U.S. must fight cyberterror aggressively

Deputy Defense Secretary John Hamre told Congress last month that the United States has been under an organized and systematic attack for the past several months by a group of unknown hackers. Hamre's report prompted Rep. Curt Weldon (RPa.) to declare this month that 'we are at war.' Although the

Deputy Defense Secretary John Hamre told Congress last month that the United States has been under an organized and systematic attack for the past several months by a group of unknown hackers. Hamre's report prompted Rep. Curt Weldon (R-Pa.) to declare this month that "we are at war."

Although the Defense Department reported that classified computer systems had not been compromised, the attacks demonstrated once again that dedicated and persistent hackers can gain access to almost any government or business Internet-linked information infrastructure in the world.

How do we defend America against cyberattack? The sky is not falling, but information technology is as much an Achilles' heel as it is a Promethean gift of fire. To properly prepare for cyberattacks, the government needs assets and the legal authorities to quickly identify and penalize hackers. A systematic, 10-step approach to cyberterrorism will help the government, working with the private sector, defend itself against cyberattack:

1. Every commercial enterprise, academic institution and level of government must be a part of a national strategy of education and awareness. Information security is and will remain the initial responsibility of every individual who works with and around information systems.

2. IT users must be more careful of what they post on the Internet. In rushing to embrace the benefits of the World Wide Web, even DOD initially made too much information public about its capabilities, infrastructure, personnel and operations.

3. IT users must develop a comprehensive and integrated enterprise defense plan. They must train and educate employees, implement information security procedures and incorporate physical and virtual barriers to hackers. Because employees, known as insiders, are the greatest threat to computer systems, verification access protocols must be used to add another sophisticated level of restrictions on authorized users and hackers. Encryption is an absolute necessity for information security. The government and private industry must come to a reasonable compromise on the encryption issue.

4. IT users must use highly effective file integrity assessment software to monitor and record authorized and unauthorized activities. This type of software provides intrusion detection, assessment and recovery, and forensics. It is a tremendous asset in the prosecution of computer crimes.

5. Law enforcement agencies must establish an international cooperative response to computer crime. The FBI has done an excellent job in initiating treaties that address international cooperation, but it may be decades before even a limited treaty system is in place. Efforts that fall short of universal international cooperation will remain largely ineffective.

Universal law enforcement cooperation within the international community should be structured with a single multilateral treaty. Those who do not sign the treaty should be clearly notified that they are part of the problem and will be treated as such. For example, the unwillingness of a nonparty state to cooperate in the suppression or prevention of an acknowledged nonstate-sponsored cyberattack that originates in its sovereign territory should be considered as state sponsorship of a use of force under international law, thereby invoking the right to use force in defense against the state or the nonstate actors in that state.

6. The United States must create a presumption under the law that will enable an immediate investigation by law enforcement and national security assets of all cyberattacks against vital national information infrastructures. The current U.S. approach presumes the hacker is a nonstate actor and U.S. citizen, and only until law enforcement agencies determine that the hacker is not a U.S. citizen can the full weight of the national security intelligence structure be brought to bear against the hacker. The problem with this approach is that the United States must first determine the identity and legal standing of the hacker - specifically, whether the hacker is a U.S. citizen or corporation, foreign citizen or corporation, or another state - before it can engage the most appropriate response.

The solution to this problem is riddled with constitutional issues, but we cannot effectively defend our vital national information infrastructures by letting law enforcement be the initial response to all cyberattacks. If we do, we may not know we are under attack until it is too late.

7. All U.S. law enforcement agencies must develop expertise to investigate computer crime, and all jurisdictions must have fast-track procedures to pursue hackers.

8. As a condition for doing business, Internet service providers must have a legal duty to cooperate in tracing and identifying the hackers that are using their systems to hide their unlawful activities. ISPs certainly are aware that their lack of cooperation almost completely blocks an investigation. Accordingly, their lack of cooperation should be appropriately penalized with criminal sanctions and civil liability.

9. We must identify government and commercial information systems that are critical to our national security. The penetration by another state into sensitive U.S. computer systems should, by their nature, be presumed a demonstration of hostile intent. Similarly, computer attacks against commercial infrastructures such as the New York Stock Exchange also may seriously degrade our ability to defend ourselves. The United States should authorize the use of military force against any identified state that penetrates a government or private industry computer system critical to U.S. national security.

10. The United States must put into place an effective indication and warning system that enables the federal government to track patterns of attack on government and private industry to determine when an organized and coordinated attack is under way. Congress mandated such a system four years ago.

Every commercial enterprise and level of government must become more aggressive in implementing individual and collective defensive measures. It is not enough to work alone. Private industry and government must share security-related information and work together.

-- Sharp, former deputy legal counsel to the chairman of the Joint Chiefs of Staff, is senior counsel and principal national security policy analyst at Aegis Research Corp., Falls Church, Va. He also is adjunct professor at Georgetown University Law Center and author of Cyberspace and the Use of Force.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.