We’re only Human: Addressing the Cyber Threat Origin
Private entities are pouring money and manpower into creating the best technologies to help mitigate a host of threats in the cyber realm. The US federal government is increasingly following this strategy. Yet, even cutting edge technology cannot determine one of the most critical and elusive intelligence questions: motivation. What drives the adversary? What does he plan to do and why? Technology explains the how, but behind every modus operandi is an operator. The human element cannot be subtracted from emerging threats in the cyber realm. Blocking persistent threats and discovering critical indicators only strengthens defensive measures. A proper understanding of the reasons behind an attack will help bolster proactive countermeasures. Human motivations like greed, desperation, malice, fear, religious extremism, and nationalism will always remain the ultimate threat, regardless of the tools used.
Some have labeled the rush to obtain cyber capabilities as the “new arms race.” This analogy is apt, but it should remind our policy makers that a key aspect of winning the Cold War – and avoiding nuclear devastation – was diplomacy and strategic human relationships. Although many factors contributed to the downfall of the Soviet Union, wise policies like détente helped to prolong peace and deter physical conflict. Connections to Russian leadership (and extensive human intelligence operations), not a superior nuclear arsenal, provided insight into the capabilities, intentions, and motivations of the Soviet Union. Now, our attempts to construct a viable national cyber security policy must consider the importance of understanding and engaging the threat origin – the human actor – and not merely focus on developing the best possible technical capabilities.
The “cyber threat” to American interests, public and private, is essentially three-fold. Cybercrime, cyber espionage, and cyber activism are the central categories comprising the cyber threat; each segment presents unique technical challenges, attack methods, and human motivations. An “offensive” or proactive approach to these threats should focus on engaging the human element behind each of these categories through robust legal and diplomatic policies that clearly define the US’ position and appropriately respond to criminal activity.
The US Justice Department must begin to clearly outline a legal framework for the prosecution of illicit cyber activity. Federal and state-level policies often rely on outdated regulations that fail to adequately address crimes by underestimating their severity or grossly overstating their significance with heavy-handed sentencing. Several recent high-profile cases have highlighted these shortcomings, Aaron Swartz and Ryan Cleary to name a few. Illegal cyber activities can cause significant damage and demand a clear, well-proportioned prosecutorial response. This response will assist the expediency and clarity of sentencing and earn public favor with accurate, timely, and consistent verdicts. Engaging the human operator with proper legal standards is essential for any successful cyber security policy.
President Obama has recently emphasized the importance of cyber security in several speeches, and current allegations of privacy invasion have reanimated this already vibrant issue. The President has begun conversations with some of our most important trade partners and significant cyber contenders. These conversations are critical for addressing threats to national security like cyber espionage. Establishing relationships is paramount to understanding the motivations behind aggression and ending the finger-pointing charade that has primarily defined our national response thus far. While increasing awareness of the threat is essential to a better public understanding of the issues, tattling on infiltrators is not the most effective way for any nation to counter a serious espionage issue. The periodic revelation that “peeping Toms” want to see our secrets exposed will not produce amicable international partnerships and will lose its shock value on the public when regularity breeds callousness. Our diplomatic posture on cyber security should be firm but approachable, and perhaps most importantly, clear. Although agreements may be violated, we must at least establish standards and procedures to outline appropriate countermeasures and dictate responses to offensive actions, especially in the international realm.
Correcting our muddled, reactionary attitude toward cyber security will allow us to leverage our already powerful technical capabilities beyond defensive measures and into a strong bargaining position. To recall the Soviet analogy, a primary benefit of our nuclear strength was its bolstering of our diplomatic stance. Amidst the clamor to become bigger, faster, and stronger, we should use our advanced capabilities as a vehicle for using intelligence mechanisms (including human operations) and diplomatic strength to engage and understand the single constant threat, human actors.
Our national cyber security strategy must acknowledge that old-fashioned diplomacy, strategic human relationships, and a thorough legal framework can help eliminate threats in the often faceless and inscrutable binary battlefield of the cyber realm.