President Barack Obama ran on “change we can believe in”–and he and the media will take the opportunity in this week’s State of the Union address to assess his response to the global economic crisis and rebuilding America’s health insurance system. But there’s a quiet change happening in his role as Commander-in-Chief, too–one you won’t likely hear much about in Tuesday evening’s address. Slowly, with very few observers noting it, Obama has become our first cyber-war president.

advertisement

advertisement

As popularly described in media and politics, “cyber war” includes discreet information gathering, prolonged economic sabotage, and pinpoint attacks against the infrastructure of rival states–through the Internet and allied technologies such as USB stick-sharing. It would be more accurate to call it the widespread-eavesdropping-surveillance-and-infrastructure-disruption-conducted-through-radically-time-and-money-saving-tools war. So … “cyber war” it is. Related:

Cyber Wartime President Obama’s Executive Order Enlists Private Businesses Although limited incidents of cyber war took place during the George W. Bush and even the Bill Clinton years, the past five years have seen an exponential growth in cyber warfare. Since at least 2009, American businesses and the government, to a degree, have been dealing with sustained electronic threats and deploying Internet weaponry against enemies abroad. U.S. Cyber Command (CYBERCOM), the military command responsible for the bulk of America’s defensive and offensive cyberwar efforts, is receiving a 500% manpower increase. Between 2014 and 2016, the Pentagon expects to add thousands of new billets–the exact number is still unknown–to the 900 service members currently assigned to CYBERCOM. CYBERCOM is tasked with a staggering array of tasks designed to secure America’s online infrastructure; this ranges in real life from detecting and patching security holes in critical infrastructure such as banking and utilities to creating new network defenses for the military’s sprawling computer systems. Troops at CYBERCOM also engage in offensive warfare and reportedly work on both worms and cyber attacks that can be combined with traditional airstrikes or special operations missions. The hiring increase at CYBERCOM indicates military concern over infrastructure weaknesses, outside observers say. Siobhan MacDermott, Chief Policy Officer at Czech security firm AVG, tells Fast Company that the reconfiguring was primarily defense-oriented. “We are probably talking about beefing up CYBERCOM’s defensive capability rather than offensive capability. The latter has long been the emphasis of DoD cyberwarfare planning. I’m not sure that this signals a shift in doctrine, but it may suggest an appropriately urgent awareness of vulnerability,” MacDermott says. The CIA maintains a venture capital arm, In-Q-Tel, which invests in startup companies that serve the short-term needs of the U.S. intelligence community. But neither government nor the president will win the cyber war without help from beyond its borders or the private sector. Government as an institution is often too slow, too risk-averse (and thus not innovative enough), and too responsible to its public to match tactics of attackers who often swear no official national allegiance and don’t play by any rules of engagement. Foreign intelligence agencies and militaries also allegedly have less nervousness recruiting foreign cyber criminals to their side than the United States. Both Russia and China outsource cyber attacks to their own criminal undergrounds. In addition, Russia and China (along with Israel and Iran) have been willing to recruit former black hat hackers to their own intelligence and military services. By comparison, the United States has been far less willing to bring criminal hackers into the fold. The military is aware their cyber-war recruitment efforts have been hampered by mandatory background checks, but institutional culture at the military is unlikely to change. During the Obama administration, the United States constructed a robust information assurance recruitment scheme that funnels talented information assurance wizzes straight to the NSA after university. The NSA has even created YouTube promotional videos to steer security whizzes to Fort Meade instead of higher-paying and less bureaucratic private sector jobs.

advertisement

Still, Howard Schmidt, President Obama’s former Cyber-Security Coordinator, told an audience of information security professionals and journalists at a Kaspersky Labs New York conference in January that the line between cyber war and cyber crime is blurred (as the National Intelligence Estimate seems to indicate), making U.S. government response tricky. Schmidt also claimed that unnamed foreign governments take kickbacks from the earnings of local cybercriminals targeting American corporations in a sort of quid-pro-pro for letting them operate. While Schmidt dislikes the use of the term cyber warfare–in a panel conversation with CEO Eugene Kaspersky he claimed the term is misleading–he also warned that malware is easy to militarize. Kaspersky, meanwhile, was accused of ties to the Russian government by Wired‘s Noah Schachtman in 2012. The accusations were denied, however, in a long blog post by Kaspersky. In an October speech, outgoing Defense Secretary Leon Panetta warned of a “cyber-Pearl Harbor.” Panetta claims America’s electronic infrastructure is poorly protected and includes gaping security holes throughout the electric grid, the transportation system, financial networks, and in the federal government’s own computer networks. Although rarely publicized, cyberattacks against critical American assets–especially those in the banking sector–are commonplace. The newly released 2013 National Intelligence Estimate claims that China in particular is engaged in mass-scale cyberattacks against American interests for economic purposes, but that Russia, Israel, and France engage in hacking attacks against American corporations in much smaller amounts. At an October 2012 presentation organized by security trade publication SC Magazine, former NSA Deputy Training Director Col. Cedric Leighton told the assembled crowd that businesses needed to treat cyber attacks as a serious threat, and to be aware of developments in cyber warfare against government, military, and intelligence entities. “Awareness about what is going on around you in the IT world is critical,” Leighton said. So if big government can’t win the win the cyber war, who can? Private companies, some of whom are funded by government capital. America’s information assurance industry is booming, with jobs available domestically at nearly every major corporation, many smaller companies dealing with sensitive industries, and at a host of contractors and consulting services. While American companies are mum talking about it, cyber espionage, Internet-enabled theft, and snooping are a fact of life. As attacks such as the recent anti-bank Thor malware become more commonplace, the cost of cyberattacks will be passed on to customers just like Walmart and Target already factor in the cost of shoplifting. In the looming cyber war, the definition of contractors could take on a completely different connotation from the one left with the public by private security forces Academi, Xe, and Blackwater in Mideast conflicts. The new digital security forces are on the front lines of the cyber war, both through their protection of critical private American infrastructure and through their ties to government agencies. Security outfit Mandiant recently made news for helping the New York Times repel systematic attacks by Chinese hackers, and mysterious new outfit Cylance, which launched last year, recently hired four well-known experts in power plant and energy infrastructure security. Other new firms, such as TaaSera, specialize in protecting the financial sector. In short, the need for information assurance and robust anti-hacker defenses is a growth industry spurring a ton of startups. It’s also a growth industry which is protecting America’s critical infrastructure from a staggering array of digital attacks.

advertisement