Fighting an Asymmetrical Cyber War: Why We Need to Take a Different Approach




The current issue of Foreign Affairs features an important essay by Wesley Clark and Peter Levin (see bios below), Securing the Information Highway: How to Enhance the United States’ Electronic Defenses. General Clark and Mr. Levin not only succinctly summarize the fact that America remains “an easy target”, especially for “electronically advanced adversaries”, but also spend a considerable amount of time on the topic of supply chain assurance and the massive challenges associated with securing computer chips, the true guts of our nation’s critical IT hardware infrastructure.


At the outset, the authors affirm a stark reality:

“There is no form of military combat more irregular than an electronic attack: it is extremely cheap, is very fast, can be carried out anonymously, and can disrupt or deny critical services precisely at the moment of maximum peril. Everything about the subtlety, complexity, and effectiveness of the assaults already inflicted on the United States’ electronic defenses indicates that other nations have thought carefully about this form of combat. Disturbingly, they seem to understand the vulnerabilities of the United States’ network infrastructure better than many Americans do.”

The most challenging part of the cybersecurity assurance equation from their perspective, with which I agree, is verification at the integrated circuit (IC) level:

“At the rate of one transistor per second, it would take one person 75 years to inspect the transistors on just two devices. . . . finding a few tainted transistors among so many is an exceedingly tedious, difficult, and error-prone task, and in principle an entire electronic system of many chips can be undermined by just a few rogue transistors. … An apparently perfect device can provide a safe harbor for numerous threats– in the form of old and vulnerable chip designs, Trojan horses, or kill switches– that are difficult or impossible to detect.”

Turning to solutions, the authors make a compelling case for an open-source approach to creating an immunization system for U.S. networks, an approach that is very different from the current path that the U.S. is following. They also attribute a significant tactical advantage enjoyed by adversaries planning cyberattacks on the U.S. to two factors. The principal one is “Americans’ false sense of security: the self-delusion that since nothing terrible has happened to the country’s IT infrastructure, nothing will.” Second only to this, they point out that “the passage of time will allow adversaries and cybercriminals to optimize the stealth and destructiveness of their weapons; the longer the U.S. government waits, the more devastating the eventual assault is likely to be.”

I strongly support their assertion that “in addition to building diverse, resilient IT infrastructure, it is crucial to secure the supply chain for hardware.”  They make the very important point that “it makes sense now– just as it made sense during the Clinton years– to purchase components, even those made offshore.  The problem is not foreign sourcing; it is ensuring that foreign-made products are authentic and secure.”


While they do not mention it explicitly, the authors clearly are calling attention to the flawed logic behind the United States’ Trusted Foundry program, which is based on the assumption that only ICs fabricated on U.S. soil can provide 100% assurance. The U.S. ceded the center of gravity in the semiconductor fabrication industry to Asia many years ago. With 17% or less of the global semiconductor fabrication infrastructure physically in the U.S., and with inherent cost disadvantages relative to international competition in the pricing of ICs, hardware assurance for critical infrastructure in the U.S. can only be achieved through innovative and collaborative efforts that are international in scope.

The authors conclude, and I agree, with the following:

“Unfortunately, much of the relevant information, such as DARPA’s TRUST in Integrated Circuits program, is classified. Confidentiality will not necessarily help ensure that the nation’s information assets are well protected or that its cyberdefense resources are well deployed. In fact, because many of the best-trained and most creative experts work in the private sector, blanket secrecy will limit the government’s ability to attract new innovations that could serve the public interest. Washington would be better off following a more ‘open-source’ approach to information sharing.”

WESLEY K. CLARK, a retired four-star General, was Supreme Commander of NATO from 1997 to 2000, led the alliance of military forces in the 1999 Kosovo War, and is a Senior Fellow at the Ron Burkle Center for International Relations at UCLA. PETER L. LEVIN was the founding CEO of the cybersecurity company DAFCA and is now Chief Technology Officer and Senior Adviser to the Secretary at the Department of Veterans Affairs. The views expressed in this article do not necessarily represent the views of the U.S. government.
