National Security

The Willie Suttons of the Cyberage

Can we stop bad guys from getting into U.S. networks?

Criminal mastermind Willie Sutton famously quipped that he robbed banks because "that's where the money is." Modern-day cyber-Suttons follow the same basic logic; the problem is that the "money" is everywhere. The Internet that we rely on to casually IM, order books, and video-chat is the same one that synchronizes power generation, enables collaborative design of fighter jets, and transmits electronic medical records. And while consumer banks have evolved to limit their exposure to gun-wielding bandits, there are billions of highly valuable and highly vulnerable nodes on the Internet that are not yet adapted to the new cyber-realities. 

In the real world, federal authorities are massively outnumbered by professional hackers -- both freelance and state-sponsored -- who have the time and skill to penetrate our electronic perimeter. Meanwhile, the high-speed optical lines that carry data under seas and across continents allow adversaries to virtually stand on -- or in -- their targets long enough to find digital cracks and exploit them. In a cat-and-mouse game like this, patience is richly rewarded, and America's enemies can easily afford to wait.

Cybercriminals also enjoy three other advantages. First, they operate outside the jurisdiction of U.S. courts, making it virtually impossible for federal authorities to prosecute aggressors. Even if they can sometimes pinpoint the source of cyberattacks amidst the storm of digital data, there are few legal options available. As a result, America's best hope for protection is from the inside out, not the outside in: ferociously guard data and be more operationally tolerant of intruders in our midst. Indeed, we should assume that they are there already.

Second, the tools hackers use to find holes in U.S. networks are now automated. The days of pocket-protected nerds breaking into high security networks for kicks or glory are over. Today, highly trained professionals, sometimes employed by nation-states, work nine-to-five jobs to infiltrate networks -- both governmental and corporate -- and exfiltrate plans, intellectual property, and data. The United States needs a coherent program that attracts the best minds to guard the country's digital secrets; America's adversaries do a much better job of recruiting and training their human resources than the United States does at the moment.

Third, cyberattacks can be many orders of magnitude more profitable than robbing a bank. Launching them is essentially free, and the rewards in terms of cash and disruption can be astronomical.  Just three months ago, a man working alone with a laptop and ordinary network access nearly brought down the global Internet with a so-called "distributed denial of service" attack on the web filtering service Spamhaus.  Meanwhile, the average "zero day" attack -- a breach that occurs from a previously unknown vulnerability -- is embedded for 300 days prior to detection, according to a recent research report by the network security company Symantec. Latent infections and undetected holes can result in sensational escapades like the diversion in the year 2000 of 800,000 liters of raw sewage into a public park in Australia, and wickedly clever intrusions that siphon off credit card numbers from banks and clearinghouses, as has happened on numerous occasions.

According to Dan Geer of In-Q-Tel, a non-profit that invests on behalf of the intelligence community, the basic problem is that "detection alone is insufficient unless you have total surveillance of your network, which in reality no one does." That's correct, but we could have "total surveillance" of the software that runs at the network's endpoints. But better visibility would require a policy change, because both the public and private sectors are widely dependent on closed, proprietary, monolithic software systems that make true endpoint surveillance impossible. The federal government is especially stuck in this strategic trap, in part because the incumbent merchants and system integrators play off the fears of procurement officers about the make-believe risks and inflated transition costs of modernizing their enterprise systems. 

But such fears are unfounded. Many federal systems -- and practically all new ones -- could easily migrate to open source and standards-based software that is license free and costs about the same to configure, install, and operate. In addition to the cost advantages and performance benefits associated with open source software, it is also measurably -- even if counterintuitively -- more secure. Entrenched bureaucracies and heavily lobbied staffers are often confused about open source or open standard solutions, hindering progress toward their adoption and implementation. But it's not just a question of money anymore; the United States is compromised by customized and proprietary electronic infrastructure for the simple reason that closed solutions are closed to inspection. Open solutions, in contrast, attract constructive critiques and faster fixes.

The United States also needs to devote more resources to protecting assets that are irreplaceable if breached and irretrievable if stolen: data and personal identity. Inside-out approaches to cybersecurity -- driven simultaneously by advances in cloud computing and strict European privacy regulations -- are emerging with advances that enable service delivery without exposing data, even to the service provider. The government should accelerate this approach by re-allocating investments into technical solutions that "harden" the data core, making it much less vulnerable to infiltration, exfiltration, and eavesdropping. This, coupled to policy-driven mandates for openly architected, standards-based systems that are more resistant to breach and less expensive to maintain would transform America's cybersecurity posture from defensive and reactive to stable and confident.  

Cyberthreats are real and growing. While we can't stop the bad guys from getting into U.S. networks, we can prevent them from being able to steal, corrupt, or destroy what matters most. The U.S. government -- and its partners around the world -- can and should incentivize nascent efforts to better protect data and personal identity from the inside out. Until it does, the litany of recent sensational cyberattacks -- from the infiltration of the New York Times' networks, to the breach of renowned security company RSA, to a growing list of compromised federal websites -- will grow more serious, and U.S. national security more vulnerable.

Sean Gallup/Getty Images

National Security

Reboot

Why the Army's plan to cut 80,000 troops doesn't go nearly far enough.

On Tuesday, the Army announced its plans to hit the reset button on its force structure, cutting its head count by 80,000 soldiers from 570,000 to 490,000, effectively taking the force back down to pre-9/11 levels. As Sydney Freedberg correctly points out, the Army will do this by reshuffling its deck of battalions and making cuts to certain manpower pools where it has parked troops who are wounded or in transit. If these cuts are fully implemented, the Army of 2019 will look a lot like the Army of 1999, with about 10 divisions composed of 33 (or so) combat brigades.

That's a technique, to use an old Army expression of skepticism. Unfortunately, these cuts do not go far enough to insulate the Army from the dawning age of fiscal austerity, and even deeper cuts in the future. And, by embracing such modest cuts now, the Army is missing a huge chance to leverage this crisis moment to embrace more fundamental change. This is the moment for the Army to fix its anachronistic business model, including its obsolete system of pay and benefits, and trim its bloated network of bases. The Army should also re-examine its mix of active and reserve forces to better leverage its part-time soldiers. And as the largest service, it must also invest more heavily in unmanned systems to break the link between cost and manpower that shackles the force. Troop cuts are but one part of the equation; they are necessary but not sufficient.

As it exits the Iraq and Afghanistan wars, the Army retains roughly the same basic operating model it had before 9/11. The service recruits, trains, equips, and maintains large land formations of soldiers with lots of heavy equipment. When called upon, this force deploys overseas to fight or do things other than fighting, like peacekeeping or humanitarian assistance. The Army lives on bases around the world, although this footprint has increasingly domesticized over the past 10 years, with many troops relocating from Europe and Asia to stateside bases. And the Army does its job with a mixture of full-time active troops and part-time reserve troops, the latter divided between the federal Army Reserve and the state National Guard.

Consequently, the Army now finds itself between the pincers of two harmful trends: The defense budget is declining at the same time that the internal costs of the Army's obsolete business model are escalating beyond control. Over time, these trends will gradually squeeze the Army to the point where it cannot afford to recruit, train, pay, or equip the force at anything approaching the levels to which the force has become accustomed -- let alone actually conduct costly operations abroad. The Army surely needs to cut troops -- but it's not clear why the Army settled on 80,000 as the final number. It may need to cut significantly more in order to make ends meet. And, in addition to troop cuts, the Army must now also embrace fundamental change in four areas: compensation, the active and reserve force mix, bases, and increased use of unmanned systems.

Since 9/11, as our colleagues wrote in a recent report titled "The Seven Deadly Sins of Defense Spending," military compensation has grown by 52 percent, more than double the pace of income growth in the private sector. Likewise, the costs of the military retirement system have ballooned as well because of an antiquated model in which the Army and other services pay people for 60 years (or more) to work for 20 years, and provide generous health-care and commissary benefits that far exceed anything in the civilian world. If the Army wants to avoid becoming a benefits company that occasionally kills a terrorist, to use Arnold Punaro's memorable phrase, it must slow the rate of growth of military cash compensation and rely on targeted pay increases or bonuses when necessary to support recruiting and retention. The force must also increase cost sharing for its vaunted Tri-Care insurance program and leverage the Affordable Care Act to further share the burden of treating military families and retirees. The Army cannot change this system alone, but as the largest service, it can and should lead the way to a more sustainable manpower model for the U.S. military.

And if the goal is to save money, then in addition to troop cuts, the Army should also lead the services in finding more and better ways to leverage its reserves. One recent Pentagon report pegged the cost of a reservist at less than one-third of an active service member. Nearly 900,000 reservists have been mobilized since 9/11, mostly in support of the Iraq and Afghanistan wars, with reservists at one point making up nearly half of the force deployed to Iraq. The reserves have matured during the past 12 years of war into a much more capable and resilient force, albeit one with great strain (especially in the area of employer relations, as illustrated by the thousands of complaints filed with the Labor and Justice departments by reservists regarding alleged violations of the law protecting mobilized reservists). Given the reserves' performance in Iraq and Afghanistan, and the enormous cost disparity between active and reserve forces, the Army should look for ways to increase its reliance on the reserves. In addition to operational and cost benefits, such a move could bring civil-military relations benefits as well because of the extent to which the reserves are better integrated into American communities than the active force.

The current fiscal crisis also offers an opportunity for the Army to downsize its incredibly inefficient basing structure. Although the Pentagon -- with President Barack Obama's support -- asked Congress for one or two more Base Realignment and Closure (BRAC) Commission cycles, the historical mechanism used to close bases, Congress demurred for political reasons. The Army should ask again and make the only argument that can break the current political logjam in Congress over basing: that basing inefficiencies will cost the Army valuable training dollars that could save lives in future wars.

Finally, and recognizing the enormous costs associated with the manpower-centric Army of today, the Army must now invest more heavily in unmanned systems and concepts that will produce the Army of tomorrow. Over the past 100 years, the "American way of war" has evolved to increasingly substitute technology for labor, to send a machine instead of a man. The technology exists today to field unmanned tanks, artillery batteries, and logistics convoys, to name just a few. Today's Army leadership should embrace these new technologies and find ways to better incorporate them into the force. This might start with a grand challenge to design and build unmanned tanks, or a large-scale simulation at the National Training Center which pits a manned tank formation against an unmanned one. The time to invest in these technologies and concepts is now, not immediately before or during the next war. The current fiscal crisis may provide a window of opportunity to do so because of the enormous potential that unmanned systems offer to reduce manpower costs.

It's possible (but unlikely) these troop cuts are a bluff, a gambit that Congress will react negatively to the threat of furloughing troops and closing bases, and respond instead with more military funding. It's also possible (and more likely) the proposed cuts are merely an opening round of negotiations with Congress -- and that the final troop count will settle somewhere between the Army's current strength and its proposed slimmer self. If so, either proposition carries enormous risk. In this fiscal environment, Congress may well call the service's bluff -- or take these voluntary cuts as a sign the Army has enough fat that it can cut even more.

Historically, changes like those described above have not happened without military leaders standing up and stepping forward, because of the enormous political influence they wield by virtue of their positions and the extreme deference on Capitol Hill to the uniformed military leadership. Gen. Raymond Odierno, the Army chief of staff, and his colleague Gen. Martin Dempsey, the chairman of the Joint Chiefs, must seize this opportunity to do more than reshuffle their battalions. The Army of the future will bear as much resemblance to today's force as today's force bears to the Army that fought the Vietnam War. But the nation's oldest service will not get there from here if it continues to embrace such incremental change.

Photo by Sgt. Peter Berardi/DVIDS