The U.S. government needs a comprehensive doctrine addressing cyber security instead of the current patchwork of policies and agencies dealing with cyber threats, according to a group of experts.
The lack of an overarching cyber security doctrine inhibits the ability of the U.S. and its allies to work together and provides little deterrence for groups that attack the U.S., the experts said during an event to unveil a new book, “#Cyberdoc No Borders — No Boundaries” at the Potomac Institute for Policy Studies, a technology and science think tank.
Without a doctrine defining the U.S government’s response to cyber threats, the U.S. will “lurch from crisis to crisis,” said Timothy Sample, co-author of the book, and vice president at the Battelle Memorial Institute Special Programs Organization, another tech and science think tank.
A doctrine could define several aspects of cyber security, including defence against attacks, steps the U.S. will take to deter attacks and ways to safely use the Internet, said Michael Swetnam, co-author and CEO and chairman of the Potomac Institute. The authors wrote the book with the hope of opening a dialog on U.S. cyber security doctrine, he said.
The U.S. government needs to define what kinds of attacks it will respond to, added David Smith, director of the Potomac Institute Cyber Center. While U.S. officials say their networks are attacked thousands of times a day, phishing emails promising to share millions of dollars from a Nigerian bank may not qualify as national security threats worth responding to, he said.
But attacks leading to physical damage, or espionage that leads to large intellectual property losses, may require responses, Smith said. The U.S. government should be concerned with the sheer volume of economic espionage that happens during cyber attacks, he said.
“We’re talking about a massive robbery of American intellectual property,” he said. “We’re basically funding the research and development for the People’s Liberation Army and the armies of the Russian Federation and a few others. That’s serious if that’s what’s really going on.”
The U.S. needs to start thinking about measures to deter those kind of attacks, Smith added. “Deterrence works on a declaratory policy: ‘If you do these things, we will do bad things to you,’” he said. “You don’t have to be explicit: ‘If you do this, we will do exactly that,’ but you need to be pretty firm.”
A U.S. doctrine should include the development of capabilities for a “full range” of deterrence, ranging from diplomacy to military options, Smith said.
Smith discounted concerns that it’s hard to identify the attackers in many cases. Computer forensic methods work better than many people seem to think, he said, and investigators can also look for actions by a country or group outside of cyberspace to find clues.
Other governments should have responsibility for hacking done inside their borders, he added. “At some point, you have to say: ‘I’m not going to worry about attribution. I’ll do the best I can, but I’m going to hold countries responsible for what’s going on inside their borders,’” he said.
While a doctrine is needed, it needs to balance security with the economic benefits of the Internet, said Ronald Marks, president of Intelligence Enterprises, a security consultancy, and a former CIA officer. “If we try to do anything heavy-handed at this point, we’re going to basically step on a market that has developed quite well over the years,” he said.
But the U.S. continues to have major security vulnerabilities, he added. “We’ve had now a market that is really not interested in dealing with security,” he said. “It’s a cost centre in any organisation.”
It will be difficult for the government to get people to change their cyber security behaviours, he added. “How do you, as a government make people behave?” he said. “Do you want to make a law? Do you want to tell people what to do? You know how successful that’s been over time.”