Sunday, March 7, 2010

Fear, Uncertainty, and Doubt

Flipping through my Google Reader this morning, I noticed this gem of a quote from Michael Chertoff, former head of the Department of Homeland Security. Chertoff was speaking on a panel at the RSA conference about the need for improving cyber attack attribution capabilities. According to a Computer World article, Chertoff noted that "the difficult task of identifying the true sources of cyber attacks remains one of the biggest challenges in the development of a national cybersecurity strategy." Further, Chertoff observed that "by comparison, physical attacks are relatively easy to track down and respond to." Specifically, Chertoff said, "In the Cold War we could attribute an attack. It was clear where it came from and we could respond."

Umm, correct me if I'm wrong, but the FBI closed the case on the 2001 anthrax attacks in February 2010 after formally charging Bruce Ivins in 2008. I submit that assigning attribution in this attack was not relatively easy.

The problem with Chertoff's thinking, and that of many policy makers, is a Cold War mindset. In the post-Cold War/globalized/GWOT/whatever-you-want-to-call-it world, attacks can be carried out by anyone, anywhere, at any time. This makes attribution hard in any form of attack - physical or digital.

1 comment:

dana said...

Throughout history, and particularly during the Cold War, we relied on identifying our enemy and being able to accurately identify attacks coming from the enemy in order to craft our deterrence strategies—we first identified our enemy, and then communicated to him that if he attacked us, we would know it was him, and we would punish him.

But today, attacks can come from anywhere—from both state and non-state actors all over the world. Where we had one enemy during the Cold War, we now have literally limitless potential threats. And not only can attacks come from anywhere, but attribution is much more difficult than it was during the Cold War. We can no longer count on identifying the enemy and being able to quickly and accurately identify the source of attacks as a prerequisite for deterrence.

Therefore, instead of trying to identify all of our potential enemies and attribute attacks to their source in order to achieve deterrence, we need to adopt a new deterrence strategy. We need to look to the root of deterrence—the cost/benefit equation whereby a rational actor will only attack an enemy if the benefits outweigh the costs. The old Cold War deterrence relied on direct communication with our enemy to convince him that our punishment would outweigh any potential benefit of attacking us, but today we need to use this cost/benefit equation in a different way. Instead of communicating directly and specifically with a known enemy, we need to increase security and go on the offense so that we make it so difficult to attack the U.S. that the costs of trying will outweigh any benefit that might be gained. In short, we need to raise the costs—both intellectual and material—that it takes to wage either a cyber or a physical attack on the U.S. so that would-be attackers will decide it’s just not worth it to try. This is probably our only bet for achieving deterrence in the post-Cold War world. If we get hung up on attribution and the problem of identifying the enemy, we’re just not going to get anywhere.