The Rules of Cyber-Engagement

The Obama administration is close to approving the nation’s first set of rules for how the military can defend or retaliate against a major cyberattack, according to a report last month in The New York Times. One such new rule would reportedly give the president power to order a pre-emptive strike if the U.S. detects a credible threat from a foreign adversary. We asked William Robertson, an expert in detecting and preventing Web-based attacks and an assistant professor with dual appointments in the College of Engineering and the College of Computer and Information Science, to assess this potential new policy and the growing cyberarms race.

Former Defense Secretary Leon E. Panetta has warned that a cyberattack from a foreign nation or extremist group could be equally as destructive as the terrorist attack of 9/11. What would a cyber-9/11 look like and how does the president’s power to order a pre-emptive cyberstrike against a foreign adversary impact the chances of such an attack?

The term “cyber-9/11” is quite clearly meant to conjure up imagery surrounding the nation’s shock in reaction to the airliner hijackings of 2001. One commonality between those attacks and an imagined cyber-9/11 is the element of surprise, where the attackers might very well execute an operation against the nation without advance detection. A strike against the nation’s critical infrastructure—such as the power distribution network or air traffic control—could have far-reaching effects that harm or in some other way affect millions of Americans.

One can interpret the recent reported strategizing by the administration on the preemptive use of cyberweapons as a form of deterrence against would-be attackers, in much the same way that our nation’s conventional military serves as a deterrent to potential adversaries. Given the history of alleged attacks against American assets by foreign actors located in China and Russia, it is quite possible that the recent decision to allow for preemptive cyberattacks is aimed squarely at nations such as these.

Unfortunately, deterrence only goes so far. It’s unlikely to be effective against those adversaries that either do not anticipate experiencing great harm from a preemptive cyberattack—for instance, if attack attribution is difficult or the attackers do not possess significant technological assets—or the attackers have sufficient motivations—e.g., religious or political—that they are willing to risk the consequences.

The Washington Post recently reported the Pentagon is planning to significantly expand the Defense Department’s Cyber Command to counter attacks against the nation’s computer networks and execute operations on foreign adversaries. From your vantage point as a co-principal investigator of a $4.5 million grant from the National Science Foundation to train the next generation of cyberdetectives, why is the federal government having such a difficult time finding and training qualified cyberspecialists?

One reason for the difficulty in recruiting cyberoperators is simply the scarcity of qualified labor. People with the necessary skills are few and far between, and this shortage is evident in both government and industry circles. A related difficulty is that not every candidate who possesses the requisite technical background has the temperament or inclination for these jobs. Both defensive and offensive roles are stressful and demanding, and as in the case of the conventional military, many choose career paths that do not involve these characteristics.

Another consideration is that convincing top talent to work in a state or federal role can be an uphill battle. Government is competing for a small pool of candidates that can quite easily command large salaries and benefits in the private sector, either by working for any number of established security companies or as freelance consultants.

According to reports, critics have suggested that contractors and consultants looking for a big payday are overstating the cyberthreats to the nation’s critical infrastructure. Where should the potential for a catastrophic cyberattack rank on the federal government’s list of security concerns?

In my opinion, preparation for catastrophic cyberattacks should be a top priority for government, in cooperation with industry. Those who work in security are all too aware of the fact that our systems are already being attacked, our data is already being exfiltrated, and our infrastructure has already been demonstrated to be “porous” at best. When you consider that bolstering our defenses against catastrophic attacks will also likely translate to a more secure posture against the low-intensity cybercold war that we are already experiencing, as well as stimulate the creation of new jobs and technologies, it would seem to be the forward-thinking direction to move.