Comment: US cybersecurity posture is not purely defensive
May 28, 2012 3 Comments
By JOSEPH FITSANAKIS | intelNews.org |
In recent years, news coverage of cyberespionage and cybersecurity has increased several times over; both subjects have escaped the narrow confines of technical literature and have entered the broad expanses of popular news media. This blog is no exception; since 2008, we have covered both cybersecurity and cyberespionage at length. In looking back at our coverage, it takes but a cursory glance to conclude that most of our reports feature the names of two countries: China and –to a far lesser extent– Russia. Moreover, the vast majority of our cybersecurity and cyberespionage coverage portrays the United States as a defensive actor, trying desperately to protect the integrity of its networks from foreign hackers. But is this accurate? How realistic is it to assume that the US, the world’s leading military power, abstains from offensive cyberespionage as a matter of strategy? The most likely answer is: not very. The problem is that much of the reporting on cybersecurity is based on national allegiances. Many American media pundits thus tend to forget that Washington, too, conducts cyberespionage.
IntelNews readers will recall that, in September of 2008, the Russian delegation at the 63rd United Nations Assembly initiated a formal resolution on international cybersecurity. The resolution was unanimously approved by Assembly members, with one exception: the United States. In reporting this in 2008, I wondered whether “the US, which has been building its own advanced cyber-attack arsenal since the mid-1990s, has more to gain from international cyber insecurity than do its adversaries”. I repeated this question in January of 2009, when The New York Times published a front-page exposé of an ongoing CIA operation to sabotage Iranian nuclear laboratories and installations, which included sabotage of “computer systems and other networks on which Iran relies”.
Last week, US Secretary of State Hillary Clinton, who in 2010 said that “countries or individuals that engage in cyberattacks should face consequences and international condemnation”, admitted that her own State Department launched just such an attack. She told journalists that the cyberattack was directed “by State Department specialists” against websites based in Yemen. The websites were allegedly defaced to change pro-al-Qaeda propaganda about killing Americans into messages that highlighted the civilian death toll of al-Qaeda’s attacks in Yemen.
While few netizens should shed tears over the defacement of pro-al-Qaeda websites, it must be recognized that such incidents –which most likely include Stuxnet, a computer virus that most experts believe was launched against Iran by the US or its allies– do not promote America’s image as simply a passive deflector of foreign cyberattacks. The Associated Press, which aired the story about the State Department’s recent cyberattack on Yemeni websites, called Secretary Clinton’s announcement “a rare public admission of the ongoing covert cyberwar against extremists”. But there is no reason to assume that the rarity of such public admissions reflects an equal rarity of US cyberattacks against foreign targets. On the contrary, it would be logical to assume that America engages in cyberattacks with the same frequency and intensity as its geopolitical adversaries.
Even if it doesn’t, there are signs that it wants to. A recent report by the Reuters news agency admitted that the National Security Agency (NSA), America’s prime cyberintelligence agency, is busily recruiting US academic institutions to help it “expand US cyber expertise needed for secret intelligence operations against adversaries on computer networks”. Part of this is undoubtedly defensive; the NSA is tasked with protecting America’s communications networks. But not all of it; the NSA is also, as the Reuters article correctly states, meant “to collect foreign intelligence through electronic means”. Therefore, the comment in the Reuters article by Neal Ziring, technical director at the NSA’s Information Assurance Directorate, that NSA employees will “have to know some of the things that hackers know”, must be interpreted both offensively and defensively. The article also quotes former NSA official Dickie George, who says: “Right now you hear a lot of talk about foreign countries, China in particular, coming into our networks […]. Why wouldn’t we want to do the same thing? It’s not a one-way game”.
George is right, of course. By definition, cyberespionage is not a one-way game. But if this is so, we should be told. There’s no need for media pundits to keep pretending that some nations are online aggressors, while others have a purely defensive interest in cybersecurity.