How likely is cyberwar, and can public-private security collaboration actually help prevent it from happening?
In this video, Jim Lewis, Director and Senior Fellow in the Technology and Public Policy Program at the Center for Strategic and International Studies, discusses the probability of cyberwar and the necessity of secure infrastructure collaboration.
- Watch part two of this series: Cloud computing security issues
- Watch part three of this series: SCADA security threats and Stuxnet analysis
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact email@example.com.
Jim Lewis on cyberwarfare, secure infrastructure collaboration
Mike Mimoso: Hi, I'm Mike Mimoso and Jim Lewis is with me today. How are
you Jim? Thanks for joining us.
Jim Lewis: Great to be here.
Mike Mimoso: I want to talk a little bit about cyber war and federal
security with you. The first question is around the notion of
public/private cooperation and collaboration and information sharing. These
notions have always been such non-starters. Why is that?
Jim Lewis: The original theory was that if you told people how bad the
problem was, they would adjust to that and take actions they wouldn't
otherwise take. Like if we told you there was a one in ten chance that your
house would be hit by a meteorite you would go out and by meteorite
insurance. But there were two problems with that. First of all, people
didn't believe it. Second there were real issues in sharing information,
particularly classified information. When you can tell people what the
threat really is, and DOD has done this with defense contractors. Then they
might change their behavior, right? Even then, even if they do change their
behavior you still have to help them in figuring out what to do. That's
both a public and a private responsibility. But if you just give them the
normal stuff that everyone knows people are going to say, "I can handle
this risk. I'm not going to do anything different."
You know, I've been meaning to go back and ask the people who wrote the '98 PDD 63
why did they come up with public private partnership and information
sharing. Was it to avoid regulation? Was it that they believed all the
stuff about how the internet was new and wonderful. Why did they pick this?
Why they picked it is a legacy of the times right? It was 1998. Why we're
still mumbling this stuff 13 years later is the real problem.
Mike Mimoso: If you had a chance to revamp the 2003 National Strategy to
secure cyberspace, what would it look like? What should be in it?
Jim Lewis: There's a good approach to this which is that the problem is
now so big with so many parts that there's no longer a one-size-fits-all
solution. So, part of what you need is international engagement. You need to go
to other countries, talk to them about what cyber war would look like. It
hasn't happened yet, but it could happen. You need to talk about law
enforcement cooperation and how to deal with cyber crime. There's a little
bit of an overlap because two of the most active opponents use criminals as
proxy forces, as people who engage in the tax on the behest of the state,
and on their off days they're cyber criminals.
So we need to find international cooperation and strength in it.
Administration is starting to do that but it's just starting. We need to
think about critical infrastructure. Critical infrastructure is not going
to fix itself. Now there are some companies that do well, and there are
other companies that don't. And we just saw a process where NIST came up
with consensus standards on securing the smart grid. It was really quite
funny because they had, I think it was 475 companies participating in
their consensus process. You can imagine what came out and the
congressional research service said "yeah they came up with these consensus
standards but they don't do what we need to do." We're going to have to
bite the bullet on critical infrastructure and think about mandatory
actions. It's going to be hard, but this is national security. Our
opponents are not going to wait while we have some political debate.
There's a new issue that has come up, what is the role of
service providers. And as you move into the Cloud you can fine me later for
saying Cloud. But as you move into a place where people store or access
applications remotely, the responsibility for security is not going to fall
on them it will fall on that service provider. What do you want the ISP's,
the TELCO's, the big network operators? What do you want them to do? Some
problems Botnets are probably fixable, if you made it a responsibility in
some way, for the internet service providers to help their customers when
they were taken over and made part of a botnet.
Comcast has a very successful program I understand in Denver of
helping their customers. The Germans have begun a national program. The
Australians have begun a national program. The U.S. is the largest single
source of botnets in the world, or at least we're tied with China if we're
not number one and this is fixable if you make the service providers do a
little bit more. So that will be a big issue. So we've got international
cooperation, critical infrastructure legislation, service providers and we
need to think about supply chain. Supply chain is going to be difficult.
Because the easy answer is - let's do national standards and the short answer
to that is they won't work. They won't work for two reasons.
First, it's a global industry. Second, when we do something like that other
countries pick up on it and they say well I want my own national standards,
I want my own national inspection. And so you already have in China a
request to see source coding design information on U.S. products. Maybe in
a happier world we can trust the Chinese to handle that source code and
that design information safely. But there's this little tiny risk of
espionage. People are afraid. So we have to find some way to cooperate on
supply chain security. I'd say those would be a good start. International
cooperation including crime, military action, norms, critical
infrastructure protection including mandatory action, regulation, service
providers' greater responsibility, and then thinking about supply chain and
international cooperation again.