- The Washington Times - Thursday, April 20, 2000

It is time for the Department of Defense to expand its area of cyber responsibility to include the nation that it is sworn to protect. Recent calls for more public-private cooperation in the wake of recent computer-security mishaps are laudable, but inadequate. They fail to address a more fundamental issue that the United States cannot currently differentiate mischievous hacking from the strategic threat of coordinated state-sponsored or terrorist attack. Today, the United States depends on the FBI to defend the national information infrastructure from hackers, terrorists and states alike. While this might be sufficient for catching the individual criminal, the risk of cyber warfare demands that we call upon the resources, capabilities and experience of the DoD.

The cyber threat is real. The CIA identifies China, Russia and India as among those states that possess strategic information warfare (IW) capabilities. Last November, for example, the Chinese army newspaper "Jiefangjun Bao" revealed China's estimation that an Internet force is very likely to become another military branch following the army, air force and navy. What are the risks of cyber attack? A well-trained Internet force could, for example, plant a logic bomb in the traffic control network, misrouting commuter trains and causing them to collide. A virus could be planted in the nation's primary funds transfer system, periodically changing the routing codes on checks, causing the system to shut down and consumer confidence to crash. Localized power outages could be followed by a rash of automatic bank -teller crashes, as occurred in Taiwan last July.

As isolated events, the U.S. certainly could cope with these consequences. But the FBI is unlikely to recognize the difference between a series of separate cyber events and a long-term strategy by another nation to undermine American confidence in its national electronic infrastructure. As a law-enforcement agency, the FBI possesses a different mindset from that of DoD. The job of law enforcement is to track down and prosecute the perpetrator of each distinct crime. The events might never be associated with one another. For this reason, among others, a 1996 RAND report on Strategic Information Warfare characterized IW as a new face of war. In particular, RAND warned that there is currently no adequate tactical warning system for distinguishing between strategic IW attacks and other kinds of cyberspace activities, including espionage or accidents. There wasn't then, and despite our growing reliance on the Internet, there isn't now.

The White House's solution to this problem of cyber security is to give every federal agency responsibility for protecting itself. That leaves the DoD responsible only for the protection of its own infrastructure, not for the rest of the nation. The private sector is supposed to build information sharing and analysis centers where they will voluntarily report intrusions to the FBI and receive warning and investigation in return. But there is no direct liaison between the private sector and DoD and there is minimal information sharing between the FBI and DoD. In order for the Department of Defense to identify seemingly random events as a coordinated, strategic cyber attack, a formal relationship needs to be established directly between DoD and the private sector. In addition, DoD would need to be given, and accept, responsibility for defending the nation from coordinated, strategic cyber attack.

In contrast to the FBI, DoD views cyber attacks not just as crimes, but as potential opening acts in a strategic cyber war against the United States. Significantly, the mission of computer network defense was recently assigned to a war-fighting command, U.S. Space Command. DoD deals with hundreds of cyber attacks every day, including the most coordinated and highly organized break-in to date, called Moonlight Maze, that was eventually traced back to Russia. DoD has the strategic mindset and the strategic response capabilities required to identify and link a succession of cyber events. During the war in Yugoslavia, DoD rapidly identified the foreign perpetrators of the cyber attacks on NATO networks. That is their job.

The president's December 1999 National Security Strategy identified critical infrastructure attacks as one of the major threats to the American homeland. He was not referring to hackers or criminals, but to other governments and terrorist groups. It is precisely this kind of threat for which we are unprepared. The FBI has enough work to do keeping pace with exponentially rising computer crime. It is time to put DoD in charge of defending the nation from strategic cyber attack.

Darcy Noricks is a senior analyst at DFI International. She recently completed a project for the strategy office in the Office of the Secretary of Defense to evaluate DoD's roles and requirements in defending the nation from transnational threats.



Click to Read More

Click to Hide