As though we don't have enough to be afraid of already, what with armed lunatics mowing down military recruiters and doctors, the H1N1 flu virus, the collapse of bee populations, rising sea levels, failed and flailing states, North Korea being North Korea, al-Qaeda wannabes in New York State with terrorist aspirations, and who knows what else -- now cyberjihadis are evidently poised to steal our online identities, hack into our banks, take over our Flickr and Facebook acccounts, and create havoc on the World Wide Web.
Late last year, in a 96-page report, Securing Cyberspace for the 44th Presidency, the Center for Strategic and International Studies (CSIS) warned that "America's failure to protect cyberspace is one of the most urgent national security problems facing the new administration." In a similar fashion, Dr. Dorothy Denning, a cybersecurity expert at the Naval Postgraduate School, has just described the Internet as a "powerful tool in the hands of criminals and terrorists." And they're hardly alone.
To this fear chorus, our thoughtful, slow-to-histrionics President added his voice in a May 29th East Room address:
"In today's world, acts of terror could come not only from a few extremists in suicide vests but from a few key strokes on a computer -- a weapon of mass disruption... This cyberthreat is one of the most serious economic and national security challenges we face as a nation."
Uh-oh, and as we know, cybercrime is already on the rise. According to the president, the U.S. experienced 37,000 cyberattacks in 2007, an 800% increase from 2005. He referenced a study estimating that cybercrime has cost Americans $8 billion in the last two years. A trillion dollars worth of business information has reportedly been stolen from the corporate world.
For Barack Obama, cybercrime is personal. During his bid for the presidency, someone hacked into his campaign's secure network and gained access to sensitive strategy documents and calendars.
Last year, a malicious computer virus hit the U.S. military, infecting thousands of computers and forcing soldiers to give up their thumb drives, changing the way they share information among computers. The Pentagon claims it fended off some 360 million attempts -- yes, you read that right! -- to break into its networks last year alone, a monumental leap from a "mere" 6 million tries in 2006.
In one such attempt, cyberspies hacked into the F-35 Joint Strike Fighter project, the Air Force's most advanced and, at $300 billion, most expensive jet fighter under production. According to the Wall Street Journal, they "compromised the system responsible for diagnosing a plane's maintenance problems during flight." In April, Defense Secretary Robert Gates told 60 Minutes' Katie Couric that the U.S. is "under cyberattack virtually all the time, every day." The Pentagon recently admitted that it spent $100 million in the past six months repairing damage caused by cyberonslaughts.
Cyberczar to the Rescue
In his speech, President Obama also insisted that help was on the way as he announced the establishment of a new Cybersecurity Office within the White House. It was, he assured Americans, meant to coordinate all government activities to protect U.S. computer networks, while promoting collaboration among a confusing landscape of federal cybergroups with "overlapping missions." Our digital infrastructure, he said, was the "backbone that underpins a prosperous economy and a strong military and an open and efficient government." As such, he proclaimed it "a strategic national asset," which meant that "protecting it is a national security priority."
All will be better, promised the Blackberry President, once his cyberczar, or "cybersecurity coordinator" is selected. "I will personally select this official," he pledged. "I'll depend on this official in all matters related to cybersecurity and this official will have my full support and regular access to me as we confront these challenges."
Keep in mind that the president is more than a little czar crazy, perhaps because the vague post of czar (of whatever) turns out not to require confirmation from a somewhat slow and balky Senate, even as it brings instant attention to some new aspect of his mega-agenda. He has already picked his Border Czar, Drug Czar, Counterterrorism Czar, Urban Affairs Czar, and Climate Czar, just to name a few. Foreign Policy counts a staggering 18 Obama czars in all. His still unnamed cyberczar will report to the National Security Council and the National Economic Council.
Many of these new czars have offices within the White House from which they can (theoretically) oversee policy, coordinate among agencies, streamline decision-making, and give a particular issue or area added weight and prominence. In reality, such appointments historically tend to put yet another cook in a chaotic kitchen, while adding a new layer of bureaucracy to already jumbled layers of the same. As Paul Light, a government professor at New York University, told the Wall Street Journal, "There've been so many czars over the last 50 years, and they've all been failures. Nobody takes them seriously anymore."
I feel better already! Except I do have a small question: How did the word "czar" morph from the title of a discredited autocrat half a world away to the description of a supposedly influential White House official? And why are all these czars jostling for power and order in a democratic government?
That aside, web-surf is up! And here's the good news: the United States is not just playing cyberdefense. Admittedly, the administration's plan for cyberoffense -- you know, to hack into networks not our own -- did not get as much news buzz as the cyberczar, but don't be fooled: the military is already on the job, mounting an invasion of a whole new territory, cyberspace!
The New Nightmare: Preparing for Cyberwar
Yes, the Pentagon sees cyberspace -- that expansive online constellation of worlds that never sleeps even when our computers are off -- as another battlefield terrain no different from the mountains of Afghanistan or the cities of Iraq (except that maybe on virtual battlefields we can actually win).
In an exhaustive 350-page look at U.S. cyberattack capabilities put out in April 2009, the National Research Council's Committee on Offensive Information Warfare concluded that "enduring unilateral dominance in cyberspace is neither realistic nor achievable by the United States." Despite that cautionary word, this very month the Pentagon has moved to establish a new Cybercommand that won't shy away from either the word "unilateral" or "dominance." CyCom, as it's already known, will "develop cyberweapons for use in responding to attacks from foreign adversaries" under the direction of Lieutenant General Keith B. Alexander, who will add another star to his three in the move from the National Security Agency to his new command.
In pursuit of the elusive, impossible dream of unilateral dominance in cyberspace, Defense Secretary Gates is looking to more than quadruple the number of cyberofficers by 2011; and though he didn't put a dollar figure on it, as the military services all rush to add "cyber" to their portfolio, the monies are going to add up fast. How much? Kevin Coleman, a consultant to the U.S. Strategic Command, which will house CyCom, estimates between $50 billion and $70 billion a year for cyberactivities in future Pentagon budgets.
Sounds good! But here's what I want to know: Can my avatar have long black hair, knee-high boots, and the pass codes to access some of those billions?
As it happens, cyberwar was a Washington preoccupation under President George W. Bush, too. Last year, his Director of National Intelligence Mike McConnell warned that a cyberattack on a U.S. bank "would have an order of magnitude greater impact on the global economy" than September 11, 2001, and he compared the potential ability of cybercriminals to threaten the U.S. money supply to a nuclear weapon. How do you fact-check such scare chatter, especially now that the global economy has proved itself quite capable of imploding with devastating impact without a cyberattack in sight?
No matter. Rest assured of one thing: even before the first bot is shot, a down-and-dirty, low-intensity conflict is already well underway. Think of it as a turf war with a twist.
At the moment, cybersecurity activities and responsibilities are spread across the Department of Defense, the Department of Homeland Security, the Office of Management and Budget, and an alphabet soup of intelligence agencies, all claiming cyberspace -- with its secret codes and captured data -- as their own. And then there are the uniformed military services: the Navy, Air Force, and Army, all worried about the budgetary future, are desperately interested in securing a large slice of the cyberpie.
When you survey the cyberlandscape, maybe President Obama is right. It could take a veritable Peter the Great of czars to impose a workable structure on the existing labyrinth of competing and proliferating cyberbureaucracies.
Among them all, the Air Force has been the most proactive and aggressive. They just established the 24th Air Force, a new numbered wing, just for the cyberwarfare mission. It will be based in San Antonio, Texas, thanks to Republican Senator Kay Hutchinson, who aggressively courted the Air Force with Texan hospitality. In a press release celebrating her acquisition, Hutchinson bragged that the move will make "San Antonio a key component of our national strategy to defeat the cyber threat."
In mid-May, Major General William Lord, the provisional head of AFCyber, played host to military-industrial representatives, telling them that the "cyber arena is filled with new business opportunities." Cyberspace is, he suggested, new territory and he called on Lockheed Martin, Raytheon, and other high-tech military firms to seize the day. ("We can't do this without you.")
He needn't have said a word. Like the proliferation of competing agencies, the formation of a cybermilitary-industrial complex (made up mainly of the giant corporations already in the non-cyber version of the same) is quite predictable. In fact, it's already starting to happen. After all, the new cyberspace mission promises more than just Top Gun excitement; it will be worth billions of dollars in a quickly shifting security environment.
As early as 2005, the Air Force saw the light on this one, and losing ground to the Army, Navy, and Marines in the boom-times of the Global War on Terror, began moving into cyberspace. It's never stopped. As Lewis Page, a defense correspondent for the Register, a British online tech magazine, points out: "The Air Force's traditional business of operating expensive manned aircraft has been somewhat undercut of late by the proliferation of much cheaper flying robots often operated by the Army, Navy or Marines."
In the fight for the future cyberbudget, then, the Air Force's enemies "are not so much terrorists or sinister foreign powers as the other U.S. Armed Services," writes Page. With new relevance, of course, come new funds. As a start, when the Air Force sent its $143.8 billion budget request for fiscal year 2009 to Congress, it tacked on a list of as yet unfunded budget requirements, including nearly $400 million for cyber-related equipment and activities.
The Navy is now in on the game, too. It naturally established a Naval Cyber Forces Command because, as it likes to say, "cyberspace has become the global battlespace." According to Government Executive, the Navy plans to appoint a three-star Vice Admiral to head its new cybercommand, outranking the Air Force's top cyber flyboy.
Not to be outdone, the Army has set up its own cyberoutpost: the Network Warfare Battalion. Its 2009 Posture Statement asserts that its troops are "executing cyberspace operations" against "a significant and growing cyberthreat" and concludes that, in order to "maintain our dominance in cyberspace, the Army will continue to grow our abilities to better defend our own networks and have capabilities in place to conduct network warfare against adversary networks."
The initial loser in the great cyberbattle appears to be the Department of Homeland Security, that bureaucracy for our old fears. Established in the wake of September 11, 2001, it quickly became a Frankenstein-like mess of more than 22 agencies, on which the Bush administration also downloaded responsibility for cyberoperations. Now, however, it is getting consistently low marks for cybersecurity from places like CSIS and the Government Accountability Office. "Oversight for cybersecurity must move elsewhere," is what James Lewis, senior fellow at CSIS, told Congress.
Industry Logs On
The true beneficiaries of the military's cyberturf war are sure to be the major Pentagon contractors that have been positioning themselves to absorb Washington's new cyberdollars just as they have absorbed war dollars, terror dollars, and homeland-security dollars. Lockheed Martin, Northrop Grumman, and General Dynamics have already launched a frenzy of buying in the area, gobbling up smaller tech companies and courting cyberinnovators. In 2007, for instance, Northrop Grumman purchased the Essex Corporation, a cybertech company, which CEO Ronald Sugar says has "grown significantly" since then.
Military contractors have also been taking on hordes of "cyberninjas" to learn more about hackers. These young laborers have landed in one of the few sectors of the economy hiring these days. A recent New York Times description of their work environment should be enough to set screenwriters' pens twitching.
"At a Raytheon facility here south of the Kennedy Space Center, a hub of innovation in an earlier era, rock music blares and empty cans of Mountain Dew pile up as engineers create tools to protect the Pentagon's computers and crack into the networks of countries that could become adversaries. Prizes like cappuccino machines and stacks of cash spur them on, and a gong heralds each major breakthrough."
The Only Thing We Have to Fear Is [Fill in the Blank]
Is the United States really in a hypercrisis that warrants putting the word cyber in front of everything and multibillions more in the pockets of military-industrial corporations?
If you listen to official Washington today, the answer is a resounding yes. But is the real threat any more insidious than malware and botnets? Is it really life and system threatening? Is it where we really want to invest our money?
Without a doubt, cybercrime -- and even cyberterrorism -- pose actual dangers. But listening to all the scare-talk about cyberwar, we tend to forget that the most gruesome wars today are being fought with machetes, AK-47s, and crude improvised explosive devices fashioned out of repurposed walkie-talkies. The fact is that some of the most devastating wars of the future will be fought over food, water, and land, not to speak of religion, and those engaged in their brutal, messy battles will probably never log on to a computer or download a file.
Certainly, cyberterrorism is a novel and sexy label, grist for next year's high-budget movies and summer pulp fiction. But in Washington it's likely to turn out to be little more than a new catchword in a predictable drama of contracts, turf, and corporations, of agencies and military services intent on capturing taxpayer dollars and winning or losing intra-bureaucratic wars.
The story of how politicians, the Pentagon, and contractors conspire to inflame our fears with well-hyped threats of future cataclysm and then offer high-tech, highly bureaucratic, unbelievably expensive solutions that result in lots of weapons contracts, lots of corporate/military conferences, a few blue-ribbon studies, but no significant threat reduction is really the story of our time.
And when this threat wanes, or simply starts to look more real and a lot less cataclysmic, it's time, of course, to bring out the next boogeyman.