Editor’s Note: On November, 12, 2013 Ian Wallace spoke on
“The Military Role in National Cybersecurity Governance” at the Seoul Defense Dialogue
in South Korea. This presentation began one of five panel discussions at the Dialogue, featuring civilian defense experts and senior officials from 24 countries around the Asia-Pacific region and beyond. This is an edited version of the paper written for the Dialogue program book.
Cybersecurity – A New Challenge for Governments
The emergence of sophisticated information systems has transformed the world. But it has also created a major new challenge for governments. Cyber threats do not fit easily into the traditional security framework that now exists in most modern states. Under that model, law enforcement has evolved to protect us from threats within our society, while militaries have evolved primarily to protect from external threats (accepting that the extent to which the military is involved in domestic affairs varies from state to state). However, cyber threats often come from overseas, making it difficult for law enforcement to deter or punish them. Yet, as argued below, such threats rarely rise to the level that would warrant a military response. New approaches are required, and none of them are straightforward. Yet, how governments respond to those challenges will have international as well as domestic implications. The appropriate role of the military is central to this.
Understanding The Threat
The first challenge is to understand the nature of the threat. This includes acknowledging that there is a major difference of perspective within the international community between those states that prefer to talk about “information security,” including protecting citizens from what they consider harmful content, and others states that focus on “cybersecurity,” a narrower subset of information security. That is the security of electronic systems that carry the information. This paper focuses on cybersecurity, which is of course relevant to all.
Appreciation of the fact that not all “cyberattacks” are similarly motivated is essential to thinking about how government might address those threats. Different scholars use different taxonomies to describe the range of threats, but I prefer to use one adapted from the work of King’s College, London’s Dr. Thomas Rid. This breaks down the threat to “espionage,” “subversion,” and “sabotage,” as well as “cybercrime” and – only in very limited circumstances – “cyberwar.” I do not completely accept Rid’s argument that cyber war “will not take place,” but in any case this way of thinking about the issue points to the undoubted fact that the vast majority of cybersecurity breaches fall below the threshold that in the physical world we would call an “act of war.” The difference between these categories can be minimal – once inside a system, the difference between espionage and sabotage can be as little as a few keystrokes – but the difference is important, both legally (as described in the recently published Tallinn Manual) and politically. In other words, a military response is often not the best, or even a legal, response to a cyberattack.
Use of the Military for Cybersecurity: Pros and Cons
This does not mean that cyber threats below the level of “war” should not be taken seriously. But it also raises the question of the appropriateness of using the military to address such threats as sabotage, subversion, and especially espionage and crime.
Former Brookings Expert
Senior Fellow and Co-Director, Cybersecurity Initiative - New America
There are undoubted attractions to using the military in such a role. Most serious militaries have some cyber capability (or aspire to develop one), both to support the fighting on the battlefield and to defend their own systems during peacetime. Very often militaries provide nations’ national signal intelligence, and as such, the information that underpins the most sophisticated cyber operations. More generally, militaries are mission-oriented: they are often better resourced than other arms of government; and they are structured to develop the personnel required – all exactly what you would want for an effective cyber defense force.
Nevertheless, overuse of the military presents challenges, too, for at least two reasons. The first is the practical risk of creating a “crowding-out” effect. Cyber threats are not going away. On the contrary, they are proliferating at a dramatic rate, in part because we are making more and more use of information systems. For that reason, cybersecurity will need to be a discipline that everyone in a country takes seriously, not just something that citizens and private companies can expect to outsource to the military. Any country that depends too heavily on the military for cybersecurity will likely find itself reducing the incentives for the private sector to develop longer-term solutions.
Second, but of no less concern, is the risk of militarizing a major new aspect of domestic security, which in many countries would be considered a very bad thing. In order to achieve truly effective cybersecurity it is necessary to be permanently operating on the defended systems. Few private sector companies are likely to welcome such hands-on assistance from the military, not least because they may well feel that they are better placed to defend their own networks.
Central to the question of the role of the military in “defending the nation” against cyber threats is what else governments can do. Traditionally, the other institution that provides security is law enforcement. Police and other law enforcement agencies are often constrained by the laws under which they operate and the challenges of developing cases that lead to successful prosecutions. However, in recent years innovative agreements such as the European Council’s 2001 Convention on Cybercrime (now with 50 signatories across every continent) have made it harder for cyber criminals to avoid justice by basing themselves outside the country they are stealing from. Meanwhile, law enforcement like the U.S.’s Federal Bureau of Investigation are working with international colleagues and major companies like Microsoft to disrupt the very worst criminals (such as the takedown earlier this year of the Citadel network botnet used to steal over $500 million from bank accounts).
Another potential approach for the government is to support the private sector in providing its own security. This can be as simple as creating an appropriate incentives structure for information-sharing between companies or raising basic cybersecurity standards (sometimes through government regulation). This might also involve more practical help, like sharing secret intelligence with private sector companies, to improve their defenses and allow Internet Service Providers to screen out known malware.
It could also involve licensing the private sector to respond to intrusions themselves, so-called “hacking back.” Currently the law in many countries does not permit hacking-back and for good reason, namely the risk of inadvertently putting their own countries on an unwanted and escalatory path towards conflict. But such approaches have strong advocates and may gain traction in future. More positively, government might support the establishment of additional Computer Emergency Readiness Teams (CERTs) to coordinate incident response by the private sector.
Cyber National Security Threats Short of War
In practice, therefore, the appropriate level of military involvement needs to be informed by both the dangers to national security and the alternatives available (including the risk of misemploying the military). Each nation will face different considerations. The result, however, might look something like this:
- The theft of information from government and defense contractors probably ranks as the most serious threats to national security, and as such, would almost certainly justify some government action. There are various possible motivations for such intrusions, including a commercial one, but they also represent a compromise of future military effectiveness (especially if the intruder is a potential adversary or is willing to give/sell their information to one).
- The potential for a devastating attack critical on national infrastructure (including the finance, energy, transportation, communications and other economic sectors vital the life of a nation) is another grave concern, although arguably less immediate a threat than the theft of national security secrets. While the military might be expected to be ready to support a response to an attack, in most countries some proportion of critical infrastructure is in private hands making military approaches less practical or acceptable. This is an area where the government’s best approach might be use of economic incentives, including regulation to improve security levels.
- Commercial espionage, either of intellectual property or sensitive business information, is another area where military approaches might not be appropriate. However, given the potential economic impact, especially when state-backed Advanced Persistent Threat techniques are used, this type of activity has the potential to significantly destablize international relationships. Governments could then resort to sanctions or, if under pressure, to licensed private responses.
- Fourth, there is the threat of cybercrime. Although not a direct threat, it could develop into one if left unchecked because of the potential for terrorists or states to leverage criminal networks. This is generally not a role for the military but rather for law enforcement. Their challenge is deciding whether to disrupt the criminal or to seek prosecutions.
Cyber Issues for Governments to Consider
What this all means, of course, is that governments all over the world face major decisions about how they use their military in the course of building their national cybersecurity strategies. Considerations will need to include:
- Given all the variables, how involved should the military be in national cybersecurity?
- Given the factors in play, how should governments balance their cybersecurity investments across the military, law enforcement and the private sector?
- How, if at all, should the military be used to support the private sector?
- What can be done to facilitate international cooperation by non-military parts of the government?
- How can diplomatic initiatives reduce the need for the military to be used in domestic cybersecurity?
- How can government act to avoid international disputes over cyber issues (e.g. responses to Edward Snowden’s revelations about the activities of the U.S. National Security Agency) that undermine cooperation on cybersecurity?