Cybersecurity and Cyberwar (page 34)

Authors: Peter W. Singer, Allan Friedman

Rethink Government's Role: How Can We Better Organize for Cybersecurity?

The cyber world is a place of exponentials, from the continual growth of online information, literally multiplying upon itself year after year, to the equivalent growth of online threats. But there is one piece that doesn't work at exponential speed: the government. It moves at a glacial pace, if that.

In 2004, the Government Accountability Office identified a set of characteristics that the US executive branch needed in a national cybersecurity strategy (as American writers, we focus on the United States, but the lessons below apply to most every other country). It encompassed everything from allocating resources to defining policies and helping to ensure accountability. A full decade later, the GAO reported that the White House was essentially at the same point. “No overarching cybersecurity strategy has been developed that articulates priority actions, assigns responsibilities for performing them, and sets timeframes for their completion.”

At the other end of Pennsylvania Avenue, the legislative branch was no further along. Congress was certainly interested in cybersecurity, holding as many as sixty hearings a year to talk about it. But it wasn't able to pass a single piece of major cybersecurity legislation between 2002 and the writing of this book more than a decade later.

It is not that the government isn't taking cybersecurity action. Indeed, time and again, major governmental programs have taken shape, from Cyber Command to Stuxnet. Rather, it is the government's pace that is different, which matters greatly when thinking about how it can better organize for cybersecurity.

One of the best examples of the US government acting quickly to reorganize itself for cybersecurity actually illustrates the complexities of policy change. The Federal Risk and Authorization Management Program, or FedRAMP certification, was a program launched in 2013 that allowed, for the first time, a government contractor to be cleared just once to provide services for the entire civilian US government. This was a huge step forward, as it replaced a structure that had each and every agency performing its own mandatory security examination.

The process was celebrated with some irony in the media, as it took “only six months” for the first provider to win approval, which is a lifetime in the cyber world. But when one looks at the structure required for FedRAMP, that six months seems blindingly fast for the federal government. The Office of Management and Budget has legal responsibility for ensuring each federal agency is secure, and it delegates enforcement to the General Services Administration, which oversees FedRAMP. In turn, the Department of Defense and the Department of Homeland Security design the risk assessment process with technical support from the National Institute of Standards and Technology inside the Department of Commerce. Guidance and cross-agency coordination are provided by the government-wide CIO Council. So six months is, in fact, an impressively short amount of time, when you consider all the players and steps.

The outcome of this disconnect of time, problem, and organization is that government efforts in cybersecurity are a patchwork of agencies and projects, often with little clear strategy and mixed levels of control. As we explored in Part II, the defense and intelligence establishments have the largest footprint organizationally in the cyber domain, simply because they have focused on attacking other networks and defending their own for so long. Beyond securing themselves, their experts, particularly in the NSA, occasionally share that expertise with other agencies and sometimes with the private sector for issues of national interest. For instance, the NSA and DoD have worked together to share attack signatures with a group of critical defense contractors, while the NSA agreed to offer technical support to Google following attacks in 2010 and to the financial industry following a series of DDoS attacks in 2012.

Relying on intelligence organizations for on-call protection and outsourced expertise may be the default mode, but it raises a number of concerns. First, there is always the question of privacy and the legal safeguards that are supposed to prevent intelligence agencies like the NSA or CIA (which are supposed to be focused on foreign threats) from gathering information about their own citizens. This is a huge area of controversy; in a number of instances the NSA has gathered information on US citizens' Internet activity without a warrant, either through their communications with foreign citizens or via massive levels of data mining of everything from online bank transactions to travel records. Much of this remains in the classified realm, but the rough privacy protection mechanism requires that the information be generalized; pulling out specific information on an individual is supposed to require a warrant. However, a long trail of scandals and abuses that run from the NSA's Prism and Verizon scandal in 2013 (as revealed by the Edward Snowden leaks) to the 2005 controversy over warrantless surveillance programs ordered by the George W. Bush administration, to the CIA and NSA roles in the illegal domestic phone wiretaps under President Nixon, show why many do not trust the sort of protections that are supposed to be baked into such arrangements.

Second, the intelligence establishment has a strong focus on espionage and the ability to exploit other systems. Their mission also includes building in backdoors to communication networks and maintaining open exploits to attack other nations' systems, which, of course, can run counter to a solely defensive focus. You wouldn't always want to close all the open doors if you depended on them being open elsewhere. Finally, these agencies also operate with less oversight and transparency than normal agencies; their sources and methods must be kept secret for operational reasons, which can sometimes be a problem in cyber defense, in which information sharing is paramount.

While the military and the intelligence community have much of the capital, both human and technical, the official lead for American cybersecurity policy falls to the Department of Homeland Security (DHS). Unfortunately, that leadership role has so far come with relatively little in the way of enforcement authority. DHS coordinates the security of the civilian government networks and is directed to work with the private sector. Yet legal analysis in 2012 found that with great responsibility has come little power. DHS provides support to both the government and critical infrastructure but cannot compel any specific action. In response to an attack, “even when existing [legal] authorities provide DHS with responsibility to intervene during a cyber incident, they may not fully support actions necessary to manage and coordinate cyber incident response.”

The same story also holds in the comparative budget numbers. DHS spent $459 million on its various cybersecurity programs in 2012. The Pentagon spent roughly eight times as much, not even including the NSA's classified budget (roughly $10.5 billion according to the Snowden leaks).

Despite unclear authorities and a much smaller budget, DHS has become the central square in the American patchwork of cybersecurity policy. Its United States Computer Emergency Response Team (US-CERT) serves as a hub of technical expertise, collaboration, and security information dissemination. A similar organization exists for industrial control systems, such as those that run water treatment plants and the power grid. Where DHS has been perhaps most effective is as an advocate for new technical security measures, including the security of the domain name system.

Instead of DHS, it is the government regulatory bodies in the United States that are the primary authority for the cybersecurity issues of their respective industries. They are often aided by the National Institute of Standards and Technology (NIST), which is located in the Department of Commerce. NIST is the federal agency that works with industry to develop and apply technology, measurements, and standards in everything from the weights used at grocery stores to the primary building blocks of information systems, such as hash functions. NIST experts have developed standards and frameworks for areas where industry has no clear consensus on new technologies such as cloud computing and digital identity. Occasionally, they will weigh in on security in specific applications, such as electronic voting or electronic medical records, but their primary focus has been to offer guidance on the technical components that apply to many different sectors. NIST expertise may take the form of formal, prescriptive standards developed with input from industry, but it can also come with a lighter touch, such as through published best practices and research reports.

Sometimes this organizational setup works well. For banks, the Federal Reserve sets policies on the transfer of money between banks. This includes consumer protection for unauthorized transfers: the consumer is only liable for a maximum of $50, regardless of what was stolen from the account, or how it was stolen. By clearly assigning responsibility for fraud, this policy has forced the banks to develop fraud detection practices themselves. And, as we've explored, the banks have incentives to take cybersecurity seriously since they both understand and more directly feel the costs if they don't.

The problem is when the incentives are not aligned or where government regulatory agencies are not so focused, set unclear standards, or have overlapping authority or gaps in it. In contrast to the clear liability of credit card processors for fraudulent transactions, for instance, the electricity sector is a mess when it comes to cybersecurity organization. Generation, transmission, and distribution are governed by separate entities. This leads to both overlapping regulations and gaps in coverage. Both NIST and the North American Electricity Reliability Corporation (NERC) are responsible for developing Smart Grid standards, but neither has an explicit responsibility to lead security initiatives. Furthermore, the distribution layer of the power grid is not covered by either entity, creating a situation where two agencies simultaneously have and do not have the ability to set security standards.

Absent a uniform strategy, the dominant approach has been for each regulatory agency to look after its own industry. But the result, as the CEO of one cybersecurity firm told us, is that “The ‘most critical' of the critical infrastructure are the biggest laggers in cybersecurity.” While much attention has been paid to securing areas like finance, where the incentives are more in alignment for regulation and investment, other areas of even more core importance and danger like water control, chemical industry, or the ports have almost none. In 2013, for instance, a study we helped guide of six major American ports found only one had any proper level of cybersecurity, due to the fact that the Coast Guard and Department of Transportation officials, who are in charge of regulating and protecting the ports, had literally no power or expertise in the area.

This is why many have called for more national standards, especially for critical infrastructure industries. This has been the target of recent attempts at legislation. However, the idea of dictating security requirements at a legal level raises the hackles of many. They argue that firms always know best and always have the best incentives to protect themselves (something we've seen the opposite of over the course of this book). Of course, the very same arguments were made against regulation of the shipping community prior to the Titanic and of the nuclear power industry pre-Three Mile Island. So, as of now, the bills to establish standards have failed and Congress has not empowered regulators with any further legal tools to foster information security in industry.

With no new laws, in 2013, the Obama White House directed its executive agencies to “use their existing authorities to provide better cybersecurity for the Nation.” But what this meant in execution remains opaque. This returns us to the question of coordination and broad strategy. What is missing most is a clear delineation of authority and leadership across the board for cybersecurity, setting more consistent standards and approaches in what does exist. The present mix is the worst of both worlds. It leads to increased expenses, where firms either aren't held to standards or have to sort out what regulation must be complied with. It also dilutes the ability of any agency to effect meaningful change and can create dangerous gaps in regulation that bad guys can hide in.

Besides establishing more consistent standards and ideally an update to legislation, there are other levers that governments can use to shape cybersecurity policy. One is buying power. As the country's largest purchaser of just about everything, the government has the capacity to affect the market, not just as a regulator but as a client. As one policy report noted, “Security requirements set by U.S. government procurement policies have the potential to become standardized for inclusion by other consumers, giving the government the ability to guide and direct industry developments in ways that would not be possible through legislation or regulation.” This blends the role of customer and policymaker by subtly selecting IT security solutions at large scales. There is a caveat: it is no longer 1960 and the government no longer is the main player in the world of computers. The head of IT lobbying organization TechAmerica testified in 2010, “The Department of Defense accounts for only slightly more than 0.1 percent of all information technology expenditures worldwide.” The tool should be used, but no one should think it a silver bullet.

The government is still a large enough market—almost $100 billion each year—that it can drive some change. Even if it can't simply demand that the systems it buys are 100 percent secure, it can mandate some accountability for where those systems come from and how they are produced. This will help bring attention to the “supply chain problem,” highlighting the risks of the hardware we use as the building blocks for just about everything. Since the supply chain for these parts spans countless countries and companies, attackers can introduce corrupt or malicious components upstream of the final vendor. Use of electronics is ubiquitous, so that, as one industry observer noted, “a $100 microchip might keep a $100 million helicopter on the ground.” Not only do we have scant protection against this attack, but it's currently difficult for any vendor to know who was involved in the upstream production to certify their security.
