Monday, April 27, 2009

Comparing the Strategic Defense Initiative and the Comprehensive National Cybersecurity Initiative

This past week, during a panel discussion I moderated at RSA on how lessons from the Cold War could be applied to cyber conflict, an interesting line of discussion emerged. A member of the audience compared the use of cyber warfare strategies and tactics to the Strategic Defense Initiative (SDI).

While I am typicall skeptical of embracing historical analogies due to their frailties and tendency to lead policy makers astray, the similarities between cyber warfare and SDI are appealing enough to warrant further investigation. Our panel discussion and further in-depth discussions with colleagues revealed the followed parallels:
  • During the Cold War, the Soviet Union felt compelled to invest increased amounts of resources into its nuclear weapons delivery systems in an effort to counter the purported defensive capabilities of SDI.
  • In response to the threat of cyber warfare, the United States feels compelled to invest increased amounts of resources into cyber defenses designed to protect critical infrastructure targets. The Bush administration's Comprehensive National Cyber Security Initiative reportedly allocated close to $30 billion over the life of the program.
  • In both cases, the efficacy of the strategies and tactics were unproven. SDI was never fully deployed, but the mere idea of a space based ballistic missile defense system spooked the Russians into allocating extra resources to countering its purported capabilities. Similarly, advanced cyber warfare strategies are at this moment theoretical. Yes, Estonia and Georgia have been attacked by crippling DDoS attacks, but large-scale coordinated attacks against critical infrastructure targets like the power grid have not yet been proven possible. While it is unclear whether or not the grid could be taken down by remote attackers, we are frantically spending money to counter this threat.
  • In each case, the Soviet Union and the United States response appears to have been based on fear and not inspiration.
Do not get me wrong, I am not claiming we should ignore cyber security. Nor am I stating that cyber attacks against critical infrastructure are to be dismissed as fantasy. Rather, it is my feeling that our cyber security programs should be based on more than desperation and fear. For example, rather than respond with frantic patching and other point defensive measures, it would make more sense to use the threat to critical infrastructure as a tool to sponsor and encourage more secure coding initiatives. As my friend Ed Skoudis points out, software engineers in the United States are not required to study secure programming in order to earn a computer science degree. It would seem that the Federal Government would be smart to invest more of its $30 billion allocated to CNCI towards sponsoring education programs designed to foster secure software design.

As my colleague Dave Sulek likes to say, policy responses based solely on desperation without any hope or inspiration are destined to fail. In order to properly address the cyber security problem, we must seek to adopt policy prescriptions that are equal part inspiration and desperation.


Chris Ensey said...

Great perspective! Proactive security process, education and policy investment over the defacto "spray and pray" / reactive methodology that we currently have in place.

Ned Moran said...


Thanks for the kind words. Im glad you found the piece useful.

Jane said...

I completely agree that there are measures that the Federal Government can take before resulting to rash decisions and expensive actions (ie: utilizing the SDI). Thus, education is pivotal in transforming views on cypersecurity and ensuring more comprehensive and effective protection for it. I also believe the public would more readily support spending $30 billion on cybersecurity education, as it would be more justified as a long term initiative. However, the main factor that is preventing such an approach towards cypersecurity is public opinion itself.
In Robert O'Harrow's No Place to Hide, the class learned that an increasingly "cyber society" (as I will call it) generates certain mistrust of the government and companies. Although O'Harrow's "data-driven surveillance society" deals more specifically with companies and the increasing loss of security for the online consumer, No Place to Hide is a useful lesson in considering the attitudes of the public when creating a cybersecurity platform--if the public is not even protected from identity theft, how can any intuitive proclaim to protect the public from full blown cyperwarfare? I personally believe cyberwar is the future, and is even occurring right now, but I still need to be convinced that the Federal Government is justified in protecting us against something many citizens do not believe is occurring. Ultimately, pretending that we are safe because we've spent millions of dollars on something that will ease our cybersecurity worries is not the same as knowing that there are people are capable of defending our infrastructure.

Carolina P said...

While reading this blog-post, I was shocked to learn that software engineers are not required to take a class in secure programming in their completion of a computer science degree. To me this makes no sense at all, doesn’t our society, and more obviously those involved with computer programming understand what a huge issue cybersecurity is?
I agree with you Ned, instead of waiting for a potential threat to arise and then retaliating with an emotionally-driven response of fear, it makes much more sense to deal with the problem earlier by creating a strong foundation of knowledgeable people who will have experience in how to proceed in the case of a serious threat. As is mentioned in the “hacker camp” article, numerous countries have already begun to recruit kids with the computer skills through hacking challenges, eventually creating a web of people capable of protecting their countries’ from foreign hackers. The United States cannot afford to be left behind as other countries forge ahead, leaving the US more vulnerable and ultimately more likely to respond to an attack in a less deliberated and more emotionally impulsive manner. The Federal Government absolutely has to start investing in the implementation of secure programming education among the youth of today.

Grace said...

I thought this post gave a very interesting perspective into the somewhat bureaucratic nature of the surety world. In agreement with the other posts, it doesn’t make sense to use only fearful tactics, especially when other countries are taking a more educational perspective. Once again we find the United States being out competed by other countries in terms of science and technological advancement. We are leaving the US vulnerable for attack when we let other countries pass us in any field; we are leaving ourselves especially vulnerable when we passively although other countries, and worse, ill-intentioned groups, like terrorists to advance beyond us.
This post made me think of two outside-class analogies. One regards International Relations theory about offensive and defensive balancing. The theory explains that some actors put resources in protecting what is already had; other actors attempt to attack preemptively or, in general, have a much more offensive attitude. The defensive, protective, actions have frequently proven more affective in attaining and maintaining power. In addition, this article reminded me somewhat of the healthcare debate we are having in this country. Currently, we spend much more money in the treatment of disease rather than the prevention of disease. We frequently hear rhetoric from President Obama about how if we spent more money on the prevention of disease we could save money in the long run, and improve the quality of the end of life for many people.
In the same way—if we improve our technologies early, like other countries are beginning to do, we would be taking preventive measures against cyber attack –rooted in inspiration rather than fear.