Back to the Future

The thing that puzzled me about Sean Joyce’s Washington Post op-ed on cybersecurity:

We need a different approach to protecting our way of life. We need an approach within the government — specifically, one organization, headed by the new national cyber director, with three separate units: one focused on strengthening public-private partnerships, one focused on offensive and defensive operations, and one focused on intelligence-collection, analysis and sharing.

Currently, private firms often do not know whom or where to call inside the government. Sometimes, companies reach out to the FBI, sometimes to the Secret Service, sometimes to the National Security Agency and sometimes to CISA. This causes confusion and inefficiencies. A centralized partnerships unit, which is led by the CISA director and coordinates cyber efforts on behalf of the government with the private sector, could streamline these efforts.

Second, we need to ensure that official responses to attacks are handled in a centralized, coordinated manner by a unit solely focused on offensive and defensive operations. For example, the recent SolarWinds attack by Russia targeting a ubiquitous software application would be handled by this unit. The operations unit would be led by the FBI and NSA (agencies with primary jurisdiction in national security matters) with participation from the Secret Service, Homeland Security Investigations and other relevant agencies.

Third, we need to create an intelligence capability with the private sector. The government has struggled at sharing real-time intelligence; the private sector, made up of innumerable companies, has too. The intelligence and analysis unit would be led by the CIA and FBI to ensure that all intelligence is gathered, analyzed and disseminated appropriately throughout the intelligence community and private sector.

is why he thinks that’s a “modern approach”? Quite to the contrary, I think the bureaucratic strategy he proposes is very much what would have been done had we faced cybersecurity threats in 1990, in 1970, or in 1950. Would it be an improvement over what we’re doing now? I have no idea, but I think it would fail for the same reason that maneuver warfare is not a good approach for coping with terrorists.

Meanwhile in an op-ed in the Wall Street Journal Thomas Ayres proposes we do almost the opposite—go really old school and issue letters of marque:

Today’s pirates sail the cyber seas searching for loot, by ransom or theft. Like their 19th-century maritime counterparts, they respect no sovereignty and disrupt commerce and daily life. This weekend’s Colonial Pipeline hack and the recent SolarWinds attack demonstrate the growing danger and sophistication of such assaults. Like the Barbary pirates, hackers frequently receive haven or direct support from hostile states like Russia or China.

Hackers routinely exploit private corporations as an entry point to lucrative private assets or national-security vulnerabilities. The SolarWinds hackers launched attacks from systems run by Microsoft and Amazon. The National Security Agency, which has primary responsibility for protecting cyberspace, is legally barred from monitoring and collecting intelligence from U.S. entities. Tom Burt, Microsoft’s vice president for security, told the Journal in March: “This is a sophisticated actor that apparently took time to research legal authority. It knew that by operating from servers in the United States, it could evade some of the U.S. government’s best threat hunters.”

Corporate threat hunters could fill the gap, acting as cyber scouts in support of the government’s efforts. But that comes with risk: Equifax, Home Depot and Uber have each paid more than $100 million in fines and settlements due to hacker-breached customer data. Numerous lawsuits remain unresolved; in a typical case, Walmart faced a suit alleging a breach of the California Consumer Privacy Act because hackers illegally harvested private consumer data. The judge ruled in the company’s favor, but only because the hack predated the law.

Corporations have financial incentives to protect their data; what they lack is incentives to cooperate with the NSA and to report data breaches to the government in a timely manner. Security journalist Dan Swinhoe reports that hacking has cost companies nearly $1.3 billion. Cognizant of dangers to their bottom line, corporations hire cyber defense specialists. But when their measures prove insufficient against ever more skilled and avaricious hackers, companies freeze. Fearful of litigation, bad publicity and punitive regulation, they delay reporting until they know the extent of the problem. That reduces the company’s risk of exposure at the cost of exacerbating the national-security threat.

When a kidnapper makes a ransom demand, the best approach is to notify law enforcement quickly. Similarly, the best way to limit the damage of hacker breaches is for the target to share information quickly with the government—in this case, the NSA. That’s where letters of marque come in.

Historically, such letters provided financial incentives to overcome fear and inaction in the face of dangerous outcomes and national need. On the high seas, they assured standing and rights in admiralty courts that awarded “prize money” when pirate ships were sunk or captured.

Cyber letters of marque could establish incentives for timely information sharing and ensure that companies have the freedom to defend themselves. A company targeted by hackers would apply to Congress, which would grant a letter of marque providing limited immunity from regulatory action when breaches and activities are spotted early and shared expeditiously with U.S. agencies. And while corporations should take all measures necessary to make consumers whole when they are breached, Congress could also provide limited protection against punitive lawsuits against companies that meet accepted standards of cyber defense, provide early reporting, and take robust defensive measures against their hackers.

We haven’t had a cyber Pearl Harbor, but today’s threat from hackers could become as dangerous as enemy submarines. Congress should rally behind a nonpartisan initiative and begin issuing letters of marque now. Enlist private corporations to serve as our cyber scouts just as the Resolute searched for hidden dangers in an earlier time of global upheaval and uncertainty.

I have two points of disagreement with that. First, I don’t think it’s true that

Corporations have financial incentives to protect their data; what they lack is incentives to cooperate with the NSA and to report data breaches to the government in a timely manner.

or, at least I don’t believe their financial incentives are sufficient for them to do what they’d need to do to defend themselves from attack. I have an idea for remedying that which I feel sure would work but am equally sure that companies would hate like poison: strict liability. That would certainly increase their incentives.

My other point of disagreement is this:

We haven’t had a cyber Pearl Harbor

I think we have a cyber Pearl Harbor just about every day, but it’s not concentrated against just one target; it’s launched against thousands or tens of thousands of sites, generally by bots. Its cost is already orders of magnitude beyond the actual cost in dollars of Pearl Harbor. It’s just not as dramatic and there’s little direct loss of life.

I think his suggestion has merit but doesn’t go far enough. The public sector is just not agile enough to deal with cyber-terrorism. Sufficient rewards could induce whole industries to spring up to bring these criminals to justice.

1 comment
  • steve

    I don’t really see how the letters of marque thing would work. The hackers are nearly all overseas and mostly in countries not likely to cooperate much: Russia, China, Iran, North Korea. They might, big might I think, be able to identify them, but bring them to justice? How?

    Steve
