Risk management, cyber operations, and the Westphalian system.
SecurityWeek's 2019 ICS Cyber Security Conference opened its second day with a fireside chat with retired Admiral Mike Rogers, formerly Director, US National Security Agency, and Commander, US Cyber Command. He offered a view of international conflict in cyberspace, and argued for taking the opposition's strategic objectives into account when one evaluates risk.
He reviewed the strategic motives of the opposition in cyberspace. Singling out North Korea, Russia, and China, he noted that these adversaries have different motives. North Korea seeks to circumvent the international sanctions that continue to strangle its economy. Russia’s goal is basically disruption, with Moscow strongly interested in eroding trust in Western, and especially in US, institutions. China works in the service of its economic development, and its characteristic activity is intellectual property theft. What they have in common, however, is an understanding of cyber as embodying new military and espionage capabilities, and they use those capabilities in the service of their strategic objectives.
Thus Admiral Rogers made a case for approaching cybersecurity, in the context of national security, as a risk management problem. And, he argued, sound risk management should begin with an appreciation of the opposition's strategic goals.
When we work through that risk calculus, he emphasized that we inevitably work with constrained financial and human resources. We can't, he said, "buy or human-capital our way out of the problem." Instead, we need to take risk-based decisions, and to make sure that those decisions are informed by a sound understanding of the opposition's strategy.
We have to prioritize what we defend. As he put it, “If someone takes down an unclassified website, who cares, really?” But if they get into a nuclear command-and-control system, that’s a very serious matter indeed.
Responding passively places us on the wrong side of the cost equation, Admiral Rogers argued. In any conflict, “I want to engage in actions that shape my adversary’s choices. I want to drive him to make choices that benefit me.” This is as true in cyberspace as it is in any other domain. He thinks that the future is about building integrated, multi-disciplinary teams. “You can’t improvise teams in a crisis,” as he put it. They must be formed in advance, and exercised appropriately. If you do this, then you have a proper basis for cooperation, and in a crisis you’re so much smarter and faster. One lesson he learned from Russian cyber operations in 2016 was the importance of communicating at high levels. “We thought that informing the normal working level in the private sector was sufficient,” he said. “If we were to do it over, we should have taken it to CEOs, CISOs, and not the lower levels.” Thus the teams assembled need to include high-level participants.
And of course effective cooperation for security requires effective information sharing. Admiral Rogers said, “The pain of the one has to lead to the benefit of the many. If it doesn’t, then the pain of the one is forgotten, and is repeated over, and over, and over again.”
Discussion of nation-state activity against industrial control systems inevitably raises questions about where responsibility for an appropriate response lies. Admiral Rogers pointed out that “A response always starts with the question, are you confident you know who did this?” This isn’t easy to determine. False flags are becoming more common, especially since one of the Russians’ takeaways from their experience in 2016 running information operations against the US is that they need to cover their tracks.
For this reason, and for others, he takes the view that hacking back, as it’s popularly called, is a non-starter. “I’m a believer in the Westphalian model, in which the application of force is fundamentally a governmental responsibility.” Drawing upon an example he used in his days at NSA and Cyber Command, he said that, if you’re the sheriff trying to keep order in a town, the last thing you want is more people walking down the street carrying guns. There’s a spectrum of purely defensive actions that private companies can take, but there are, he said, massive liability questions surrounding any of the active measures people talk about.
And he closed with an observation about kinetic versus cyber responses. The response to a cyberattack need not itself be a cyber reprisal. Whenever there’s a cyberattack, that attack has a physical dimension to it. There’s server, for example, at a specific latitude and longitude. There’s a human being at a keyboard. How to respond should be governed in all cases by the traditional laws of war, and how to respond should above all be determined by considerations of proportionality.