Cybersecurity and Cyberwar (30 page)

Authors: Peter W. Singer, Allan Friedman

While the Cold War is by far the most frequent analogy used in policy discussions of cybersecurity, this historic parallel is actually not so apt. The Cold War was a competition between two superpowers with political leadership and decision-making clearly located in Washington and Moscow, each hubbing a network of allied treaties and client states and competing over the so-called Third World. By contrast, the Internet isn't a network of governments but the digital activities of billions of public and private users, traveling across an infrastructure that is in the hands of some 5,000-plus Internet service providers (ISP) and carrier networks owned by an array of businesses. The Cold War was also a war of ideas between two competing political ideologies. The ideas at play on the Internet sometimes touch on serious ideology, including free speech and human rights, but they also include the 800,000 hours of videos of keyboard-playing cats and pop song parodies uploaded onto YouTube each day.

It is this diversity that leads many experts to argue that agencies like the CDC are a more apt comparison for the needed future of cybersecurity. It's not just that there are many similarities between the spread of malware and the spread of communicable disease (even the terminology is the same—“viruses,” “infection,” etc.). It's that the broader public health approach might be a useful guide to how cyber policy overall could be more effectively reimagined.

Organizations like the CDC play a key role in public health by serving as research organizations, trying to understand emerging threats, as well as trusted clearing houses, transparently sharing information to anyone and everyone who needs it. The CDC's success has made it a one-stop shop for reliable reporting on everything from how to protect yourself from the common cold to the latest genetic analysis of bird flu.

Given the similar problem with information that clouds effective responses to cyberthreats, there may now be the need for an equivalent “Cyber CDC.” The concept is to form an agency much like the CDC, linked to a relevant department like Homeland Security, but independent enough to focus on its core mission of research and information sharing, which also differentiates it from both organizations like CYBERCOM and private firms with their own profit interests. Indeed, cybersecurity research firms' incentives to hoard information parallel the incentives of drug companies, which, while not happy to see diseases break out, do prefer to be the one with the patent on the cure.

As one study explained, the cyber CDC equivalent's “functions might include threat and incident watch, data dissemination, threat analysis, intervention recommendations, and coordination of preventive actions.” It would be structured in a similar way, with leadership appointed by the government but with staff recruited across a wide range of specialties. Just as the CDC now has offices beyond Atlanta to allow it to research and track disease outbreaks of various types and locales across the nation (hence the name “Centers”), so too would the Cyber CDC equivalent distribute itself physically and virtually in order to cast a wider net around emergent threats on the World Wide Web. It would also be able to navigate privacy concerns in much the same way that CDC research on disease outbreaks focuses on trends rather than individual case identities. As one blog joked, “Essentially, take everything the CDC already does and slap a cyber in front of it.”

One of the pillars of modern public health is the sharing of responsibility for action across the system. Thus, the cyber version of the CDC would not stand alone but simply serve as a hub for cooperation with all the various other state and international agencies as well as nonstate actors that matter in cyberspace, just as the CDC works collectively with groups like the World Health Organization (WHO) all the way down to local hospitals, universities, and research centers. (There is an argument to be made for a WHO equivalent at the international level for cyber, but that level of international cooperation may be a bridge too far at this time).

Framing cybersecurity as like a public health problem may not just be more effective, but also have huge policy and political implications. Importantly, while the rethinking still allows for the problem of deliberate attacks (public health must defend against biological weapons attacks, for instance), it shifts the focus away from a meme of just cyberattack-counterattack and toward the needed goal of cooperation, among individuals, companies, states, and nations. As opposed to the current trend of leaders calling for a “cyber Manhattan Project to build weapons,” looking at the matter through a health lens would aid coalitions of governments and network organizers to collaborate around solutions and go after many of the core, shared problems of cybersecurity. Indeed, by even just focusing on research and information, such an agency might serve as a key intermediary in heated political environments, just as the health version of the CDC does. (The international battle to stop smallpox was actually first introduced by a Soviet deputy health minister, allowing the CDC to serve as an alternative track of cooperation between Cold War enemies.)

Like the eradication of most diseases, the cyber equivalent to public health would be to focus both on the causal factors and vectors of spread. For instance, botnets create a huge amount of infection across the Internet by spewing out spam, but they also make it hard to track down the more directed, malicious actors conducting more advanced cyberattacks. In much the same way that the CDC targeted malaria, dedicated efforts could be made to “drain the Internet swamp” of botnets through efforts to take infected computers offline, to collect and share information about which ISPs (and which owners of IP addresses) are the originators or relay points for the most malicious traffic, and to improve cooperation across network providers by developing “white lists” of firms that follow best practices. (One survey found that 27 percent of network providers “do not attempt to detect outbound or cross-bound attacks, and of those that do, nearly half take no actions to mitigate such attacks.”)

As in public health, this kind of cooperation would ideally extend all the way to the individual level. For instance, the CDC has led efforts to bolster the average American citizen's awareness and education on basic steps to take to keep themselves safe, as well as prevent dangerous diseases from spreading. The underlying concept to emerge from the CDC's research is that Ben Franklin's saying, “An ounce of prevention is worth a pound of cure,” really is true. In studies of everything from malaria to HIV, the CDC found that disease prevention was the best pathway to control and, in turn, that effective prevention required building an ethic of individual responsibility. We see the fruits of this work woven into our daily lives, from workplace reminders on how washing your hands can prevent the spread of the seasonal flu to TV and web advertisements on how abstinence and the use of condoms can prevent the spread of sexually communicable diseases.

The same kind of “cyber hygiene” and “cyber safe” ethics might be bolstered through similar efforts to convince users of cyberspace of their own responsibilities to help prevent the spread of threats and malware. As Scott Charney, Vice President of Trustworthy Computing at Microsoft explains, “Just as when an individual who is not vaccinated puts others' health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society.”

Learn from History: What Can (Real) Pirates Teach Us about Cybersecurity?

In 1522, three Spanish galleons left Havana, Cuba, on their way to Seville, Spain. Loaded onto the ships were literally tons of gold, emeralds, jade, and pearls, all the riches of the Aztec empire gathered into one massive shipment. Hernando Cortés had just conquered Mexico and was sending its treasure as a tribute back to his king, Charles V. But once the fleet set out on its long journey, five more ships appeared on the horizon. The lumbering treasure-laden ships couldn't escape. A short fight ensued, and the Spanish lost to a squadron led by a French captain named Jean Fleury. By stealing the Aztec gold, Fleury had pulled the ultimate score. The episode would inspire generations to come and launch what is known as the “Golden Age of Piracy,” a period romanticized in books like Treasure Island and movies like Pirates of the Caribbean.

In centuries past, the sea was a primary domain of commerce and communication over which no one actor could claim complete control, much like the Internet today. While most just used the sea for normal commerce and communication, there were also those who engaged in bad deeds, again much like the Internet today. They varied widely, from individual pirates to state militaries with a global presence. In between were state-sanctioned pirates, known as privateers. Parallel to today's “patriotic hackers” (or the private contractors working for government agencies like the NSA or Cyber Command), privateers were not formally part of the state but licensed to act on its behalf. They were used both to augment traditional military forces and to add challenges of identification (attribution in cyber parlance) for those defending far-flung maritime assets.

These pirates and privateers would engage in various activities with cyber equivalents, from theft and hijacking, to blockades of trade (akin to a “denial of service”), to actual assaults on economic infrastructure and military assets. During the War of 1812, for example, the American privateer fleet numbered more than 517 ships—compared to the US Navy's 23. Even though the British conquered and burned the American capital city, the private American fleet caused such damage to the British economy that they compelled negotiations. As in cyberspace today, one of the biggest challenges for major powers was that an attacker could quickly shift identity and locale, changing its flags and often taking advantage of third-party harbors with loose local laws.

Maritime piracy is still with us, but it's confined off the shores of failed states like Somalia and occurs on a minuscule scale compared to its golden age (only 0.01 percent of global shipping is taken by modern-day pirates). Privateering, the parallel to the most egregious attacks we have seen in the cyber realm, is completely taboo. Privateers may have helped the US against the British in the War of 1812, but by the time the American Civil War started in 1861 President Lincoln not only refused to recruit plunderers-for-hire, but also blasted the Confederates as immoral for opting to employ them.

The way this change came about provides an instructive parallel to explore for cybersecurity today. Much like the sea, cyberspace can be thought of as an ecosystem of actors with specific interests and capacities. Responsibility and accountability are not natural market outcomes, but incentives and frameworks can be created either to enable bad behavior or to support the greater public order.

To clamp down on piracy and privateering at sea, it took a two-pronged approach that went beyond just shoring up defenses or threatening massive attack (which are too often talked about in cybersecurity as the only options, again making false comparisons to the worst thinking of the Cold War). The first strategy was to go after the underlying havens, markets, and structures that put the profits into the practice and greased the wheels of bad behavior. Major markets for trading pirate booty were disrupted and shut down; pirate-friendly cities like Port Royal, Jamaica, were brought under heel, and blockades were launched on the potentates that harbored the corsairs of the southern Mediterranean and Southeast Asia.

Today, there are modern cyber equivalents to these pirate havens and markets. And much like the pirate-friendly harbors of old, a substantial portion of those companies and states that give cybercrime a legal free pass are known. These range from known malware and other cyber black marketplaces to the fifty Internet service providers that account for around half of all infected machines worldwide. Without the support of these havens and networks, online criminal enterprises would find it harder to practice their illegal action, which not only would clean the cyber seas, but also make it easier to identify and defend against the more serious attacks on infrastructure and the like.

Melissa Hathaway, who led the White House's policy team on cyberspace issues, has talked about this as a strategy to “‘drain the swamp’ of malicious cyber activity and tilt the playing field [back] in our favour.” Much as with piracy at sea, some of the efforts might be taken as part of a cooperative global effort, while other actions could be taken on a unilateral basis, such as operations to disrupt or destroy the markets where hacker tools are traded, and tracking and targeting the assets of attackers themselves.

This links to the second strategy, the building of a network of treaties and norms, something explored in a following section. Fleury's attack launched a golden age of piracy that was great for the pirates but not everyone else, including the governments of the time. Pirates, who had been tolerated at the individual level, began to be seen as general threats to economic prosperity. In turn, privateers, who had been viewed as useful tools, turned into the bureaucratic rivals of the formal navies being built up in these states (here again, akin to how patriotic hackers lose their shine when states build out more of their own formal cyber military units). As Janice Thompson recounts in her seminal study of why the pirate trade ended, Mercenaries, Pirates, and Sovereigns, maritime hijackers (and their state-approved counterparts) became marginalized as nations' values changed and they saw the need to assert greater power and control.

Soon a webwork of agreements was established that set a general principle of open trade across the high seas. The agreements, some bilateral and others multilateral, also asserted that maritime sovereignty would only be respected when a nation took responsibility for any attacks that emanated from within its borders. Slowly, but surely, they paved the way toward a global code of conduct. By 1856, forty-two nations agreed to the Declaration of Paris, which abolished privateering and formally turned pirates from accepted actors into international pariahs to be pursued by all the world's major powers.
