National Security

Ready Player One

Did the Pentagon just take over America's cybersecurity?

It was bound to happen. The Senate fumbles and the House proffers only magical solutions for cybersecurity. The task of improving cybersecurity reverts to the executive branch, but the Department of Homeland Security does not inspire confidence. So the Department of Defense (DOD) is given a larger role in protecting cyberspace -- a responsibility that Defense Secretary Leon Panetta finally claimed in an important speech he delivered Oct. 11, "Defending the Nation from Cyber Attack." Panetta may have said that the Pentagon will only play a "supporting role," but make no mistake: When it comes to cybersecurity, the center of action just shifted.

Given the feeble state of U.S. cyberdefenses, an astute antagonist could use cyberattacks to disrupt critical services and information. This is a standard military doctrine for America's likely opponents. An expanded role for the DOD makes sense when the United States is so vulnerable -- not only from sophisticated opponents but, surprisingly, from less advanced countries that may be more aggressive and less able to calculate risk.

The driver for immediate action is Iran. "Iran has also undertaken a concerted effort to use cyberspace to its advantage," Panetta said. His speech laid the dots alongside each other without connecting them, but many sources in and out of government suggest that Iran was likely responsible for the disruptive attacks on Aramco and RasGas that the secretary mentioned. Iran may also have been behind recent denial-of-service attacks against U.S. banks. Iran has discovered a new way to harass much sooner than expected, and the United States is ill-prepared to deal with it.

The specifics of Iranian involvement are murky, but there is a general consensus that Tehran was either witting or supportive of the attacks. Iran has been working to acquire cyberattack capabilities for years -- well before Stuxnet -- and those who believe that the allegations of Iranian involvement are true do not believe the recent attacks were in retaliation for that piece of malware, which disrupted Iran's centrifuges. If anything, some speculate they were a reaction to the new U.S. sanctions. A more active Iran creates a new layer of problems in cyberspace that the United States cannot wait for Congress to address. An initial problem is how to credibly signal to Iran to refrain from further attacks. Panetta's speech was an attempt to do so. There is a message for Iran that, while indirect, is unlikely to miss.

This is not "cyberdeterrence," a term that makes little sense. The United States has one of the world's most powerful cyberforces, and it did not deter Iran, nor can it deter espionage and crime. Deterrence doesn't work because the United States can't make a credible threat. Against Iran, what would it be? More sanctions? A naval blockade? An airstrike? Even if the United States made these threats, Iran would be unlikely to assess them as credible. The Iranians know U.S. cybercapabilities better perhaps than any other country, and the threat of cyber-retaliation appears not to have frightened them. What Panetta is offering is not deterrence but prevention and preemption.

Panetta laid out a number of steps to harden defenses. Investing in new technology is a traditional American solution to defense problems. The secretary's most significant remark about new technology is that "we're seeing the returns on that investment" in the form of better attribution. Anonymity will offer less protection to attackers and may make some reconsider an attack. If nothing else, better attribution offers improved targeting.

More importantly, Panetta defined an active role for the DOD in cyberdefense, something that has been under discussion since 2009. An early question asked was, if NORAD can defend U.S. airspace, why can't Cyber Command defend cyberspace. The answer is to use the National Security Agency's unparalleled signals-intelligence capabilities and relationships to intercept incoming malicious traffic and define when and where it is legal for the agency to do so. The National Security Agency (NSA), with the right authorities, could block many future attacks.

A greater defensive role for the DOD is a good idea and a key element of any cybersecurity strategy, but there are obvious problems. Say "NSA" to privacy advocates, and they scream. To intercept malicious traffic from Iran or other opponents, you need to monitor all incoming traffic. Remember that we are ultimately talking about streams of ones and zeros, the code transferred among machines and only translated into human languages at the end. It is possible to screen these ones and zeros to look for patterns that indicate an attack without ever looking at content, but some doubt the NSA would be able to resist temptation. An expanded role for the DOD also requires expanded privacy protections.

The DOD's new role also requires defining the space for action. Forget the dot-com mythology about cyberspace having no borders. Cyberspace depends on a physical infrastructure of computers and fiber, and this physical infrastructure is located on national territory or subject to national jurisdiction. Cyberspace is a hierarchy of networks, at the top of which a small number of companies carry the bulk of global traffic over the Internet "backbone." International traffic, including attacks, enters the United States over this "backbone." The backbone is a choke point, relatively easy to defend, and something that the NSA is already intimately familiar with (as are the other major powers that engage in signals intelligence). Sit at the boundary of the backbone and U.S. jurisdiction, monitor and intercept malware, and attacks can be blocked. An analogy is that the Navy defends the ocean approaches (pace forward deployment) but not the inland waterways.

But how far down the Internet's spine should the DOD go? Should it also monitor the networks of large corporations or Internet service providers? Should it be able to go onto consumer devices when they are infected? The precedent in the United States is for military or intelligence agencies to perform domestic security functions only in a crisis, not on a routine basis. Panetta makes clear that the DOD does not envision playing this role.

What he does envision is something that might be called preemption, using new rules of engagement for Cyber Command. He says, "We won't succeed in preventing a cyberattack through improved defenses alone. If we detect an imminent threat of attack that will cause significant physical destruction in the United States or kill American citizens, we need to have the option to take action against those who would attack us to defend this nation when directed by the president." The United States, using national technical means, often has advance knowledge of an opponent's plans, intentions, and capabilities for cyberattack. Panetta seems to be saying that when an attack appears imminent, the president can direct the DOD to strike first. If it were a precise attack that avoided collateral damage, the political risk of striking another country could be manageable. There would still be risk of creating a wider conflict, and this, as the speech makes clear, is a decision only the president should make.

An active defensive role for the military is one of the three key elements needed for effective cybersecurity. The second is better protection for consumers. Last summer, the Federal Communications Commission began a program with major service providers to block or clean malware from their customers' computers. The third missing piece in a comprehensive defense is protection of critical infrastructure. Panetta says members of Barack Obama's administration "are considering" an executive order on cybersecurity. The drafts of this order are not public, but would likely take much of Section 104 of the bill put forward by Sen. Joseph Lieberman and Sen. Susan Collins -- which failed to pass this summer but which would have implemented protections for critical infrastructure -- and instead implement it under existing authorities.

The defense secretary said that there is no substitute for legislation and that Congress has a responsibility to act, but few expect to see this anytime soon. With a dysfunctional Congress unable to provide authorities for better cybersecurity, an executive order that mandates security at selected critical infrastructure may be the best the country can do. There are tensions within the Obama administration over Internet orthodoxies, but if the White House can manage to issue a credible order on critical infrastructure (not voluntary, and not dependent on imaginary incentives) to complement protections from Internet service providers and a larger role for the Pentagon, it will have done much of what needs to be done to begin building an adequate cyberdefense.

Justin Sullivan/Getty Images


The Quiet Man of Chinese Letters

Should we condemn Mo Yan for failing to speak out?

Mo Yan, the first non-imprisoned, non-émigré Chinese to win a Nobel Prize, straddles the line between critical and Communist Party success. His books are brilliant; his prose trembles with vivacity and his characters are astonishingly self-aware as they wallow in their own excess. A Ph.D. student in liquor studies falls in love with his mother-in-law. Cadres braise human babies and eat them at banquets. A peasant rapes a woman, marries her, and then improves her liquor distillery by pissing into the batch. Existentially stressed, they eat, drink, and screw, as the politics that shapes their lives lurks in the background.

China's Nobel laureate selected Mo Yan as a pen name; it literally means "Don't Speak." He doesn't. Like the characters he depicts in his novels, Mo does not resist the Communist Party's control over his public life. He is vice-chairman of the government-run Chinese Writers Association; in the Frankfurt Book Fair in 2009, Mo joined the official delegation in boycotting events in which dissident writers appeared. ("I had no choice," he later said in an interview.) This year, he participated in a book project in which he hand-copied a speech Mao Zedong gave decreeing that writing must serve the Communist Party.

Some Chinese liberals and dissidents criticized the selection; one prominent writer and democracy activist, called Mo a man with "no principles." In a news conference after winning the prize, Mo said he hoped Liu Xiaobo, the 2010 Nobel Peace Prize laureate currently imprisoned in China, "can regain his freedom very soon" but added that if freed "he can study his politics and his social system," seemingly asking dissident Liu to rejoin the fold.

Should we condemn Mo for failing to speak out for injustice? Maybe. Liu Xiaobo's limitations as a writer didn't detract from his peace prize; do Mo's politics disqualify his works of literature? Mo's characters, perhaps modeled after himself, are unable to speak out: They are too distracted, too manic -- often either famished or bursting, liquor-starved or raucously drunk. In his novel Big Breasts and Wide Hips, a nurse survives the famine of the Great Leap Forward by trading sex for steamed buns. We see light haloing her face, puffy from starvation, "as if coating it with the blood of a dog." Mo appears as a character in The Republic of Wine as a feckless author who "can't believe" he drank himself to death. The book's drunken anti-hero Ding Gou'er can't keep his appetites in check enough solve the corruption case he's ordered to investigate. He may have munched on a cooked baby at a banquet, and he sees a group of children and thinks of them as "just like a skewer of roast lamb, basted and seasoned."

Mo knows the excess and depravation that instability brings. Born in 1955, he was a child at the start of the Great Leap Forward, one of the darkest chapters of China's history. In a 1997 autobiographical essay entitled "I Can't Forget About Eating," Mo recalls, in almost jocular manner, the famine that swept China from 1959-1961, in which tens of millions of people starved to death. "The best thing to do when someone died was to drag him out and let the dogs first eat him ... this was a golden age for dogs." Mo was one of the children foraging for insects to eat, with "swollen bellies and legs like sticks, and their brains were enlarged with queer ideas."

Mo's characters are still stuck in this oral stage: Their lives revolve around food, liquor, violence, and sex. In Garlic Ballads, peasants makes love in the garlic fields and sing songs in praising garlic; even a lightbulb is described as "shaped like a head of garlic." In Republic of Wine, one character states that "people who are strangers to liquor are incapable of talking about literature." In Big Breasts and Wide Hips, the narrator, even as a teenager, receives his sustenance from breast milk and cannot move beyond the body. Sex-starved, he ends up imprisoned for screwing a corpse.

Mo's fiction is rich because it subtly captures the compromises and monstrosities of Communist China. And perhaps Mo, in his silence, fears what happened to Ding, who suffers a very MoYanian ending: After finally deciding to really investigate what's happening around him, he gets drunk and confusedly shoots two people. Stumbling around, he spots a ship on which he sees a group of officials about to feast on a human baby. "I protest!" Ding screams. He rushes towards the boat, only to stumble into an open-air toilet, whose refuse he compares to "warm, vile porridge." As he sinks, "the sacred panoply of ideals, justice, respect, honor, and love" accompanies Ding to the bottom.