Comment: US cybersecurity posture is not purely defensive

NSA headquartersBy JOSEPH FITSANAKIS | |
In recent years, news coverage of cyberespionage and cybersecurity has increased several times over; both subjects have escaped the narrow confines of technical literature and have entered the broad expanses of popular news media. This blog is no exception; since 2008, we have covered both cybersecurity and cyberespionage at length. In looking back at our coverage, it takes but a cursory glance to conclude that most of our reports feature the names of two countries: China and –to a far lesser extent– Russia. Moreover, the vast majority of our cybersecurity and cyberespionage coverage portrays the United States as a defensive actor, trying desperately to protect the integrity of its networks from foreign hackers. But is this accurate? How realistic is it to assume that the US, the world’s leading military power, abstains from offensive cyberespionage as a matter of strategy? The most likely answer is: not very. The problem is that much of the reporting on cybersecurity is based on national allegiances. Many American media pundits thus tend to forget that Washington, too, conducts cyberespionage.

IntelNews readers will recall that, in September of 2008, the Russian delegation at the 63rd United Nations Assembly initiated a formal resolution on international cybersecurity. The resolution was unanimously approved by Assembly members, with one exception: the United States. In reporting this in 2008, I wondered whether “the US, which has been building its own advanced cyber-attack arsenal since the mid-1990s, has more to gain from international cyber insecurity than do its adversaries”. I repeated this question in January of 2009, when The New York Times published a front-page exposé of an ongoing CIA operation to sabotage Iranian nuclear laboratories and installations, which included sabotage of “computer systems and other networks on which Iran relies”.

Last week, US Secretary of State Hillary Clinton, who in 2010 said that “countries or individuals that engage in cyberattacks should face consequences and international condemnation”, admitted that her own State Department launched just such an attack. She told journalists that the cyberattack was directed “by State Department specialists” against websites based in Yemen. The websites were allegedly defaced to change pro-al-Qaeda propaganda about killing Americans into messages that highlighted the civilian death toll of al-Qaeda’s attacks in Yemen.

While few netizens should shed tears over the defacement of pro-al-Qaeda websites, it must be recognized that such incidents –which most likely include Stuxnet, a computer virus that most experts believe was launched against Iran by the US or its allies– do not promote America’s image as simply a passive deflector of foreign cyberattacks. The Associated Press, which aired the story about the State Department’s recent cyberattack on Yemeni websites, called Secretary Clinton’s announcement “a rare public admission of the ongoing covert cyberwar against extremists”. But there is no reason to assume that the rarity of such public admissions reflects an equal rarity of US cyberattacks against foreign targets. On the contrary, it would be logical to assume that America engages in cyberattacks with the same frequency and intensity as its geopolitical adversaries.

Even if it doesn’t, there are signs that it wants to. A recent report by the Reuters news agency admitted that the National Security Agency (NSA), America’s prime cyberintelligence agency, is busily recruiting US academic institutions to help it “expand US cyber expertise needed for secret intelligence operations against adversaries on computer networks”. Part of this is undoubtedly defensive; the NSA is tasked with protecting America’s communications networks. But not all of it; the NSA is also, as the Reuters article correctly states, meant “to collect foreign intelligence through electronic means”. Therefore, the comment in the Reuters article by Neal Ziring, technical director at the NSA’s Information Assurance Directorate, that NSA employees will “have to know some of the things that hackers know”, must be interpreted both offensively and defensively. The article also quotes former NSA official Dickie George, who says: “Right now you hear a lot of talk about foreign countries, China in particular, coming into our networks […]. Why wouldn’t we want to do the same thing? It’s not a one-way game”.

George is right, of course. By definition, cyberespionage is not a one-way game. But if this is so, we should be told. There’s no need for media pundits to keep pretending that some nations are online aggressors, while others have a purely defensive interest in cybersecurity.

3 Responses to Comment: US cybersecurity posture is not purely defensive

  1. Ove Larsen says:

    Comment: As WikiLeaks has shown, there is a darker world than the official CyberSecurity / Cyperwar ‘players’. Contractors. A lot of money is around for cybersecurity / cyberwar purpose and therefor a lot of contractors try to get a piece of that cake. Maybe that is the reason the world see so much baseless fearmongering about cybersecurity. The contractors seems to think that if they have a old Cold War perspective on cybersecurity they can get a piece of the cake. We have only seen the top of the iceberg with HBGary and Stratfor, published by WikiLeaks, and those two didn’t know anything about there own cybersecutiry but wanted to get a piece of the cybersecurity / cyberwar cake.

    And about Stuxnet. It has shown that the ‘players’ (official or contractors) don’t care how much collateral damage they do to business computer systems along the way in there cyberwar. As long as cyberwar is done by military organizations it will be done with war mentality. The latest estimates I have seen is that more than 1000 commercial computer systems around the world was affected by Stuxnet and the cost to those businesses has been huge.

    (sorry for my English, it’s not my first language)

  2. intelNews says:

    @Ove Larsen: I personally would like to echo your concerns. Recent information shows that nearly 50% of the US Intelligence Community’s (IC) budget ends up in the pockets of private contractors. Ironically, the trend began in the mid-1990s, under the Clinton Administration’s “reinventing government” initiative. The numbers of private contractors went through the roof after 9/11. There are many aspects of this that concern me, and I know that many in the IC are not happy about it either. Thanks for your comment. [JF]

  3. says:

    It is truly shameful that such precautionary measures needs to be taken, but what is more necessary, to be proactive or reactive? Now the scuttlebutt is that San Onofre (sic) nuclear reactor having been the victim of cyber attack!

We welcome informed comments and corrections. Comments attacking or deriding the author(s), instead of addressing the content of articles, will NOT be approved for publication.

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: