Deputy Defense Secretary John Hamre told Congress last month that the United States has been under an organized and systematic attack for the past several months by a group of unknown hackers. Hamre's report prompted Rep. Curt Weldon (R-Pa.) to declare this month that "we are at war."
Although the Defense Department reported that classified computer systems had not been compromised, the attacks demonstrated once again that dedicated and persistent hackers can gain access to almost any government or business Internet-linked information infrastructure in the world.
How do we defend America against cyberattack? The sky is not falling, but information technology is as much an Achilles' heel as it is a Promethean gift of fire. To properly prepare for cyberattacks, the government needs assets and the legal authorities to quickly identify and penalize hackers. A systematic, 10-step approach to cyberterrorism will help the government, working with the private sector, defend itself against cyberattack:
1. Every commercial enterprise, academic institution and level of government must be a part of a national strategy of education and awareness. Information security is and will remain the initial responsibility of every individual who works with and around information systems.
2. IT users must be more careful of what they post on the Internet. In rushing to embrace the benefits of the World Wide Web, even DOD initially made too much information public about its capabilities, infrastructure, personnel and operations.
3. IT users must develop a comprehensive and integrated enterprise defense plan. They must train and educate employees, implement information security procedures and incorporate physical and virtual barriers to hackers. Because employees, known as insiders, are the greatest threat to computer systems, access verification protocols must be used to add another sophisticated layer of restrictions on authorized users as well as hackers. Encryption is an absolute necessity for information security. The government and private industry must come to a reasonable compromise on the encryption issue.
4. IT users must use highly effective file integrity assessment software to monitor and record authorized and unauthorized activities. This type of software provides intrusion detection, assessment and recovery, and forensics. It is a tremendous asset in the prosecution of computer crimes.
5. Law enforcement agencies must establish an international cooperative response to computer crime. The FBI has done an excellent job in initiating treaties that address international cooperation, but it may be decades before even a limited treaty system is in place. Efforts that fall short of universal international cooperation will remain largely ineffective.
Universal law enforcement cooperation within the international community should be structured with a single multilateral treaty. Those who do not sign the treaty should be clearly notified that they are part of the problem and will be treated as such. For example, the unwillingness of a nonparty state to cooperate in the suppression or prevention of an acknowledged nonstate-sponsored cyberattack that originates in its sovereign territory should be considered as state sponsorship of a use of force under international law, thereby invoking the right to use force in defense against the state or the nonstate actors in that state.
6. The United States must create a presumption under the law that will enable an immediate investigation by law enforcement and national security assets of all cyberattacks against vital national information infrastructures. The current U.S. approach presumes the hacker is a nonstate actor and U.S. citizen, and only after law enforcement agencies determine that the hacker is not a U.S. citizen can the full weight of the national security intelligence structure be brought to bear against the hacker. The problem with this approach is that the United States must first determine the identity and legal standing of the hacker (specifically, whether the hacker is a U.S. citizen or corporation, a foreign citizen or corporation, or another state) before it can engage the most appropriate response.
The solution to this problem is riddled with constitutional issues, but we cannot effectively defend our vital national information infrastructures by letting law enforcement be the initial response to all cyberattacks. If we do, we may not know we are under attack until it is too late.
7. All U.S. law enforcement agencies must develop expertise to investigate computer crime, and all jurisdictions must have fast-track procedures to pursue hackers.
8. As a condition for doing business, Internet service providers must have a legal duty to cooperate in tracing and identifying the hackers that are using their systems to hide their unlawful activities. ISPs certainly are aware that their lack of cooperation almost completely blocks an investigation. Accordingly, their lack of cooperation should be appropriately penalized with criminal sanctions and civil liability.
9. We must identify government and commercial information systems that are critical to our national security. The penetration by another state into sensitive U.S. computer systems should, by its nature, be presumed a demonstration of hostile intent. Similarly, computer attacks against commercial infrastructures such as the New York Stock Exchange also may seriously degrade our ability to defend ourselves. The United States should authorize the use of military force against any identified state that penetrates a government or private industry computer system critical to U.S. national security.
10. The United States must put into place an effective indication and warning system that enables the federal government to track patterns of attack on government and private industry to determine when an organized and coordinated attack is under way. Congress mandated such a system four years ago.
Every commercial enterprise and level of government must become more aggressive in implementing individual and collective defensive measures. It is not enough to work alone. Private industry and government must share security-related information and work together.
-- Sharp, former deputy legal counsel to the chairman of the Joint Chiefs of Staff, is senior counsel and principal national security policy analyst at Aegis Research Corp., Falls Church, Va. He is also an adjunct professor at Georgetown University Law Center and author of Cyberspace and the Use of Force.