How to Protect Yourself from the Online Axis of Evil

What has happened to the notion of cyberdefense?

North Korea and Iran are viewed as threats to the world because of their potential to field weapons of mass destruction, but they are far more likely to focus their malfeasance on "mass disruption" via cyber attacks. Should either state ever step out of nuclear line, overwhelming retaliation would follow. But in cyberspace, both Tehran and Pyongyang are credible powers capable of and apparently quite willing to make considerable mischief. Iran appears to have mounted a serious attack on the Saudi oil industry recently, wiping out critical data on tens of thousands of machines with the so-called Shamoon virus. North Korea is thought to have just attacked its southern neighbor's banking sector -- the latest in a steady stream of cyber strikes spanning several years.

Yet there has been no response-in-kind, which suggests that cyber attackers will press on with a growing sense of impunity, making the task of deterring them quite difficult. Indeed, instead of posing retaliatory threats -- the key to successful deterrence during the Cold War -- there appears to be a willingness to live under cyber siege, relying instead on improving defenses. Over the past few days, while all eyes have been riveted on the Snowden leaks, word has also gotten out, more quietly, about ongoing American efforts to craft cyber defensive coalitions with countries in the Persian Gulf region and in Northeast Asia. Information about these alliances remains proprietary, but it would be hard to think of them arising in the absence of Saudi Arabia and Qatar in response to the perceived threat from Iran, or without Japan and Taiwan when it comes to dealing with North Korea.

It is a very good thing that these alliances are forming. That they may rely on American cybersecurity strategies is a bit more problematic. The United States rates quite low in terms of its defensive capabilities. Last summer at the Aspen Security Forum, General Keith Alexander, head of both Cyber Command and the National Security Agency, publicly rated American cybersecurity a "3" on a scale of 1-10. Former government cyber czar Richard Clarke was a tougher grader, giving Washington a "1." The point is, it is one thing to build cyber defensive alliances, quite another to actually mount robust defenses. And ambiguous American threats either to "pre-empt" imminent cyber attacks or to respond with physical force are simply not very credible. It is extremely difficult to catch enemy electrons while they are massing -- or whatever they do before being launched -- and highly unlikely that the U.S. military will be authorized to go off and break things, and possibly kill people, in response to even costly cyber disruptions.

So the defensive alliances forming up should perhaps start, not so much by taking American direction as by opening up a spirited discourse on alternative cybersecurity paradigms. This would be good both for them and for the United States, as it is clear that American reliance on anti-virals and firewalls will not get the job done. One master hacker of my acquaintance likes to put it this way: "There are no firewalls, because they only recognize what they already know." This does not mean throwing these defenses out completely, as they do have some value. But it does mean shifting emphasis to more effective means.

For reasons that still baffle me, the ubiquitous use of very strong encryption has been neglected, sometimes resisted. Indeed, under American law there was a time not too long ago when it was illegal for the average citizen to have and use the strongest code-making capabilities. This silliness stopped some years ago. Yet, with our first cyber president in office -- he is very attached to his personal information technology suite -- his bully pulpit is hardly being used to tell Americans to encrypt, encrypt, encrypt.

There are additional strategies that the emerging cyber defensive alliances should consider, perhaps the best among them being the resort to concealment in "the Cloud," an airy place in cyberspace outside one's own system where information can be encrypted, broken into several pieces, stored with much improved security, and called back home with a click. A place closer in -- the area of unused capacity in a friendly network, called "the fog" -- is another way to move information around and keep it concealed. Both these approaches deal with another of the problems that my hacker friend describes: "If data just sits in your system, someone will get at it. Data at rest is data at risk. Keep it moving."

Not only will consideration of these alternative strategies improve security against the threats posed by Iran and North Korea, but adopting them would go a long way toward dealing with the nettlesome intrusions that are believed to emanate from China. President Obama has made very little progress with President Xi on cyber matters; in addition to jawboning Beijing, Washington should develop a sense of urgency about getting better at cyberdefense. After all, when the head of Cyber Command and a long-time senior official with a cyber portfolio both give failing marks to our cyberdefenses, it is high time to do something in addition to talking. If there is ever to be an effective behavior-based agreement to refrain from cyber attacks on, say, civilian infrastructure, I guarantee it will only happen when all parties have strong defenses in place as well.

So let me suggest that, for all the attention that will no doubt be devoted to the PRISM debate -- so relevant to the matter of dealing with terrorist networks -- equal time should be given to the matter of developing defenses as strong as the alliances that are being forged against the looming threat of cyberspace-based weapons of mass disruption. For it is possible, in the course of what may become a protracted, divisive domestic debate about big-data intelligence gathering methods, that the crucial need to improve our and our allies' cyberdefenses will be neglected. The anguish over possibly undue intrusions into our privacy will pale in comparison to the economic, social, and strategic costs that will be inflicted on the world -- not just the United States -- if we fail to act now to improve cyberdefenses.


In Defense of PRISM

How else can we smoke terrorists out of their hidey holes?

PRISM has just provided a glimpse through the looking glass. Revelations about this monitoring system suggest that living in and moving through the world, even for the most private among us, can be observed closely and for protracted periods by the cold, shy minds of the intelligence community. The reason for this sustained, widespread scrutiny is that, in the long fight against terrorist networks, this is one of the ways in which their cells can sometimes be caught while communicating, their plans disrupted, and, on occasion, their locations determined.

The price of the increment of security so provided is the loss of a bit of privacy, despite best efforts of intelligence overseers to make sure that the focus is on "metadata" like the time, date, and originating and terminating points of communications -- rather than on specific content. The belief, and the hope, of both the operators of the system and their supervisors -- including watchdogs maintaining oversight from their perches in Congress -- is that some loss of individual privacy will make for significant gains in national security. As an observer and sometime participant in efforts to ferret out the intentions and locations of the terrorists over more than a decade, I believe that the benefits of this endeavor have clearly outweighed the costs and risks.

My timeframe for making this judgment goes back well before the reported start of the PRISM program seven years ago. Indeed, it was just a few months after 9/11 that Adm. John Poindexter, then at the Defense Advanced Research Projects Agency (DARPA), proposed a "total information awareness" initiative that was to use some of the methods now being reported. But TIA, as it was called, had a vaguely Orwellian cast, and Adm. Poindexter's past role in the dark dealings of the Iran-Contra affair didn't help -- he had been Ronald Reagan's national security advisor when the secret arms swap caper came to light. Very soon, the "T" was changed from "Total" to "Terrorism," but the re-branding didn't help and Congress defunded the initiative. Still, parts of it lived on -- with congressional oversight -- under new code names like "Genoa" and "TopSail." These should be seen as some of the antecedents of PRISM, helping to hone the methods that have now become the principal "mining tools" of the big data offensive mounted against the globally dispersed cells of terrorist networks.

Prior to TIA, and well before 9/11, there were other ancestors of our current big data efforts. At the National Security Agency, and in other parts of the extensive American intelligence community, search systems known by such evocative names as "Echelon" and "Semantic Forests," among others, were in use, striving relentlessly to detect patterns of communication that might open up golden seams of information from the most secret caches of the world's various malefactors. Often enough, these and other tracking tools did distinguish the pattern from the noise, and national security was well served.

And in the early days of the war against al Qaeda, the enemy was still using means of communication that American intelligence had the ability to monitor -- including satellite phones and such -- leading to several counterterror coups and high-level captures. But the network learned quickly and adjusted, becoming far more elusive, more dispersed, its cells increasingly attuned to operating independently, its nodes and links ever less visible. It was against this shift that something like PRISM had to be mobilized to improve our ability to find the foe whose best, and only real, defense against us is his capacity for concealment.

Thus, the tantalizing prospect of PRISM, and of the whole "finding effort," is to deny the terrorists the virtual haven that they enjoy throughout the world's telecommunications spaces -- indeed, throughout the whole of the "infosphere," which includes cyberspace. The piercing of this veil would mark a true turning point in the war on terror, for al Qaeda and other networks simply cannot function with any kind of cohesion, or at any sort of reasonable operational tempo, if their communications become insecure. Cells and nodes would be ripped up, operatives killed or captured, and each loss would no doubt yield information that imperiled the network further. Even if al Qaeda resorted to the drastic measure of moving messages, training, and financial information by courier, operations would be so slowed as to cripple the organization. And even couriers can be flagged on "no fly" lists or caught boarding tramp steamers and such.

So for all the furor caused by the PRISM revelations, my simple recommendation is to take a deep breath before crying out in protest. Think first about how the hider/finder dynamic in the war on terror has driven those responsible for our security to bring to bear the big guns of big data on the problem at hand. Think also about whether a willingness to allow some incursions into our privacy might lead to an improved ability to provide for our security, and where that equilibrium point between privacy and security might be. And last, think about the world as it might be without such a sustained effort to find the hidden -- to detect, track, and disrupt the terrorists. That would be a world in which they stay on their feet and fighting, and in which they remain secure enough, for long enough, to acquire true weapons of mass destruction. Those of us in the national security business, who know that networks so armed will be far harder to deter than nations ever were, believe that big data approaches like PRISM and its forebears have been and remain essential elements in the unrelenting and increasingly urgent effort to find the hidden.