T H I N K I N G S T R AT E G I C A L LY A B O U T C N C I ( C o m p r e h e n s i v e N a t i o n a l C y b e r s e c u r i t y I n i t i a t i v e )
PROPOSITIONS: ASYMMETRIC RISKS TO THE NETWORKED INFORMATION ECONOMY (UNDERSTANDING THE CYBERSPACE THREAT ENVIRONMENT)
What follows are a series of propositions that, if true, or at least measurably describe the substance of what we presently understand concerning the reality of the cyberspace environment, can provide a framework for developing design standards that may be used to develop cyberspace threat deterrence measures. Thus, from a probabilistic risk assessment (PRA) perspective, each proposition has a ‘cost’ or economic ramification embedded in the logic (truth or falsity) of the statement: The advent of advanced computational resources, large-scale data storage, and cyber networks (collectively, “cyberspace”) and the networked information economy is the most significant economic change since the start of the industrial age. Cyberspace presently serves as the substrate for the evolution of the post-industrial economy of the twenty-first century in advanced countries of the world; Cyberspace is an human-engineered complex, dynamical system described most accurately as a system comprised of a large network of components operating with simple rules (programs and protocols) with no central control (i.e. the system is self-organizing) that results in sophisticated information processing (computational processes), adaptation, and complex collective behavior. Additionally, this complex, dynamical system is non-linear in its exhibition of emergent behavior (i.e. the behavior of the system cannot be fully predicted from a knowledge of all its parts) and probably exhibits features of a chaotic system (i.e. there is a sensitive dependence on initial conditions). 1 If cyberspace is the foundation for a large portion of the annual GDP growth of the national economy, it has taken on a mantle of ‘critical infrastructure’ with National Security implications; Cyberspace network resilience is lower than it should be given its National Security importance.2 For example, critical cyber network infrastructure is outdated, highly vulnerable to threats, inefficient, and unsuitable for sustained future economic growth. Using the Federal Interstate Highway System3 as an analogue, it is as though we have both high powered sports cars and model T Fords traveling down the road together for 8 hours a
LYLE A. BRECHT --- DRAFT 1.3--- 410.963.8680 --- CAPITAL MARKETS RESEARCH --- July 3, 2009
PAGE 1 OF 9
T H I N K I N G S T R AT E G I C A L LY A B O U T C N C I ( C o m p r e h e n s i v e N a t i o n a l C y b e r s e c u r i t y I n i t i a t i v e )
day every day, going not more than 30 MPH because the road is in such disrepair, and there are bandits all along the road who may hijack our car at any moment; As critical infrastructure, cyberspace has also become a potential environment for novel cyber warfare strategic initiatives and weapons development. Both cyber security4 and cyber warfare, 5 although interlinked and enmeshed, are proceeding apace rapidly and, for the most part, independently; What is different about cyber warfare is that the technologies underlying weapons of mass destruction (WMD) i.e. nuclear, biological, and chemical weapons require access to hard to acquire and often large scale, sophisticated weapons programs. However, cyber warfare weapons, along with other networked technologies such as genetics, nanotechnology, and robotics are widely within the reach of individuals or small groups; Cyber weapons are potentially so powerful that accidents, abuses, and deliberate malicious attacks are capable of producing circumstances whereby, for example, instead of global GDP going from $60 to $240 trillion (in $2005 purchasing power parity) by 2050, it declines to $6 trillion; 6 Thus, we now have the possibility of threats not just of weapons of mass destruction, but of knowledge-enabled mass destruction (KMD) weapons; KMD weapons will most likely use the power of self-replication to amplify their destructiveness by many orders of magnitude. Knowledge alone will enable the use of and destructiveness of these weapons;7 The estimated ongoing operating and maintenance (O&M) costs and repair and replacement (R&R) costs for the nation’s cyber infrastructure is $248 billion annually. 8 On an annual basis, the deferred O&M and R&R costs are approximately $126 billion; Annual network-dependent revenues from the various uses of the network amount to a significant portion of the annual GDP of the nation amounting to approximately, $5,000 billion.9 That is, if the network was crippled and disabled for an extended period of a year or more, the approximate opportunity cost for the nation’s economic output might amount to as much as $5,000 billon;
LYLE A. BRECHT --- DRAFT 1.1--- 410.963.8680 --- CAPITAL MARKETS RESEARCH --- May 24, 2009
PAGE 2 OF 9
T H I N K I N G S T R AT E G I C A L LY A B O U T C N C I ( C o m p r e h e n s i v e N a t i o n a l C y b e r s e c u r i t y I n i t i a t i v e )
The size and ongoing nature of the deferred investments in adequate O&M and R&R for the nation’s network(s) result in a highly vulnerable system that is prone to compromise and partial system collapse; Probabilistic annualized threat estimates of network disruptions or collapse from system-related problems (e.g. cascading failures) due to lack of O&M and R&R = 40%;10 deliberate attack of the national network infrastructure exacerbated by insecure, outdated infrastructure = 30%; emergent causes (black swans) = 20%11 and faults due to natural causes = 10% (earthquakes, tornados, hurricanes, floods, asteroid collision with earth, etc.); Threats to the network follow a power distribution in number and severity of system related threats over time (i.e. only a few threats will be severe and large scale, but potentially catastrophic); Sources of threats to the national network(s) are local, regional, national and international and constitute a national security threat in their severity and cost to the national economy, when they occur at scale; Even with adequate O&M for some portions of the national cyber network, some portions of the network are so vulnerable due to lack of timely R&R, that adequate security of the national network cannot be assured. The fact that these outdated portions of the network connected to the national cyber network creates a situation of heightened vulnerability for all cyber network users; There is a statistically higher probability for catastrophic damage to sectors of the nation’s economy from cyber network failure/collapse due to inadvertent system failures than in deliberate malicious attacks against the national network infrastructure; The inherent vulnerabilities of the U.S. national cyber network to withstand powerful solar storms12 and EMP (electromagnetic pulse) attack13 disruption or shutdown due to inherent system design limitations, as well as from human error introduces another significant level of risk. 14 There is an economic cost ripple effect for inadequate O&M and R&R to the nation’s electricity grid. For example, the entire national cyber system infrastructure relies on clean, dependable electricity sources to function at all;
LYLE A. BRECHT --- DRAFT 1.1--- 410.963.8680 --- CAPITAL MARKETS RESEARCH --- May 24, 2009
PAGE 3 OF 9
T H I N K I N G S T R AT E G I C A L LY A B O U T C N C I ( C o m p r e h e n s i v e N a t i o n a l C y b e r s e c u r i t y I n i t i a t i v e )
Practically speaking, the network’s vulnerability is often determined by the lowest common denominator of present technical capabilities. It is unlikely from a probabilistic perspective, and from a game theory perspective probably undoable, that the network can ever achieve 100% security. That is, there will always be some level of probabilistic risk in the system that is not able to be adequately ‘managed;’ Regularly upgrading network technology is one potential means for managing the risk assessment curve. That is, with each new successive introductions of network technology, there is a high probability that structural and functional security issues will have been addressed. Thus, only known operational security issues will remain until the flaws in the new network technologies become widely known; Normal new technology adoption cycles are typically 15-20 years. A great deal of additional security could be established if these technology adoption cycles were reduced to 7-10 years for system components of the national cyber infrastructure; The opportunity cost of not making the investment to re-engineer and improve the probabilistic forecasts for cyber infrastructure disruption or collapse may result in an Incremental Capital Output Ratio (ICOR) that equates to a loss of about $500 billion in GDP annually, on average. 15 A PROPOSAL FOR A COMMONS-BASED, SMART CYBER NETWORK
Below are a few potential programs/projects that fall out from the above propositions. At most, these program initiatives require further economic vetting, hopefully using PRA measures to prioritize timely work toward deterring the full range of cyberspace threats: A Smart Cyber Network Infrastructure includes two components: (1) a smart national electricity grid16 and (2) an updated national cyber network infrastructure. Potentially, the only reliable and safe means to costefficiently build these smart systems is to declare both the national electricity grid and the national cyber network infrastructure a commons; It is timely to introduce legislation similar to the Federal-Aid Highway Act of 1956 that created the vision and financing mechanism for building the federal interstate highway system. In this case, what the nation needs
LYLE A. BRECHT --- DRAFT 1.1--- 410.963.8680 --- CAPITAL MARKETS RESEARCH --- May 24, 2009
PAGE 4 OF 9
T H I N K I N G S T R AT E G I C A L LY A B O U T C N C I ( C o m p r e h e n s i v e N a t i o n a l C y b e r s e c u r i t y I n i t i a t i v e )
now is a vision that charts out the development of critical national cyberspace infrastructure development over an extended multi-year period and the funding mechanism to accomplish this vision; For the national electricity grid, the federal government could arrange for the investment capital necessary to upgrade this grid to national security standards, and provide all O&M and R&R funds necessary to operate this grid on an ongoing basis until the grid is fully modernized to limit threats from cyber warfare, malicious attacks to the nation’s cyber infrastructure, and collapse due to lack of O&M and R&R. The anticipated initial capital allocated to upgrade the grid to national security standards is $400 to $500 billion over the next seven years to twelve years; For the national cyber infrastructure, the federal government could oversee a network connectivity regulatory program that creates market incentives for organizations/individuals to continually upgrade their cyber network components. The second step will be to create a registry of network ‘connectors’ so that we can assess annual feebates (fees/rebates) based on their timely implementation of cyber network upgrades. Cyberspace should be an environment where the military use of cyberspace is limited by nonproliferation agreements. You may have seen the NYT article on May 28th, “Pentagon Plans New Arm to Wage Wars in Cyberspace.”17 What caught my attention is the notion that cyberspace is considered just another war-fighting domain by the Pentagon: e.g. “We need to be able to operate within that domain just like on any battlefield, which includes protecting our freedom of movement and preserving our capability to perform in that environment.” While the blowback from such loose ‘calculated ambiguity’ talk may be unwanted (e.g. loss of credibility and needed cooperation with the private sector and another very expensive arms race, this time in cyberspace), there are two conceptual problems with this approach to cyber defense/warfare: With cyber weapons, there presently is no countervailing strategic ‘game’ doctrine for cyberspace, like MAD (mutual assured destruction), that has the potential to actually ‘deter’ First Use. The notion that the doctrine of nuclear deterrence can be retrofitted and used to deter cyber attacks is absurd.18 Because cyberspace threats can be initiated easily by privatized transnational groups, without the knowl-
LYLE A. BRECHT --- DRAFT 1.1--- 410.963.8680 --- CAPITAL MARKETS RESEARCH --- May 24, 2009
PAGE 5 OF 9
T H I N K I N G S T R AT E G I C A L LY A B O U T C N C I ( C o m p r e h e n s i v e N a t i o n a l C y b e r s e c u r i t y I n i t i a t i v e )
edge of national governments by rogue elements within the state, and the originating location of the attack readily masked and even transposed to a predetermined DNS, the threat of nuclear armageddon in response appears both unwarranted and unproductive; The notion of attacks and counterattacks in the digital environment are not directly transferable from the analogue environment of conventional war fighting. For example, the development and deployment of offensive weapons in cyberspace have a higher probability of mimicking HIV i.e. the release into the environment a wild-strain retrovirus that cannot be effectively inoculated against than of deterring attacks or ‘punishing’ supposed attackers; NSA use of cyberspace should be limited by thoughtful legislation. A concern is the NSA move from passive listening to communication signals (analogue and digital) and data mining to an active gathering of data in cyberspace through the use of digital agents released into the wild. While I recommended the use of digital agents across the data sets owned by the intelligence community post 9/11 to address certain information pooling problems,19 there is a potential problem with the use of such digital agents to collect data across all of cyberspace. The potential for a serious problem is in the capture of the digital agent by a hostile force and the alteration of the code to infect NSA data stores, as well as other government or private sector data stores. With the potential for selfreplication, and modification of basic code sets, once these sophisticated agents are released in the wild, it may not either be affordable or feasible to turn them off easily; A clearly articulated process to develop capital budgets for protecting cyberspace should be developed ASAP. Presently, the process whereby budgets are decided and funds employed to implement policy across multiple, often competing jurisdictional boundaries is not well thought out. One option is to employ a PRA (probability risk assessment) methodology applied across the cyberspace domain that helps to establish high level policy discourse to set budget priorities analytically. 20 The use of PRA across the entire cyberspace domain will highlight private sector capital investment requirements and spur federal policy that supports making these investments in a timely fashion. 21 Otherwise, the policy coordinating function may have difficulty against agency budgeting by the
LYLE A. BRECHT --- DRAFT 1.1--- 410.963.8680 --- CAPITAL MARKETS RESEARCH --- May 24, 2009
PAGE 6 OF 9
T H I N K I N G S T R AT E G I C A L LY A B O U T C N C I ( C o m p r e h e n s i v e N a t i o n a l C y b e r s e c u r i t y I n i t i a t i v e )
politically powerful for ideas that are topical (or popular), the private sector will be left to their own devices, and we will be in reactive mode as crises (real or perceived) materialize. If a PRA was performed for the cyberspace domain, we may discover that: ~90% of cybersecurity resides in the private sector and the task will be to establish polices that promote rapid technology adoption and capital investment at scale; more than 80% of the annual $20 billion military budget for cyber warfare might be best allocated toward defensive cyber weapons and much of that should be allocated to infrastructure upgrades and end user training. Thus, much of the cyber warfare outsourcing work by the Pentagon may not be well formulated nor money well-spent; the greatest achilles heel to cyberspace may be the current design and physical shape of the national electricity grid, problems that will not be solved by Band-Aids, and that the grid’s digital switches need to be secured not only from anomalies, but also from solar storm spikes and EMP in order to be secure; we probably do not yet have our arms around the full range of large scale structural risks of cyberspace.22 Essentially, its like 1980 and the USEPA has noticed that enforcement of NPDES permits for point source pollution is not producing clean water. The bigger problem than the 40,000 point source attacks in cyberspace, is non-point pollution-like potential for system collapse from Black Swan-like sources, an emergent problem based on that we are dealing with a complex system whose behavior and expression of full properties over time are non-linear. Thus, many of the policy frameworks, policy coordination, and cyberspace protective initiatives presently identified or proposed do not go far enough to address the threats to cyberspace that may/will be encountered over time.
ENDNOTES The “presence of chaos in a system implies that perfect prediction... is impossible not only in practice but in principle.” See Melanie Mitchell, Complexity: A Guided Tour (Oxford & New York: Oxford University Press, 2009), 13, 15, 20, 23, 33. 1
LYLE A. BRECHT --- DRAFT 1.1--- 410.963.8680 --- CAPITAL MARKETS RESEARCH --- May 24, 2009
PAGE 7 OF 9
T H I N K I N G S T R AT E G I C A L LY A B O U T C N C I ( C o m p r e h e n s i v e N a t i o n a l C y b e r s e c u r i t y I n i t i a t i v e )
Resilience is understood here as the “ability of networks to maintain short average path lengths in spite of the failure of random nodes” (Mitchell, 257). 2
Developed as a national critical infrastructure initiative in 1956 during the Dwight D. Eisenhower administration. 3
“In January 2008, President George Bush signed National Security Presidential Directive 54/ Homeland Security Presidential Directive 23 — more commonly known as the Comprehensive National Cybersecurity Initiative (CNCI). The CNCI recognizes that cyber security must be elevated to a level of importance on par with an organization’s core functions and missions. It emphasizes that cyber security is a leadership responsibility, not just a function of the Chief Information Officer and information technology staff. And it acknowledges that effective cyber security is multidimensional, multifaceted, and actively involves the entire organization.” 4
Either force or counter-force measures applied with the frame that cyberspace is just another ‘war-fighting environment.’ The subtext typically assumes that ‘National Defense’ means force projection and is based on Deterrence Doctrine, which today relies on fundamentally on U.S. Nuclear Posture. 5
6
Global GDP estimate is from U.S. Central Intelligence Agency.
Bill Joy, “Why the future doesn't need us,” Wired (June 2008) at http://www.wired .com/wired/archive/8.04/joy_pr.html. 7
All numbers in this draft are placeholders, requiring additional analytical work for accuracy. 8
This amount is the estimated network dependent productivity of the national economy out of $14.29 trillion total 2008 GDP for the U.S. 9
10Although
there has been undue focus on malicious threats to the nation’s cyberspace, what may be a more serious and likely reason for LOSE (Loss of Service Event) and LODE (Loss of Data Event) incidents are risks from cascading failures where the failure of one node causes the failure of other nodes (Mitchell, 257). 11Emergent
behavior is difficult to predict from an analysis of the system and its components. 12The
consequences of a future solar storm like the Carrington Event of AugustSeptember 1859 are extensive and involve a range of potential economic impacts not unlike a major Force 5 hurricane or tsunami that could cripple the present national electricity grid for an extended period. See National Research Council, “Severe Space Weather Events--Understanding Societal and Economic Impacts Workshop Report” (NASA, 2008). 13See
Dr. William R. Graham, et. al., “Report of the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack, Volume 1: Executive Report (2004).”
LYLE A. BRECHT --- DRAFT 1.1--- 410.963.8680 --- CAPITAL MARKETS RESEARCH --- May 24, 2009
PAGE 8 OF 9
T H I N K I N G S T R AT E G I C A L LY A B O U T C N C I ( C o m p r e h e n s i v e N a t i o n a l C y b e r s e c u r i t y I n i t i a t i v e )
The national electricity grid, 164,000 miles of high-voltage transmission lines and 5,000 local distribution networks is outdated, highly vulnerable, inefficient, and unsuitable for fluctuating renewable power sources. 14
A metric that measures the marginal amount of investment capital necessary for an improvement in the national economy’s level of production efficiency. 15
From an overall systems perspective, the #1 ‘threat’ I determined was with the electricity grid itself. There is no way I could make the national cyber defense secure, over time, with the present national electricity grid. 16
17http://www.nytimes.com/2009/05/29/us/politics/29cyber.html?
_r=1&th&emc=th Gen. Kevin Chilton, the head of U.S. Strategic Command, said “I think you don’t take any response options off the table from an attack on the United States of America,” Chilton said. “Why would we constrain ourselves on how we respond?.... “I think that’s been our policy on any attack on the United States of America.... “And I don’t see any reason to treat cyber any differently.” (“U.S. General Reserves Right to Use Force, Even Nuclear, in Response to Cyber Attack,” Global Security Newswire May 12, 2009). 18
19http://www.pdfcoke.com/doc/9862402/Homeland-Security-Data-System-
Schematic-August-2002 Probabilistic Risk Assessment (PRA) is an analytical process that begins with two system design counterfactuals: (1) the magnitude (severity) of the potential adverse consequences of system failures; and (2) the likelihood (probability) of the occurrence of each potential consequence. The objective is not as a predictive exercise, but as a disciplined descriptive process that may identify and highlight budget requirements for a secure national cyberspace environment. 20
My thought is that strategic policy analysts such as at BAH and SCIC might be able to perform this work. 21
A recent example of not addressing structural risk is the use of CDO (collateralized debt obligations) financial instruments by Wall Street. These instruments’ individual risk was hedged via complex. financially engineered derivatives, but the structural risk to the entire CDO market was not managed. Thus, the Federal government has pledged, lent, provided guarantees, and provided tax relief to the tune of $11,000 billion since 2008, and the collapse of the CDO market has produced $50,000 loss of value in financial assets worldwide to date. 22
LYLE A. BRECHT --- DRAFT 1.1--- 410.963.8680 --- CAPITAL MARKETS RESEARCH --- May 24, 2009
PAGE 9 OF 9