On the second and final day of the Global Cyber Innovation Summit in Baltimore’s Fells Point, the focus shifted to the dynamics of cyber conflict.
Author and cybersecurity expert Richard Clarke opened the conference on May 2nd with a discussion about some of the conclusions he reaches in his forthcoming book, Fifth Domain. He observed that his earlier book, Cyber War, written with Robert Knake and published in 2010, had drawn scoffing reviews as being nothing more than alarmist fiction. He noted with satisfaction that much of what they predicted, especially their claim that we’d soon see the rise of military offensive operations in cyberspace, including attacks on infrastructure, had been borne out by the events of the last few years. Clarke, a US State Department veteran and former National Coordinator for Security, Infrastructure Protection and Counter-terrorism, is currently chairman of Good Harbor Security Risk Management. [Note: Updated 5.9.19 to correct the reference to Mr. Clarke's current position.]
An unusual note of optimism about cyber defense.
But, interestingly, he wanted to draw attention to some of the positive developments that he and his coauthor did not foresee. Specifically, he argued that the last few years had shown that existing technology, properly applied, can indeed defend the corporate network. He has seen that corporate leadership that understands the risk to the company can, through appropriate levels of investment in cybersecurity, make security a priority, and when that happens, companies are generally successful in fending off attacks.
He offered NotPetya as his proof case, taking it as grounds for optimism. NotPetya was a Russian military action against Ukraine, but many companies around the world were collateral damage, and that damage was severe. But a lot of other companies deflected the attack, and "these are the dogs that didn't bark."
The Government’s role might be diplomacy and regulation.
And he argued that companies should defend themselves, and not expect Cyber Command or other elements of the US military to protect them in cyberspace. He offered a sourly realistic review of the military’s failures to protect its own weapons and networks, and suggested that the military is therefore not the place to look for defense of the private sector. He did note language in a recent Defense Authorization Act stating, blandly and offhandedly, that the US military was authorized, in effect, to hack adversary systems in peacetime. Clarke viewed this as a positive sign that the “government lawyers,” as he characterized them, who had regarded such offensive cyber action as illegal under Title 10, have been effectively overruled. “Now there’s every reason to think Cyber Command is doing that,” he said, and he added, “They weren’t doing that before.”
He saw three areas in which Federal action can make a positive contribution. First, appropriate regulation, particularly in electrical power and election security. Clarke sees the potential for regulation to have the sort of positive effects he argued it had on the financial sector. Second, investment in research, particularly in defensive artificial intelligence and machine learning. And third, in diplomacy. There were some genuine achievements in arms control during the Cold War, and Clarke thinks there are reasons to hope for comparable diplomatic success with respect to cyber conflict.
Don’t give the opposition reason to think it can win.
He closed with general observations on conflict, and with a plea for an understanding of how the Federal government can help. Reflecting on his early career in nuclear arms control negotiation, he remarked that, “Crisis instability comes when an aggressor thinks it can win.” When the offense thinks it has an advantage and the defense isn’t credible, you’re in a dangerous phase.