'Active defense' experts call for larger role for U.S. Cyber Command

Two former NSA chiefs argued at RSA Conference 2012 for more "active defense" information sharing and a larger security role for U.S. Cyber Command.

SAN FRANCISCO – The majority of a panel of experts with intimate knowledge of the inner workings of the National Security Agency (NSA) told RSA Conference 2012 attendees that the U.S. Cyber Command must assume a larger role in securing the Internet, despite the privacy concerns expressed by lawmakers and the public.

During a wide-ranging discussion about the role of active defense in the private sector, several panelists expressed strong support for harnessing the Cyber Command's advanced capabilities to do more to protect the U.S. and the Internet at large from cyberattacks.

Panel moderator James Lewis, senior fellow and program director for the Center for Strategic and International Studies (CSIS), suggested the North American Aerospace Defense Command (NORAD) could serve as an operational model for the Cyber Command to proactively defend a specific region of cyberspace.

The mission statement of the Cyber Command is to protect the Department of Defense networks, and only conduct "full-spectrum military cyberspace operations" to prevent the imminent harm of the U.S. and its allies. The Cyber Command is technically part of the U.S. Strategic Command and is comprised of members of several branches of the Armed Forces, but operates out of Ft. George G. Meade Army installation in Maryland, also home of the NSA.

"This is a multi-billion-dollar investment that could serve a much broader population than it does today," said Lt. Gen. (Ret.) Ken Minihan, managing director of Paladin Capital Group and a former director of the NSA. "I'm not as patient because we've been at [cyberdefense] for two decades. We need to get this done."

However, Jim Dempsey, vice president for public policy for the Center for Democracy and Technology, voiced concern about reliance on the military, noting that the NORAD analogy is limited in many ways. 

"Every single ICBM [intercontinental ballistic missile] entering the U.S. is a threat," Dempsey said. "Every single airplane not offering the proper identifier in North American airspace is a threat. Not every data packet entering the U.S. is a threat."

Given the challenges of enabling the Cyber Command to take on a larger Internet defense role, Dempsey indicated he would not be in favor of such a change, even if the Cyber Command weren't shrouded in the veil of secrecy cast by the NSA.

"There's an interesting question about how we got to this point in the history of the Internet, which is central to our global economy and society, where the best, strongest, most effective resource for securing it is in a beyond-top-secret military agency," Dempsey said. "It's not too late to reverse that."

Gen. (Ret.) Michael Hayden, principal with the Chertoff Group and also a former director of the NSA and CIA, hinted at the difficulty that would come with granting the Cyber Command broader authority to identify and stop cyberattacks, especially against private interests.

"To be successful, the NSA needs two things: It has to be secretive and it has to be powerful," Hayden said. "And it lives in a political culture that distrusts only two things: secrecy and power."

Another key stumbling block, Hayden said, is that unlike the Soviet microwave transmission-interception work the NSA conducted in decades past, today's reconnaissance landscape exists within the networks of telecommunications providers and is intermingled with private citizens' perfectly benign emails and telephone calls. The challenge, he added, is convincing lawmakers and the general public that the agency needs more autonomy to inspect private communications to proactively identify cyberthreats.

"This isn't new business. This is something that's been done out there for a long time," Hayden said. "And it's done quite carefully by the folks at Fort Meade."

Ron Deibert, director of the Canada Centre for Global Security Studies, said the business of striking down attackers is often more complicated than it seems. Referencing the conflict between the nation of Georgia and Russia in 2008, he noted that a denial-of-service attack against Georgia was believed to have been conducted by Russia. However, he said, research later revealed several distributed botnets had conducted the attack, with the majority of the zombie machines located in the U.S.

"It's a very serious issue when you talk about counterstrikes. There's always a danger with attribution," Deibert said. "Someone who says, 'Strike down the attackers where they came from' would have been attacking PCs in their own country."

The panelists also advocated for more government information sharing to enable ongoing active defense, which Dempsey described as an effort to use real-time threat intelligence data to stop potential attacks before they reach their intended targets. Several experts, however, went to great pains to say active defense is about stopping attacks, not conducting counterattacks against known assailants.

This effort came to life last year with the Defense Industrial Base Cyber Pilot, or DIB Cyber Pilot, a pilot program in which the Department of Defense and Department of Homeland Security share classified information on threats and mitigation tactics with a limited number of private companies and ISPs.

While some panelists called for expanding the DIB and making participation mandatory, Dempsey said the incremental progress being made to foster public-private cooperation is better than no progress at all.
