US vs The World – The Cyber Monroe Doctrine

On December 2nd in 1823, the US introduced the Monroe Doctrine. This article declared that the US would view further European interference in the Americas (the Western Hemisphere) as acts of aggression and reserved the right to an armed response. On march 10th, 2009 it was argued in front of a Homeland Security Subcommittee on “Emerging Threats, Cybersecurity and Science and Technology” by Mary Ann Davidson that this same piece of US doctrine would be a suitable candidate for application in cyberspace. You can find more information at Whitehouse.gov about this testimony, from where it has recently resurfaced on various discussion boards such as the Dutch Cyber Warfare Community group on LinkedIn (thank you Matthijs).

Not unlike other testimonies on the subject of Cyber Warfare and Cyber Doctrine coming from the US, we see a very ‘red-blooded American’ attitude seeping through, and quite frankly that’s not helping matters. Im generally a big fan of ‘re-using’ existing laws and policies when they apply well enough to Cyber, but Davidson demonstrates a lack of true understanding of the situation. It is possible that her testimony was misunderstood or misquoted by the person who wrote the testimony excerpt, but nevertheless I would like to address a few key issues I have with the testimony.

“We are in a conflict – some would say a war. Let’s call it what it is.”
In the very first segment of the testimony, Davidson asserts a number of things that are simply incorrect. The title of the paragraph is a clear giveaway, and sets the tone for the rest of the testimony. Davidson observes that the US is under constant attack in cyberspace, and that this amounts to war. What she does here is lump together all the cyber attacks that are recorded, and make it seem like this is all part of one big cyber war. But this is not the case. I would argue that 80% (if not more) of these attacks are merely ill-advised scriptkiddie attacks, maybe not even really aimed at government resources specifically. This is so common that many security people have come to call these attacks ‘internet white noise’. The remainder of the attacks might be more targetted, but their origins are at least as diverse as of the earlier 80%. They are perpetrated by cyber criminals, stalkers, curious college students putting their class material into practice, security pentesters who overstep their bounds, bored high school drop-outs, disgruntled administrators and many more potential attackers. You just don’t know. You can’t know. There are just too many attacks from too many sources to make it feasible to chase every one of them to find out. To lump all these attacks together and paint them as a constant barrage by one enemy is not just incorrect, its also dangerous and foolish. If anything, you’re not in one conflict, you’re in thousands.

Even if you consider all these attacks by all these different enemies conflicts, which implicates that there is some underlying plan or strategy to said attacks, its still a big leap in logic to call it a War. America’s habit of declaring war on abstract notions (the War on Drugs, War on Terror et cetera) may sometimes be necessary to get people to act, but in case of Cyberspace it just doesn’t work. Internet is everywhere and, considering the earlier clarification on the attacks, you’re attacked by thousands of enemies. What are they going to call it? “The War Against Everyone”? Actually, given the tone of the testimony I should probably refrain from giving Davidson any ideas. It is exactly this attitude that gives credence to people who claim that the war drums are being beaten unnecessarily to militarize the Internet and to reduce the rights and freedoms of netizens.  Language matters. Talk of war incites thoughts of war, and it should be used sparingly.

 Given the diversity of potentially hostile entities building cadres of cyberwarriors, probing our systems including our defense systems for weaknesses, infiltrating U.S. government networks and making similar attempts against American businesses and critical industries, is there any other conclusion to be reached? Whatever term we use, there are three obvious outgrowths from the above statement. One is that you do can’t win a “conflict” – or war if you don’t admit you are in one. The second is that nobody wins on defense. And the third is that we need a doctrine for how we intercede in cyberspace that covers both offense and defense and maps to existing legal and societal principles in the offline world.

Emphasis is mine. As previously stated, there are a multitude of conclusions you could draw from what is happening on your networks. The three points mentioned thereafter make even less sense, because she speaks about ‘winning’  the ‘war’. But what does that mean? The Monroe Doctrine referred to Military/Political consequences to Military/Political interference by foreign nations on US soil. Or rather the entire Western Hemisphere but I digress. I mention this with emphasis because the Internet and/or Cyberspace is a different animal altogether. The majority of the cyber equivalent of ‘US soil’ isn’t actually ‘US soil’, but is actually owned and operated completely and totally by third parties. To further complicate matters, a large portion of that is owned and operated by third parties who are distinctly not American such as foreign-owned corporations. Imposing a Cyber Monroe Doctrine would effectively militarize the entire US portion of cyberspace. That is, if they can ever decide on what parts of that cyberspace they could and could not call American. Davidson acknowledges this problem with the use of the term ‘turf’ but fails to grasp the severity of the problems it causes with her theory.

So that covers the underlying theory by Mary Ann Davidson, but the three ‘outgrowths’ don’t even make sense on their own. “You can’t win a war if you don’t admit that you’re in one.” Aside from the whole War statement…I mean…Really? This is a complete non-sequitur if you ask me. You could argue the exact reverse and it would be equally true (or untrue, of course). I might be piling on here, but someone should probably have told the US Senate this before the Vietnam war, which the US never formally admitted as being a War. Had they used Davidson’s logic, they would have known this was a war they could not win.

The second is that nobody wins on defense.” This is another argument that doesn’t stand up to closer scrutiny. The Monroe Doctrine revolved mostly around defense. It was enacted to work as a deterrent to protect (not project) US interests in the Western Hemisphere. So what does Davidson envision with this statement? It seems to me that she’s calling for offensive cyber operations, which is something that isn’t covered by the Monroe Doctrine. Monroe wanted to defend his Home, while Davidson seems to want to cross the pond and kick some butt. She’s calling for a Sword to match the Shield, but doesn’t take into account that they are two entirely separate entities with entirely different properties, capabilities and logistics.

And the third is that we need a doctrine for how we intercede in cyberspace that covers both offense and defense and maps to existing legal and societal principles in the offline world.” So if I read this correctly, Davidson argues the US needs a doctrine because….well, because! This last argument isn’t actually an argument. Its a possible answer to her first two statements and probably only included because she needed a third argument. Three arguments makes it sound nice and official. And why would the US need one doctrine to cover everything? It has been my understanding that the US Government has published various doctrinal documents that cover a variety of issues, such as the International Strategy for Cyberspace. The US Department of Defense has also published a number of documents on Cyberspace over the last few years, and these map to a number of existing legal and societal principles in the offline world. These can be easily found online.

So is Mary Ann Davidson correct in her assertion that the Monroe Doctrine would be a handy fit in Cyberspace? To be honest, I don’t know. Im not a politician and im not a military strategist. But her arguments are flawed and they didn’t sway me. Im usually a big fan of a common-sense approach to Cyber-anything, and in most cases we can apply existing legal and societal frameworks just fine. But in this particular case we simply cannot forget that the US already has an potentially undue influence over the proper functioning of the Internet, and any kind of overly agressive stance will foster more animosity between the US and the rest of the world. The Internet is, and should remain, an active demonstration of global cooperation. We would all be better off if we strived to make things safer for everyone.

The Alan Paller Testimony

A while ago the U.S. Senate Committee on Homeland Security and Governmental Affairs held a hearing on protecting Cyberspace as a national asset. To this end they introduced a Senate Bill (S 3480) and they asked various people to share their opinions. Among others they asked Alan Paller, Director of Research at the SANS institute and overseer of the Internet Storm Center (ISC), for his opinion on the Bill. He responded on June 15th with a written testimony. This testimony is available online here:

http://www.sans.org/security-resources/alan-paller-testimony.pdf

Or if you prefer video, you can also see the full senate hearing here:

http://www.senate.gov/fplayers/I2009/urlPlayer.cfm?fn=govtaff061510p&st=795&dur=8580

I believe he has made some very good points. He sums up why the US is in trouble right now, referring to various past events and quotes several high-ranking US officials. More importantly he makes a strong case for modification that will make the Bill more effective and these will probably be well-received by the industry.

Many industry experts have pointed out that the old FISMA bill, by making NIST standards and guidance mandatory, has become a huge administrative beast producing only useless reports that contain mostly outdated information. In fact, this burden has become so great that it has become an industry on its own. Many companies and departments are spending a large portion of their security budget hiring contractors writing the reports just to stay compliant. All this budget and effort is spent there instead of resolving the actual problems. Mr. Paller goes on to point out how this new Bill does fix those issues, but makes four suggestions to further improve it.

He also warns against pandering to highly paid antibodies in Washington that are doing their best to stymie government oversight and regulation because they claim the government lacks the expertise to do so properly. His best point, in my opinion, is that if Government oversight and regulation is so bad, why did Google turn to the government for help when they were being attacked with the now well-known Aurora attacks? Surely if the government lacked the expertise, what good would that do?

In all, Alan Paller’s testimony is levelheaded, fair and insightful. I appreciated that he didn’t paint doom scenarios like some others seem to do, and I respected his remarks about the Washington lobbyists that are doing everything to keep the government from creating proper regulations and oversight. His testimony is an easy read and I advise anyone with a few spare minutes to read it.