Commentary

The Cybersecurity-Industrial Complex

The feds erect a bureaucracy to combat a questionable threat.

In the last two years, approximately 50 cybersecurity-related bills have been introduced in Congress. In May the White House released its own cybersecurity legislative proposal. The Federal Communications Commission and the Commerce Department have each proposed cybersecurity regulations of their own. Last year, Senate Armed Services Committee Chairman Carl Levin (D-Mich.) even declared that cyberattacks might approach “weapons of mass destruction in their effects.” A rough Beltway consensus has emerged that the United States is facing a grave and immediate threat that can only be addressed by more public spending and tighter controls on private network security practices.

But there is little clear, publicly verified evidence that cyber attacks are a serious threat. What we are witnessing may be a different sort of danger: the rise of a cybersecurity-industrial complex, much like the military-industrial complex of the Cold War, that not only produces expensive weapons to combat the alleged menace but whips up demand for its services by wildly exaggerating our vulnerability.

The Regulatory Urge

The proposals on the table run the gamut from simple requests for more research funding to serious interventions in the business practices of online infrastructure providers. The advocates of these plans rarely consider their costs or consequences.

At one end of the spectrum, there have been calls to scrap the Internet as we know it. In a 2010 Washington Post op-ed, Mike McConnell, former National Security Agency chief and current Booz Allen Hamilton vice president, suggested that “we need to reengineer the Internet to make attribution, geolocation, intelligence analysis and impact assessment-who did it, from where, why and what was the result-more manageable.” Former presidential cybersecurity adviser Richard Clarke has recommended the same. “Instead of spending money on security solutions,” he said at a London security conference last year, “maybe we need to seriously think of redesigning network architecture, giving money for research into the next protocols, maybe even think about another, more secure Internet.”

A re-engineered, more secure Internet is likely to be a very different Internet than the open, innovative network we know today. A government that controls information flows is a government that will attack anonymity and constrict free speech. After all, the ability to attribute malicious behavior to individuals would require users to identify themselves (or be identifiable to authorities) when logging on. And a capability to track and attribute malicious activities could just as easily be employed to track and control any other type of activity.

Many current and former officials, from Clarke to FBI Director Robert Mueller, have proposed requiring private networks to engage in deep packet inspection of Internet traffic, the online equivalent of screening passengers’ luggage, to filter out malicious data and flag suspicious activity. The federal government already engages in deep packet inspection on its own networks through the Department of Homeland Security’s “Einstein” program. Mandating the same type of monitoring by the Internet’s private backbone operators-essentially giving them not just a license but a directive to eavesdrop-would jeopardize user privacy.

There have also been proposals at the FCC and in Congress for the certification or licensing of network security professionals, as well as calls for mandating security standards. While certification may seem harmless, occupational licensing mandates should never be taken lightly; they routinely restrict entry, reduce competition, and hamper innovation. Politicians have also called for substantial new government subsidies, including the creation of regional cybersecurity centers across the country to help medium-sized businesses protect their networks.

Many of the bills would mandate a new cybersecurity bureaucracy within either the Department of Homeland Security or the Defense Department. Many would also create new reporting requirements. For example, the administration’s proposed legislation requires that private firms deemed by the head of Homeland Security to be “critical infrastructure” must develop cybersecurity plans and have those plans audited by federally accredited third parties.

With proposals as intrusive and expensive as these, you might think the case for federal intervention is overwhelming. But it isn’t. Again and again, the regulators’ argument boils down to “trust us.”

The CSIS Commission

One of the most widely cited arguments for more federal involvement in online security was made by the Commission on Cybersecurity for the 44th Presidency, which unveiled its report in December 2008. The commission, assembled by the Center for Strategic and International Studies (CSIS), a foreign policy think tank, in February 2008, served as a sort of cybersecurity transition team whoever the new president turned out to be. It was chaired by two members of Congress and composed of security consultants, academics, former government officials, and representatives of the information technology industry. Their report concluded that “cybersecurity is now a major national security problem for the United States” and urged the feds to “regulate cyberspace” by enforcing security standards for private networks.

Yet the commission offers little evidence to support those conclusions. There is a brief discussion of cyberespionage attacks on government computer systems, but the report does not explain how these particular breaches demonstrate a national security crisis, let alone one that “we are losing.”

The report notes, for example, that Defense Department computers are “probed hundreds of thousands of times each day.” Yet it fails to mention that probing and scanning networks are the digital equivalent of trying doorknobs to see if they are unlocked-a maneuver available to even the most unsophisticated would-be hackers. The number of times a computer network is probed is not evidence of a breach, an attack, or even a problem.

More ominously, the report warns: “Porous information systems have allowed opponents to map our vulnerabilities and plan their attacks. Depriving Americans of electricity, communications, and financial services may not be enough to provide the margin of victory in a conflict, but it could damage our ability to respond and our will to resist. We should expect that exploiting vulnerabilities in cyber infrastructure will be part of any future conflict.”

An enemy able to take down our electric, communications, and financial networks at will would indeed be a serious threat. And it may well be the case that the state of security in government and private networks is deplorable. But the CSIS report cites no reviewable evidence to substantiate this supposed danger. There is no support for the claim that opponents have “mapped vulnerabilities” and “planned attacks.” Neither the probing of Pentagon computers nor the cited cases of cyberespionage-for instance, the hacking of a secretary of defense’s unclassified email-have any bearing on the probability of a successful attack on the electrical grid.

Nevertheless, the commission concludes that tighter regulation is the only way toward greater security. It is “undeniable,” the report claims, that “market forces alone will never provide the level of security necessary to achieve national security objectives.” But without any verifiable evidence of a threat, how are we to know what exactly the “appropriate level of cybersecurity” is and whether market forces are providing it? With at least some security threats, such as industrial espionage and sabotage, private industry has a strong incentive to protect itself. If there is a market failure here, the burden of proof is on those who favor regulation. So far they have not delivered.

Although they never explicitly say so, the report’s authors imply that they are working from classified sources, which might explain the dearth of reviewable evidence. To its credit, the commission laments what it considers the “overclassification” of information related to cybersecurity. But this excessive secrecy should not serve as an excuse. If the buildup to the Iraq war teaches us anything, it is that we cannot accept the word of government officials with access to classified information as the sole evidence for the existence or scope of a threat.

Cyberwar: The Book

If the CSIS report is the document cyberhawks cite most, the most widely read brief for their perspective is the 2010 bestseller Cyber War, by Richard Clarke and Robert Knake, a cybersecurity specialist at the Council on Foreign Relations. This book makes the case that U.S. infrastructure is extremely vulnerable to cyber attack by enemy states. Recommendations include increased regulation of electrical utilities and Internet service providers.

“Obviously, we have not had a full-scale cyber war yet,” Clarke and Knake write, “but we have a good idea what it would look like if we were on the receiving end.” The picture they paint includes the collapse of the government’s classified and unclassified networks, the release of “lethal clouds of chlorine gas” from chemical plants, refinery fires and explosions across the country, midair collision of 737s, train derailments, the destruction of major financial computer networks, suburban gas pipeline explosions, a nationwide power blackout, and satellites in space spinning out of control. In this world, they warn, “Several thousand Americans have already died, multiples of that number are injured and trying to get to hospitals.…In the days ahead, cities will run out of food because of the train-system failures and the jumbling of data at trucking and distribution centers. Power will not come back up because nuclear plants have gone into secure lockdown and many conventional plants have had their generators permanently damaged. High-tension transmission lines on several key routes have caught fire and melted. Unable to get cash from ATMs or bank branches, some Americans will begin to loot stores.” All of which could be the result of an attack launched “in fifteen minutes, without a single terrorist or soldier appearing in this country.”

Clarke and Knake assure us that “these are not hypotheticals.” But the only verifiable evidence they present relates to several well-known distributed denial of service (DDOS) attacks. A DDOS attack works by flooding a server on the Internet with more requests than it can handle, thereby causing it to malfunction. A person carrying out a DDOS attack will almost certainly produce this flood of requests with a botnet-a network of computers that have been compromised without their users’ knowledge, usually through a virus. Vint Cerf, one of the fathers of the Internet and Google’s chief Net evangelist, has estimated that possibly a quarter of personal computers in use today are compromised and placed in unwilling service of a botnet.

Clarke and Knake cite several well-known DDOS attacks, such as the attacks on Estonia in 2007 and Georgia in 2008, both widely suspected to have been coordinated by Russia. They also mention an attack on U.S. and NATO websites in 1999 after American bombs fell on the Chinese embassy in Belgrade. And they cite a July 4, 2009, attack on American and South Korean websites, widely attributed to North Korea. These reputedly state-sponsored operations, along with the hundreds of thousands of other DDOS attacks each year by private vandals, are certainly a sign of how vulnerable publicly accessible servers can be. They are not, however, evidence of the capability necessary to derail trains, release chlorine gas, or bring down the power grid.

The authors admit that a DDOS attack is often little more than a nuisance. The 1999 attack saw websites temporarily taken down or defaced, but it “did little damage to U.S. military or government operations.” Similarly, the 2009 attacks against the United States and South Korea caused several government agency websites, as well as the websites of the NASDAQ Stock Market, the New York Stock Exchange, and The Washington Post, to be intermittently inaccessible for a few hours. But they did not threaten the integrity of those institutions. In fact, the White House’s servers were able to deflect the attack easily thanks to the simple technique of “edge caching,” which involves serving Web content from multiple sources, in many cases servers geographically close to users.

Without any formal regulation mandating that it be done, the affected agencies and businesses worked with Internet service providers to filter out the attacks. Once the attackers realized they were no longer having an effect, the vandalism stopped. Georgia, hardly the world’s richest or most technologically sophisticated country, similarly addressed attacks on its websites by moving them to more resilient servers hosted outside of its borders.

Clarke and Knake recognize that DDOS is a “primitive” form of attack that would not pose a major threat to national security. Yet DDOS attacks make up the bulk of the evidence for the dire threat they depict. If we have no verifiable evidence of the danger we’re in, they write, it is merely because the “attackers did not want to reveal their more sophisticated capabilities, yet.” With regard to the Georgian and Estonian episodes, they argue that the “Russians are probably saving their best cyber weapons for when they really need them, in a conflict in which NATO and the United States are involved.”

When Clarke and Knake venture beyond DDOS attacks, their examples are easily debunked. To show that the electrical grid is vulnerable, for example, they suggest that the Northeast power blackout of 2003 was caused in part by the “Slammer” worm, which had been spreading across the Internet around that time. But the 2004 final report of the joint U.S.-Canadian task force that investigated the blackout explained clearly that no virus, worm, or other malicious software contributed to the power failure. Clarke and Knake also point to a 2007 blackout in Brazil, which they believe was the result of criminal hacking of the power system. Yet separate investigations by the utility company involved, Brazil’s independent systems operator, and the energy regulator all concluded that the power failure was the result of soot and dust deposits on the high-voltage insulators on transmission lines.

Before we pursue the regulations that Clarke and Knake advocate, we should demand more precise evidence of the threat they portray and the probability that it will materialize. That will require declassification and a more candid, on-the-record discussion.

Media Panic

While Cyber War has been widely criticized in the security trade press, the popular media have tended to take the book at its word. Writing in The Wall Street Journal in December 2010, U.S. News & World Report Editor-in-Chief Mort Zuckerman warned that enemy hackers could easily “spill oil, vent gas, blow up generators, derail trains, crash airplanes, cause missiles to detonate, and wipe out reams of financial and supply-chain data.” The sole source for his column, and for his recommendation that the federal government establish a cybersecurity agency to regulate private networks, was Clarke and Knake’s “revealing” book. The New York Times also endorsed Cyber War, sweeping aside skepticism about the book’s doomsday scenarios by noting that Clarke, who had warned the Bush and Clinton administrations about the threat from Al Qaeda before 9/11, has been right in the past.

Then there was the front-page article that The Wall Street Journal published in April 2009 announcing that the U.S. power grid had been penetrated by Chinese and Russian hackers and laced with “logic bombs”-computer programs that can be triggered remotely to cause damage. As with Judith Miller’s notorious New York Times articles on Iraq’s alleged weapons of mass destruction, the only sources for the story’s claim that key infrastructure has been compromised were anonymous U.S. intelligence officials. With little specificity about the alleged infiltrations, readers were left with no way to verify the claims. The article did cite a public pronouncement by senior CIA official Tom Donahue that a cyber attack had caused a power blackout overseas. But Donahue’s pronouncement is what Clarke and Knake cite to support their claim that cyber attacks caused a blackout in Brazil, which we now know is untrue.

The author of the Journal article, Siobhan Gorman, contributed to another front-page cybersecurity scoop claiming that spies had infiltrated Pentagon computers and stolen terabytes of data related to the F-35 Joint Strike Fighter. The only sources for that April 2009 report were “current and former government officials familiar with the attacks.” Later reporting by the Associated Press, also citing anonymous officials, found that no classified information was compromised in the breach.

The Brazil blackout was also the subject of a 2009 60 Minutes exposé on cyberwar. To back up its claim that the blackouts were the result of cyber attacks, the show cited only anonymous “prominent intelligence sources.” The segment also featured an interview with Mike McConnell, who claimed that a blackout was within the reach of foreign hackers and that the United States was not prepared.

In February 2010, The Washington Post granted McConnell 1,400 words to make his case. He told readers: “If an enemy disrupted our financial and accounting transactions, our equities and bond markets or our retail commerce-or created confusion about the legitimacy of those transactions-chaos would result. Our power grids, air and ground transportation, telecommunications, and water-filtration systems are in jeopardy as well.” Rather than offering evidence to corroborate this fear, McConnell pointed to corporate espionage generally, and specifically to an incident in which Google’s Gmail service had been compromised-another instance of espionage attributed to China.

The Cybersecurity-Industrial Complex

Washington is filled with people who have a vested interest in conflating and inflating the threats to our digital security. In his famous farewell address to the nation in 1961, President Dwight Eisenhower warned against the dangers of what he called the “military-industrial complex”: a excessively close nexus between the Pentagon, defense contractors, and elected officials that could lead to unnecessary expansion of the armed forces, superfluous military spending, and a breakdown of checks and balances within the policy making process. Eisenhower’s speech proved prescient.

Cybersecurity is a big and booming industry. The U.S. government is expected to spend $10.5 billion a year on information security by 2015, and analysts have estimated the worldwide market to be as much as $140 billion a year. The Defense Department has said it is seeking more than $3.2 billion in cybersecurity funding for 2012.

Traditional defense contractors, both to hedge against hardware cutbacks and get in on the ground floor of a booming new sector, have been emphasizing cybersecurity in their competition for government business. Lockheed Martin, Boeing, L-3 Communications, SAIC, and BAE Systems have all launched cybersecurity divisions in recent years. Other defense contractors, such as Northrop Grumman, Raytheon, and ManTech International, have also invested in information security products and services.

Traditional I.T. firms such as McAfee and Symantec also see more opportunities to profit from cybersecurity business in both the public and private sectors. As one I.T. market analyst put it in a 2010 Bloomberg report: “It’s a cyber war and we’re fighting it. In order to fight it, you need to spend more money, and some of the core beneficiaries of that trend will be the security software companies.” I.T. lobbyists, too, have pushed hard for cybersecurity budget increases. Nir Zuk, chief technology officer at Palo Alto Networks, complained to The Register last year that “money gets spent on the vendors who spend millions lobbying Congress.”

Meanwhile, politicians have taken notice of the opportunity to bring more federal dollars to their states and districts. Recently, for example, the Air Force established Cyber Command, a new unit in charge of the military’s offensive and defensive cyber capabilities. Cyber Command allows the military to protect its critical networks and coordinate its cyber capabilities, an important function. But the pork feeding frenzy that it touched off offers a useful example of what could happen if legislators or regulators mandate similar buildups for private networks.

Beginning in early 2008, towns across the country sought to lure Cyber Command’s permanent headquarters. Authorities in Louisiana estimated that the facility would bring at least 10,000 direct and ancillary jobs, billions of dollars in contracts, and millions in local spending. Politicians naturally saw the command as an opportunity to boost local economies. Governors pitched their respective states to the secretary of the Air Force, a dozen congressional delegations lobbied for the command, and Louisiana Gov. Bobby Jindal even lobbied President George W. Bush during a meeting on Hurricane Katrina recovery. Many of the 18 states vying for the command offered gifts of land, infrastructure, and tax breaks.

The city of Bossier, Louisiana, proposed a $100 million “Cyber Innovation Center” office complex next to Barksdale Air Force Base and got things rolling by building an $11 million bomb-resistant “cyber fortress,” complete with a moat. Yuba City, California, touted its proximity to Silicon Valley. Colorado Springs pointed to the hardened location of Cheyenne Mountain, headquarters for NORAD. In Nebraska the Omaha Development Foundation purchased 136 acres of land just south of Offutt Air Force Base and offered it as a site.

The Air Force ultimately established Cyber Command HQ at Fort Meade, Maryland, integrated with HQ for the National Security Agency. In the run-up to the announcement, Sen. Barbara Mikulski (D-Md.) proclaimed, “We are at war, we are being attacked, and we are being hacked.”

Proposed cybersecurity legislation presents more opportunities for pork spending. The Cybersecurity Act of 2010, proposed by Sens. Jay Rockefeller (D-W. Va.) and Olympia Snowe (R-Maine) called for the creation of regional cybersecurity centers across the country, a cyber scholarship-for-service program, and myriad cybersecurity research and development grants.

Sensible Steps

Before enacting sweeping changes to stop cybersecurity threats, policy makers should clear the air with some simpler steps.

First: Stop the apocalyptic rhetoric. The alarmist scenarios dominating policy discourse may be good for the cybersecurity-industrial complex, but they aren’t doing real security any favors.

Second: Declassify evidence relating to cyber threats. Overclassification is a widely acknowledged problem, as the CSIS report and Clarke and Knake’s book both acknowledge, and declassification would allow the public to verify the threats rather than blindly trusting self-interested officials.

Third: Disentangle the disparate dangers that have been lumped together under the “cybersecurity” label. This has to be done if anyone is to determine who is best suited to address which threats. In cases of cybercrime and cyberespionage, for instance, private network owners may be best suited and may have the best incentive to protect their own valuable data, information, and reputations.

Only after disentangling the alleged threats can policy makers assess whether a market failure or systemic problem exists in each case. They can then estimate the costs and benefits of regulation and other alternatives, and determine what if anything Washington must do to address the appropriate issues. Honestly sizing up the threat from cyberspace and crafting an appropriate response does not mean that we have to learn to stop worrying and love the cyber bomb.

Jerry Brito is a senior research fellow at the Mercatus Center at George Mason University and director of its Technology Policy Program. Tate Watkins is a research associate at the Mercatus Center. This column first appeared at Reason.com.