First, here’s the unclassified Official Cyber Strategy of the USA, signed by Defense Secretary Ash Carter. Initial take: the guy really is an empty suit, stuffed with Beltway entitlement, and serving various constituencies, with the national defense of the USA not as prime as it probably ought to be here.
Here’s how Carter (and his underlings, more Beltway homesteaders without a real-world accomplishment to their names) define the cyber threat on p. 9 of the document:
From 2013-2015, the Director of National Intelligence named the cyber threat as the number one strategic threat to the United States, placing it ahead of terrorism for the first time since the attacks of September 11, 2001. Potential state and non-state adversaries conduct malicious cyber activities against U.S. interests globally and in a manner intended to test the limits of what the United States and the international community will tolerate. Actors may penetrate U.S. networks and systems for a variety of reasons, such as to steal intellectual property, disrupt an organization’s operations for activist purposes, or to conduct disruptive and destructive attacks to achieve military objectives.
So what’s wrong with this? Here’s one: defining the military cyber threat to include commercial hackers and disruption of non-government “organizations.” No one who’s au courant with the cyber threat thinks that DOD has its own networks under control, so this attempt to subordinate DOD’s cyber defense activities to big and inept corporations like Sony, not incidentally among
the owners ofthe donors to Carter’s political sovereigns, turns defense resources to private profit and distracts them from national defense. No, defending Sony is not an American defense interest. Hell, it’s not even a US corporation; why should we give
Oh, we forgot. Sony
bought and paid formade substantial donations to the President and the other officeholders to whom Carter really holds his fealty, rather than to the quaint old Constitution to which he swore an insincere oath.
Let’s continue with Carter, and see if he gets any better:
Potential adversaries have invested significantly in cyber as it provides them with a viable, plausibly deniable capability to target the U.S. homeland and damage U.S. interests. Russia and China have developed advanced cyber capabilities and strategies. Russian actors are stealthy in their cyber tradecraft and their intentions are sometimes difficult to discern. China steals intellectual property (IP) from global businesses to benefit Chinese companies and undercut U.S. competitiveness. While Iran and North Korea have less developed cyber capabilities, they have displayed an overt level of hostile intent towards the United States and U.S. interests in cyberspace.
The first sentence is one key to cyber: it’s a plausibly-deniable act of war, which is why all major powers (Russia, China, and not incidentally the USA) maintain an advanced persistent threat capability. This administration in particular is in love with the concepts of deniable, technical, literally “dehumanized” as in humans-out-of-the-loop and not at risk, technical war. It’s reminiscent of the disastrous Stansfield Turner days at CIA, when Turner played to the agency’s Polyphemos. “Noman has blinded me!” cries the agency at the inevitable “intelligence failure” result, in Turner’s case including the Russian invasion of Afghanistan and the Iranian revolution. Although he seems intent on recreating the bleak Cy Vance/Stan Turner days of his namesake President, this Secretary of Defense is unrelated to Jimmy Carter in anything.
Well, except in ineptitude. If there is a brotherhood of bozos, maybe with a secret handshake or password/countersign (“Are you a turdle?”), these guys are both life members.
Again, that the Chinese state steals IP is not exactly novel, and the Chinese are not alone; some of our allies do the exact same thing (cough, France, Israel, cough). The US, for that matter, does steal foreign technical data, the difference is, we don’t steal for order for private industry.
It is a defense matter when foreign nations steal defense material from the military or defense contractors. We’re not big on defining things as crimes rather than acts of war or terrorism, but stealing from Sony, for example, or General Electric, is not an act of war, no matter how much money those corporations sluice to Carter’s
owners and overseerssuperiors.
In addition to state-based threats, non-state actors like the Islamic State in Iraq and the Levant (ISIL) use cyberspace to recruit fighters and disseminate propaganda and have declared their intent to acquire disruptive and destructive cyber capabilities. Criminal actors pose a considerable threat in cyberspace, particularly to financial institutions, and ideological groups often use hackers to further their political objectives. State and non-state threats often also blend together; patriotic entities often act as cyber surrogates for states, and non-state entities can provide cover for state-based operators. This behavior can make attribution more difficult and increases the chance of miscalculation
Well, it’s nice to see some awareness of ISIL penetrating the thick skulls of the E-Ring, but what they’re calling a cyber threat is simply an information operations (IO) effort that is superior to that of the United States. And as long as we have IO run by giggling PR dollies, and counter ISIL guns and swords with feeble hashtags, we’re #screwed.
You could fisk the whole thing like this. Its full of yes-hope-is-a-method naïveté, like considering the Chinese threat badly punished because we indicted five PLA members for stealing IP. (We’re sure they’re shaking in their shoes. Either that or the new guys have redoubled their efforts because an indictment is the new most-coveted achievement in Chinese cyber — more likely). It’s also full of carefully-staged “college pamphlet” or “annual report” photos of perfectly-diverse cybernauts — selected for just the “right” mix of joint-service uniforms, DOD civilians, and skin-tone diversity. In other words, it’s all full of that which proceeds from the north end of a south-facing male bovine.
Naturally, there’s a new bureaucracy to be built, under a towering buzzword, the National Initiative for Cybersecurity Education, and more SES and political appointee jobs, like the Office of the Principle Cyber Advisor to the SecDef, which will oversee the Cyber Investment and Management Board, which will operate a senior executive forum and coordinate for something called the Deputy’s Management Action Group. It’s all process, with all these Beltway drones memo-ing one another.
Wait. We said, “Two takes”, in the title. What’s the other take on cybersecurity?
Well, here’s the NATO cyber team.
The whole team. (Well, actually there are six men, so they can field two of these three-man teams. Feel better?).
That sound you hear is chortling in Chinese.