Friday, August 11, 2017

A Vulnerable Castle in Cyberspace

uncaptioned image from article

America needs to embrace the 'information warfare' mindset.
By Phillip Lohaus | Opinion Contributor
Aug. 11, 2017, at 2:00 p.m.
The topic of cybersecurity seems to affect just about everything these days. From ensuring the security of online shopping to preventing unauthorized access to your devices from outside intruders, cybersecurity underwrites our society's increased reliance upon electronics for everything from transportation to communication. We are assured by information technology professionals that if we consistently install security patches, run the latest antivirus software and create passwords with an ever-growing number of required "special characters," we will reduce our vulnerability.
In a technical sense, this is true. Passwords prevent intrusion, antivirus software sequesters malicious strings of code and security patches shield vulnerabilities from exploitation by hackers. Like lords protecting medieval fortresses, we've become quite adept at preventing unwanted barbarians from breaching the castle walls.
But just as clever adversaries in the Middle Ages exploited overlooked weaknesses to obviate the need to enter the front door, modern rivals have developed other ways to infiltrate our defenses.
The castle analogy only goes so far. The dynamic and fluid environment of cyberspace is more akin to water or air than it is to a physical structure. When viewed this way, the quality and nature of the content flowing throughout the internet becomes as important as pesky enemy soldiers and threatening foreign weaponry. Physical barriers no longer matter as much. If the air is poisoned, the lives of everyone in the castle are placed at risk.
This analogy illustrates the way that many of America's adversaries perceive "cybersecurity." Just like the United States, many of them possess sophisticated conventional weaponry and some have developed sophisticated cyberdefenses. But America has yet to adapt to an environment where information is itself as much of a weapon as a tank, a plane or a carrier battle group. Our adversaries, however, have adapted faster.Take China. Beginning in the 1990s, the People's Liberation Army recognized that information was fast becoming the most decisive factor in warfare. By 2003, it developed a concept to dominate the information space through waging psychological warfare, legal warfare, and media and public opinion warfare.
The use of these "three warfares" has created additional space for China's strategic maneuvering. China justifies island building in the South China Sea through convenient interpretations of international law; it has made incursions into the territorial waters of neighboring countries so regular that they no longer trigger significant alarm; and it levies economic penalties on weaker countries when they undermine Beijing's aims. Cyberattacks are just part of a much larger strategy in which China has molded the information space to garner strategic advantages at the expense of its enemies.


Respond to Russia's Information Warfare

The United States needs a new strategy.

Or take Russia. In addition to allegations of interfering with America's most recent election, Russia has integrated its disinformation campaigns with other efforts to influence the politics, economics and social institutions of countries along its European periphery. Nowhere is this more apparent than in Ukraine. Though the annexation of Crimea and the ongoing military campaign in the Donbass garner most international headlines, such efforts are only the latest iteration of a much longer influence campaign waged against Kiev by Moscow. The combination of frequent cyberattacks on critical infrastructureelection meddlingdisinformation and military interference has eroded the confidence of Ukrainians in the competence of their government and worn down their willingness to resist Russia's aims.
Or take Iran. Recognizing the increased importance of the information space to national security, Ayatollah Ali Khamenei called for Iran to increase its ability to defend against and wage what he called "soft war." Through a central office, the Islamic Republic coordinates a web of organizations involved in cyberattacks and information campaigns. Goals include the promulgation of Shi'a Islam and narratives about current events that suit Tehran's perspective.
The centralization of these efforts into one office under the supreme leader facilitates coordination with other instruments of national power, and allows for adaptable and nimble responses. Indeed, Iran's "soft war" activities have only increased in the wake of the Stuxnet attack on its nuclear facilities.
Iran claims that its "soft war" is in fact a reaction to one that is waged against it by the West. Russia and China similarly built their information warfare campaigns off of reactions to Western behaviors. But whereas they have recognized and developed mechanisms to leverage the convergence of information warfare and cybersecurity, America still tends to think of these activities as distinct and separate behaviors. We tend to think of our cyberdefenses as physical barricades, barring access from would-be perpetrators, and of information campaigns as retrograde and ineffective. In other words, we continue to focus on the walls of the castle, while our enemies are devising methods to poison the air.
Fortunately, our leaders are beginning to recognize the need to incorporate information warfare into our broader cybersecurity plan. But concepts at the core of our society, such as democracy, transparency and a balance of powers between branches of government, rightly prevent us from organizing our efforts in the same way as our adversaries. The government cannot simply order a media outlet to report a specific story any more than it can instruct individual citizens to enlist in a "cyber army," as China has done.
But that doesn't mean there's no hope. The U.S. has outmaneuvered authoritarian regimes in the past, and our "soft power" remains the envy of the world. Rather than viewing foreign engagement as a waste of resources, we should champion our diplomatic corps; public diplomacy is a particularly potent tool at dispelling false narratives. Further, we can shore up our defenses by expanding the role of oversight bodies that keep an eye on foreign investments in U.S. critical infrastructure. Lastly, the government should leverage the capabilities and resources of the private sector, including cybersecurity firms and purveyors of cultural content.
The success of these efforts will hinge on a national strategy that can tie together America's efforts in the information space and align them with national security priorities. To come back to the castle and air analogy, a strategy informs which defenses to bolster and how air should be purified. America has the know-how to move from a mindset of "cybersecurity" to one of "information warfare." We just need to devise an effective approach.

Phillip Lohaus, a former Department of Defense analyst, is currently a research fellow with the Marilyn Ware [sic - JB] Center for Security Studies at the American Enterprise Institute.

No comments: