U.S. should aim for cyber resilience, former DOD official says

Offense now trumps defense in the emerging theater of cyberwar, and the United Sates should focus on making its critical infrastructure resilient enough to withstand and deter attacks, former Assistant Defense Secretary Franklin Kramer said Tuesday at the Black Hat Federal Briefings in Arlington, Va.

“The current system can be made much better, but is not fully fixable,” Kramer said in his opening keynote to an audience of federal and private sector security professionals. He warned against letting the perfect become the enemy of the good and said the goal of defending critical infrastructure should be resilience rather than invulnerability. “Good enough is not a bad goal.”

Kramer, a national security and international affairs expert who was assistant secretary of defense for international security affairs under President Clinton, said cyberdefense requires the cooperation of public and private sectors and suggested establishing a Skunk Works to advance the art.

Related stories:

FERC lacks the juice to enforce smart grid security, study finds

WikiWars: The face of future conflicts

Skunk Works, a name first applied to the Lockheed Martin Advanced Development Program for developing advanced aircraft, has come to be used for a program that can rapidly bring together technical expertise across a variety of fields with minimum bureaucracy and maximum autonomy.

“We have really only begun to think about cyber conflict,” Kramer said. He described it as a rapidly evolving area that will require a capacity for both offensive and defensive action, a fact that has been recognized in the establishment of the U.S. Cyber Command. But the boundaries cyber and kinetic warfare and the parameters of response are policy issues that still are being worked out.

“There has been a lot of discussion about whether we’re already in a cyberwar,” he said.

Incidents of the past two years illustrate that cyber conflict, if not full scale war, is here, he said. He cited the apparent use of cyber attacks by Russia during its 2008 war with Georgia, Chinese hacks against Google and other companies, the WikiLeaks exposure of classified U.S. documents and the emergence of Stuxnet as an apparent stealth weapon.

Kramer said that most cyber conflicts probably will fall into a gray area that characterizes much current military activity, “conflict but not war.”

The U.S. response to provocations and attacks in this area short of war include a full range of responses, including diplomatic and economic, as well as military measures. This will hold true in cyber conflicts as well, Kramer said. “This does not mean only cyber on cyber.” Response to a cyber attack also could include kinetic response from traditional weapons and still fall short of full scale war.

But there are some key differences in the cyber arena, Kramer said. The ease of entry by non-nation states and the ease of use of cyber weapons could make it easier for a cyber conflict to escalate and more difficult to contain. It also is uncertain whether the United States will be able to dominate a battlefield in cyberspace the way it can count on doing in traditional warfare.

These factors, along with the usual trend in technology for functionality to outrun security, give an advantage to offense and put a premium on beefing up defenses of our critical infrastructure. Kramer cited the current level of security in the nation’s electric grid as an example.

“It’s not enough, we need to do more,” he said.

A recent study by the Government Accountability Office found that although a framework of standards is emerging for securing an intelligent energy grid, federal overseers lack the authority to require industry compliance. The Energy Independence and Security Act of 2007 (EISA) directed the Federal Energy Regulatory Commission, the primary federal regulator of the electricity system, to adopt standards for smart grid security and interoperability.

“While EISA gives FERC authority to adopt smart grid standards, it does not provide FERC with specific enforcement authority,” the GAO report said.

Kramer said, “it is likely going to take legislation,” to bring better security to privately owned critical infrastructure. Not in the form of prescribed solutions, but by shaping the market to drive security, much like was done from the 1970s to the 1990s to improve environmental controls in the private sector.

This will not mean perfect security, however.

“It is inconceivable that the electric power industry can be immune from cyber attack,” Kramer said. The grid will have to concentrate on becoming resilient, not invulnerable.