
March 13, 2014  

Cyberspace: What is it, where is it and who cares?

Signal and military intelligence NCOs watch for network attacks at the Army's Cyber Operations Center at Fort Gordon, Ga. (Army/Michael L. Lewis)

By Brett Williams

Assured access to cyberspace is a key enabler of national security, so the answer to the question in the title is: we should all care. Two of the defining characteristics of a strong, modern, industrial nation are economic prosperity and a credible defense. The ability to use cyberspace has become indispensable to achieving both of these objectives.

Business and finance executives, as well as senior defense leaders, rely on cyberspace for exactly the same thing—to get information, move information and use information to make better decisions faster than the competition. Despite the importance of cyberspace, there continue to be senior leaders in both the private and public sectors who find themselves ill-equipped to deal with critical cyberspace issues. It is not uncommon to find that these leaders are comfortable providing strategic guidance regarding operations, resource allocation and personnel management across all of their areas of responsibility with the exception of cyberspace. There tends to be a lack of shared understanding between senior personnel who know they need cyberspace to be successful and the technical staffs charged with securing the networks, services and applications that make the organization run. The danger with this dynamic is the potential for de facto delegation of critical decisions to technical experts who do not have the education, training or experience to serve as senior leaders.

Cyberspace is complex, hard to visualize and — to many people — an esoteric concept that they do not need to comprehend. The best way to approach cyberspace at the executive level is to understand that cyberspace adds a new dimension to both economic competition and politically driven conflict, but the existence of cyberspace does not require a fundamental change in our strategic approach to either. This is a difficult premise to accept because “experts” have done a great job of advocating that cyberspace can only be understood by the most technically advanced among us. Becoming overly focused on the technical dimension, however, creates strategic inversion where the most senior leaders become inappropriately engaged with the tactical and technical details to the detriment of effective decision-making. Our senior executives and leaders do need to get a lot smarter about cyberspace, but they do not personally need the skills to configure a router or break an encrypted password. This article provides an executive overview of five cyberspace topics that may be useful to stimulate further exploration by those charged with providing and sustaining economic prosperity and national defense.

What is it?

Words matter. Routine misuse of the word “cyber” is one reason we do not have a common framework for discussing cyberspace. Cyber should not be used as a verb nor should it be used as a noun that can stand on its own. Saying “cyber” should not automatically connote a cyberspace attack nor should it drive one immediately to assume that cyberspace activity is all about spying, espionage, crime or challenging our right to privacy. The term cyber is most useful as part of the compound word cyberspace and cyberspace is simply the man-made domain created when we connect all of the computers, switches, routers, fiber optic cables, wireless devices, satellites and other components that allow us to move large amounts of data at very fast speeds. As with the physical domains—land, maritime, air, space—we conduct a variety of activities in cyberspace to benefit individuals, commercial entities and governments. The key difference between cyberspace and the physical domains is that cyberspace is man-made and constantly changing. That characteristic offers both opportunities and risk.

Part of the global commons

Cyberspace should be classified as a dimension of the global commons. Viewing cyberspace as part of the global commons sets the stage for a number of useful analogies that facilitate the development of policy, domestic and international law, safe operating procedures, individual rights, commercial use, national interests and myriad other issues that we have worked through for the maritime and air domains. Establishing and enforcing accepted norms for operating on the high seas and in domestic and international airspace is a process that never ends. Technology changes, political interests evolve and competition for resources is continuous. Territorial rights in the South China Sea and debate on the use of remotely piloted aircraft for personal, commercial and government use are examples of how governance of the “legacy” global commons requires constant attention. Cyberspace requires an analogous governance mechanism to define and protect individual, business and nation-state rights. Some of the challenges to creating an accepted governance structure are the ubiquitous nature of cyberspace, the fact that access to cyberspace for good or evil can be cheap and non-attributable and, as opposed to the static nature of water and air, the cyberspace domain itself is in a perpetual state of change. We do not need to start from scratch with this work. In the maritime and air domains we have defined roles and responsibilities for all of the users and at times they intersect. Countering piracy is a good example. Individual boat owners and commercial shipping companies require the freedom to operate on the high seas. They are expected to take prudent measures to protect themselves, but at some point the threat exceeded the capability of the private sector and national naval forces stepped in to curb piracy off the African coast. There are clear analogies to the piracy problem when we define roles and responsibilities in cyberspace for individuals, private entities and states.

Arguably, current concerns over government dominance of cyberspace are overblown. The fact is no single entity can control what goes on in cyberspace and we need both law enforcement agencies and military organizations to have access to cyberspace in order to protect and enable the free, legitimate use of the domain.

The threat

The opportunity for cheap, anonymous access to cyberspace creates an inviting environment for a broad spectrum of malicious activity. The threat commonly manifests itself in the form of cybercrime where individuals or specific companies suffer financial loss. More concerning is the opportunity to create a widespread effect that undermines faith and confidence across financial markets. An example of this occurred in April 2013 when a hacked Twitter newsfeed propagated a false report of an explosion at the White House. Within minutes, the U.S. stock market plunged, reflecting a “loss” of over $130 billion. While the index recovered rapidly, this incident provided a clear warning of our vulnerability to malicious cyberspace activity given the hyper-connected, information-driven nature of the business environment. What would happen if instead of a hacked Twitter account, a major business or financial firm found themselves the object of a destructive cyberspace attack that rendered thousands of computers inoperative?

There is a tendency to look at networks, systems, data and operators simply as revenue generators or costs that must be controlled. It is important to understand that there are actors who instead see all of these components as targets. First are the cyber criminals who are just after the money. Second are competitors who seek critical information or intellectual property that may give them an advantage. This threat is equally concerning to both the defense and non-defense sectors. Third is the insider threat; no matter how well you think you know your team, you must be vigilant. The fourth adversary is the one with the greatest potential to affect national security. This is the state-sponsored adversary who seeks to weaken a government strategically by attacking critical infrastructure or essential components of the national economic system. The state-sponsored attacker may have access to resources that can overwhelm almost any private or government sponsored defense capability. Cyberspace attack is appealing to this fourth class of adversary because it provides an asymmetric, low-visibility avenue of approach and many of the targets are likely unprepared since they do not even consider themselves targets. The threat is real, growing and in many cases underestimated or not even observed. Raising the level of threat awareness without succumbing to the hype of a “cyber holocaust” is a balance that senior leaders must strike.

Ensuring freedom of access for legitimate use

Effective cybersecurity is hard and expensive, and we don’t do it very well. Our approach to cybersecurity should start with the assumption that legitimate use of the domain will always be challenged and there are defined responsibilities for individuals, corporations and the state. In the physical world we expect people to lock their doors at night, be wary of their surroundings and know who it is they are trusting to safeguard things that are important to them. Businesses are expected to expend resources to protect things like your money or your personal records. And the state is expected to direct law enforcement and defense activities to ensure the health and safety of its citizens. All of these concepts apply to cyberspace. We are currently challenged to execute this interdependent defense concept in cyberspace due to a variety of technical, policy and privacy issues, all of which we will eventually resolve. Something we can and should do now is establish a three-component security approach.

The first component consists of the usual safeguards like anti-virus, firewalls, data encryption and user training and compliance. We put a lot of effort into these programs and yet we are still attacked. The reason is there will always be breakdowns in network security implementation, users who click on malicious links, insider threats and determined high-end adversaries who can overcome the best defenses. The fact is the attacker has the advantage in cyberspace. The second component can be referred to as active defense. Active defense consists of “hunting” in your networks for threats that have gotten past the baseline security measures. Active defense is used solely on essential networks, data and systems and only works if cued by intelligence information that allows the hunt teams to focus on specific adversaries that have the capability and intent to go after the vulnerabilities most important to you. Hunting uses heuristics and big data analytics to identify anomalous behavior that may indicate an adversary is in the network. The third component of cybersecurity is closely controlled and authorized, at least in the U.S. It consists of operations throughout cyberspace using either law enforcement or military authorities to seek out malicious actors, warn the potential victims and provide the option to take proactive actions to stop the attack. It is important to note that neutralizing an attack does not and should not be limited to cyberspace alone. The government has a wide variety of diplomatic, information, military, economic and legal tools to coerce the attacker and it needs to use all of them. Additionally, there are commercial and private sector entities that have used a variety of legal mechanisms to deter or stop attacks before they affect critical systems.

This third component of cybersecurity raises a number of challenging policy issues both domestically and internationally, but if one considers the advantage the attacker has over the defender in cyberspace it becomes quickly apparent that building higher castle walls is not going to stop all the arrows. We have to be willing to go after the archers. Doing so sets the stage for deterrence. The principles of deterrence for cyberspace are no different than those outlined by Brodie, Schelling and others 50 years ago. We have to define red lines and be willing to enforce them. We must be resilient enough to survive the first salvo. Most importantly, our adversaries must know that we can impose unacceptable costs in a variety of ways and that, if our core interests are threatened, we are willing to do so.

Senior leadership for cyberspace

Expanding the portfolio of our senior leaders so they can provide effective strategic direction regarding cyberspace operations is an immediate imperative. The most successful senior leaders have the ability to deal with complex problems that have no single, simple solution. These leaders are successful not because they know how to do everyone’s job. They are successful because they know their people, they understand what each part of the organization does to generate success and they have sufficient understanding of all component functions to know when something needs their detailed attention. When it is necessary to “deep dive” on a problem, good leaders have the ability to interact with the experts and make a decision. These tenets of successful executive leadership apply to cyberspace as well. One of the goals of this essay was to generate interest in developing appropriate executive-level cyberspace expertise.

Cyberspace is everywhere and even though we cannot see it or touch it, it is fundamentally important to all of us. No matter what your role in society, the ability to use cyberspace provides incredible opportunities along with risks. Hopefully, this article has provided some additional perspective and offered encouragement for informed debate and dialogue on an increasingly important aspect of national security.

Maj. Gen. Brett Williams is the Director of Operations, J3, U.S. Cyber Command. The opinions expressed here are solely those of the author and do not reflect the position or opinions of the Department of Defense.

6 comments
Knut Storvik

continued from last comment:

It seems that both the U.S. and my own country, Norway need a Military Service to be the stakeholder who drives doctrine. We have for all practical purposes got the service, but we have had lots of setbacks in the domain definition and doctrine field.


The U.S., as I see it, has got a lot of doctrine, you have not yet got the definition of the domain correct and you have an excellent Sub-Unified Combatant Command that soon I hope will be elevated to full Unified Combatant Command of a SOCOM-type.

But I think the U.S. also needs a Military Department/Service for the Cyber Force, in the same way as you established the U.S. Air Force in 1947.
Wouldn’t it be a great thing to establish the U.S. Department of the Cyber Force and the U.S. Cyber Force in 2017? Celebrating the 70th anniversary of the Air Force!

The opinions expressed here are solely those of the author and do not reflect the position or opinions of the Norwegian Armed Forces or the Royal Norwegian Ministry of Defence.

Knut Storvik

continued from last comment:

The electronics, including all information and communications systems, are the infrastructure in this domain. And there we agree; the infrastructure of the Cyberspace domain is more malleable and easier to change than infrastructure in the other physical domains.
But, let me be crystal clear, changing infrastructure does not equate to changing the characteristics of the domain itself.

Cyber Operations does not constitute a new name for Computer Network Operations (CNO).
Electronic Warfare constitutes a major warfighting discipline inside the Cyberspace Domain.
So does among others CNO and Directed Energy Weapons.

Cyber Operations are without question very intelligence driven, but that does not constitute a reason or excuse to treat this domain in any other way than Land, Sea, Air or Space.

Knut Storvik

continued from last comment:

As in these other domains, with the exception of the land domain, man has been able to explore and exploit them only because we were able to develop infrastructure and equipment that allowed us to use their unique physical properties to our advantage.
Boats and vessels for maritime exploration, aircraft for air-combat and airborne passenger transport and rockets, space stations and satellites to make use of the Space are examples of such equipment.

Cyberspace is a Geophysical Operational Warfighting Domain whose unique physical characteristics are defined by the use of the Electromagnetic Spectrum as its physical terrain.
This makes it a Geophysical Domain by defining its physical borders in the form of the Electromagnetic Spectrum.

Followed by another equally important definition; that all electronics equates to the manmade infrastructure and equipment man has developed to explore and exploit this domain, just as we built cars to exploit the land, boats to travel at sea, aircraft to explore the air domain and rockets to send man to the moon through space.

The Lines-of-Communications in Cyberspace are our networks, wired and wireless, our Cyber-Lines-of-Communications (CLOC).

Knut Storvik

General!
I'm only going to comment on the most important part of your article, namely the "What is it?"

And with all due respect, sir!, I'm afraid that your description is wrong in one critical area, and as a consequence of that you get a number of other points wrong too.
The one critical point is "What".
It is critically important to understand this, because when one does, most of the other pieces fall into their places too.
The notion that Cyberspace is a manmade domain is a misnomer, and has been allowed to live far too long.

Cyberspace is NOT manmade, not any more than any other Geophysical Operational Warfighting domain, like Land, Sea, Air or Space.

US Marine

I am eternally grateful that we have deliberate and thoughtful senior leaders like Lt Gen Williams, and I am even more grateful that the author of the MAKRPC post will never have an opportunity to test his/her uninformed and irresponsible approach to operating in this congested and contested domain.

I can assure the readers that the approach MAKRPC espouses is not the American way of any military operations let alone operations in the ubiquitous "cyberspace" that so many of the world's populations and economies depend...

Lt Gen Williams, thank you for taking the time to share your thoughts and may other senior military leaders do the same--we will have to be faster and wiser than our adversaries in this domain just as is needed in the other four domains.

GoNavy

Cyber is now receiving the attention it requires -- at the highest levels. ADM Willard, as PACFLT and then PACOM, made cyber and C2-of-C2 major focal points of his theater strategies...these war factors are making their way into doctrine as well as day-to-day staff operations.

MAKRPC

We're kidding, right? Caption under the photo here says, "Signal and military intelligence NCOs watch for network attacks at the Army's Cyber Operations Center at Fort Gordon, Ga. (Army/Michael L. Lewis)". WATCH???? What about actually doing something? How about defensively/offensively preempting/preventing effective threat engagement of our global interests and capabilities? Given the mindset displayed in this dictum/truism/platitude drivel of an article what we have here is just another exercise in academic posturing - confirming a second-class school-house sense of the arena - through which we're demonstrating (from a very senior level - a two star for God sakes) - that after more than 30 years - we're STILL noodling definitions and the ever-finer filigrees of the "cyber" lexicon and the operational run rules (like the software is what we're all about). In sum we are admitting that we still do NOT know what the hell we're doing in the arena - WTFO? When EXACTLY do we plan to actually get on with real combat capabilities rather than continuing our mincing academic behavior at the edges where we wonder, wander and wallow in things that don't matter? My put is "knock off the dilettante pseudo-expert mumbo-jumbo", and get on with serious missionization and real-world execution of a properly balanced and comprehensive/coherent strategic-to-tactical defense/offense - that does NOT stand-alone in any way - but is absolutely part and parcel a key element in everything we do. While we're at it - STOP talking about anything related to either our vulnerabilities or capabilities (or the threat capabilities/intents for that matter). Step-up to be the new "silent service" credo and just get out there and kick-ass - preemptively & preventively ---- without seeking any claim to fame --- you know, by just doing the damn job! You know - by constantly pre-shaping to win hands-down in any/all battlesphere/infosphere scenarios! Hell of a concept - we ought to try it some time!
Oh yeah, forgot - tell the damn lawyers to shut-up the hell up and get the hell out of the way - because that's where a lot of this waffling BS on the "meaning of life" nonsense has been coming from all along - as an ever-deepening result of their always preferred "navel engagement" reference what the cyber-meaning of "is" is. Other than that this was a totally uniformed and dull-witted attempt at a wholly unnecessary tutorial and I rate it an "F" in all aspects. Bad Robot!