Despite concerns about the impact of debt ceiling spending cuts, 2011 is shaping up as a break-out year for the cyber defence industry. Amid tightening defence budgets and the wind-down of major operations in Afghanistan, cyber defence is a growth area, because policy makers are becoming more and more worried about the vulnerability of their governments and largest corporations to commercial and national security espionage, online activism and organised crime.
There were concerns overnight that the debt ceiling might limit cyber defence growth but no sooner had those concerns been uttered than it was revealed the Pentagon’s research arm was intending to spend up to $42 million trying to track what’s happening on social media. That’s part of a $2.3 billion spend next year on cyber security by the Pentagon alone next year.
Cyber defence covers myriad activities. There’s online theft, fraud, identity theft and espionage. There are denial of service attacks, and sabotage, and malware. It covers criminals, spies, states, activists and hackers. And then there’s the apparent danger of ideas themselves to spread virus-like on the internet. In bizarre remarks to a security conference last week, the head of ASIO, David Irvine, made this highly-revealing complaint:
The rampant use of the internet, the democratisation of communication, has resulted in new and effective means for individuals to propagate and absorb unfettered ideas and information and to be radicalised — literally, in their lounge rooms.
Hyping the internet as a potential source of significant or even existential threats isn’t new. Leon Panetta, then CIA chief, warned in February that “the potential for the next Pearl Harbor could very well be a cyber attack”, and repeated the threat at his confirmation hearings for Defence Secretary in June, saying “the next Pearl Harbor we confront could very well be a cyber attack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems … we have to aggressively be able to counter that. It is going to take both defensive measures as well as aggressive measures to deal with it.”
For cyber defence contractors, Panetta’s statements are less a warning than a cry of “come and get it”.
Panetta’s words echo claims that date back to the 1990s; in fact Pearl Harbor references have long been a favourite phrase of what cyber security columnist Jerry Brito calls “cyber hawks”. In July, the appalling Joe Lieberman called for a “gold standard” in cyber defence. “The alternative could be a digital Pearl Harbor — and another day of infamy.”
The outbreak of warnings about “cyber Pearl Harbors” have been accompanied by a flurry of activity. Earlier this month (correction, in July), the Pentagon launched a new, if rather high-level cyber strategy, and in May the White House launched its own International Strategy for Cyberspace. In October last year, the UK government committed £650 million to cyber defence, with a strategy announced in April this year. The Canadian government announced one late last year as well. In June, a draft report for NATO, general rapporteur Lord Jopling warned of the need to protect against “asymmetrical attacks” by online activists. And the Australian government announced in June that it was developing its own cyber white paper.
While governments have been ramping up the rhetoric and funding and putting together strategies, academics and consultants have been trying to match them. Earlier this year, two US defence academics argued it was time for the US to ape China’s internet censorship strategy and “close the frontier” by imposing borders on the internet, enabling the US to impose greater online control and identify the source of attacks. They also argued the US should lead the world in establishing an offensive cyber military capability that could “attack, defend, and collect information globally”, in contrast to continental European dithering “mired in lengthy debates on civil liberties and economic progress threats”.
This proposed translation online of the good ol’ boy adventurism that has served the US so well in the past decade was taken further by former CIA and National Security Agency director Michael Hayden, who last week called for consideration of the use of mercenaries to counter cyber threats, through a “digital Blackwater”, named after the murderous military services company responsible for almost systematic human rights violations in Iraq and Afghanistan (where Blackwater continues to operate in reputation-management name-change form, as Xe). Hayden:
I mean, we have privatised certain defence activities even in physical space and now you’ve got a new domain in which we don’t have any paths trampled down in the forest in terms of what it is we expect the government or will allow the government to do
But some are refusing to be caught up in the hype. Howard Schmidt, President Obama’s cyber security co-ordinator, has explicitly rejected and criticised the war analogy. This distinction is more than rhetorical. As the steady erosion of civil liberties over the course of the War on Terror demonstrated, framing something as a war justifies violations of civil rights in a way that mere law enforcement can never do, as Brito observed.
In any event, it is difficult to conceive of an event that could resemble anything like a “cyber Pearl Harbour”. “Cyberhawks” conjure scenarios such as water systems being contaminated remotely, power grids being shut down, nuclear power plants being made to explode or ATC systems being used to crash aircraft, without any explanation of how difficult, or impossible, such acts might be. Moreover, similar or much worse disasters have actually befallen the US in recent years — hurricane Katrina, for example, or even the blackout in the north-eastern US in 2003 — with damage confined to the immediate stricken area. In a 2006 paper on cyber security and critical infrastructure, a senior US foreign policy specialist argued “it remains unclear, however, if even a skilled opponent can translate the degradation of key infrastructure services into military advantage for a conflict whose combat phase is likely to be of short duration and depend more on existing inventories”.
In short, the actual threat of a “cyber Pearl Harbor” appears wildly overstated.
Tomorrow: the deliberate confusion that justifies ever greater internet controls.