements are probably not a model for international cybersecurity norms; why the U.S. military “must respond to [cyberattacks] as they happen or even before they arrive;” why the National Security Agency (whose Director is also in charge of Cyber Command) is heavily involved in such “active defenses;” why the Pentagon and NSA should be involved in protecting private civilian critical infrastructure from cyber attack; and much more. I am persuaded by most of this forward-looking essay, but many will find it controversial. In any event, it is indispensable reading as a guide to DOD thinking on the topic.
The second essay, just posted, is Matt Waxman’s article, still in draft, entitled Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4). This is (along with Michael Schmitt’s ground-breaking work) in my view the most sober and interesting discussion yet on how the U.N. Charter’s prohibition on the use of force should apply to cyberattacks. It is conventional wisdom that the Charter’s conceptual framework – grounded in kinetic terms like “uses of force” and “armed attack” – is difficult to translate to the cyber context. Matt goes back to the Cold War and shows that very similar translation problems arose in connection with proxy wars, economic sanctions, and the like, and explains how the lessons of history should inform the modern cyber debate.
Third, Duncan Hollis also recently posted a new draft essay, An e-SOS for Cyberspace. A central problem for cybersecurity is the attribution problem: it is very hard (for reasons that I explain at length in my review) to know where a cyber attack originated or who is responsible for it. That in turn makes it hard to build norms against bad behavior; anonymity is a norm-killer. Duncan proposes to deal with this problem by establishing an international duty among nations to “assist” the victim of a cyber attack, akin to a duty at sea to assist someone who makes an SOS call. As he explains in his abstract, an “e-SOS system could help avoid harms from existing cyberthreats and deter others,” and could “make computer systems and networks more resilient to any harm they impose.” I agree that this could help in theory; the trick, it seems to me, is to reach a verifiable and enforceable agreement to this effect.
I have a similar reaction, finally, to the new essay by Robert Knake (Clarke’s co-author for Cyber War), Internet Governance in an Age of Cyber Insecurity. Robert’s essay is difficult to summarize but worth reading. I find his most of his international proposals unrealistic, for reasons hinted at in my review and that I will explain more fully when I complete an essay on the topic in about a month.