We all have computers that can be weaponized, says Jim Reavis.

Jim Reavis

Recently the Trump Administration reversed Presidential Policy Directive 20, which was Obama-era guidance governing how the United States can deploy cyber weapons as part of overall national security.  How this is being reported in the media is that the current administration is eliminating this policy framework to enable a more flexible use of cyber weapons, which depending upon your point of view could either be a very good thing or a very bad thing.  Here are a few points for SC Magazine readers to ponder:

  • The whole point of this policy change is for offensive cyberactivities, i.e. hacking the enemy. It is doubtful we need an act of the President to change a rule on a DoD firewall that is blocking an attack.  I love this euphemism within the directive – provides a procedure for cyber collection operations that are reasonably likely to result in “significant consequences”.
  • There is some logic to the current administration pushing back on a deliberative directive that has unilateral constraints compared to what an adversary may do, particularly when that directive was already leaked in full by Edward Snowden and published
  • The usage of all forms of computers and computer networks for military purposes has already happened or is happening, just as it happened for aviation and space. Demilitarization of the Internet is not happening.  I think warfare is inevitable, but resultant devastation is not.
  • A common military viewpoint that cyberspace is simply a new battlefield is simple and wrong. Cyberspace is pervasively civilian and mostly consists of commodity technology and services.  None of my neighbors have an F-35 fighter or M1 Abrams tank parked in their backyard, but all have computers that can be “weaponized” in some form or another.
  • The most insidious aspect of cyberweapons is their dependence upon identified vulnerabilities in this mostly civilian technology, which is a closely guarded secret and launched as a Zero Day attack. A vulnerability researcher may be selling the same vulnerabilities to multiple governments, these governments may independently uncover the same vulnerabilities or they simply may get stolen.  This reality has resulted in a cyberspace that is buggy and artificially less secure than it otherwise could be. While many types of military weaponry are difficult to hide or international treaties oblige disclosures, cyber weapon stockpiles are only effective through secrecy. 

In the almost 10 years I have been leading the Cloud Security Alliance (CSA), I have come to the conclusion that cyberwar and the stockpiling of cyberwar tools is inevitable, and that military forces depend upon maintaining weaknesses in mostly civilian technology to have an effective stockpile of these weapons.  As we continue to move forward in a world where more and more technology is shared and interdependent, including the global cloud computing utility, we need to understand which actions we can take that give us the best opportunity over time to segregate cyberwar from civilian computing.

What I would like to see the industry do, on an international level, is to create a rigorous taxonomy of cyberwar weapons and extensively document the use cases of acceptable cyberwar activities versus unacceptable activities.  Who wants to see a hospital under cyberattack?  Why would we want to disrupt a farmer’s drones?  Collateral damage occurs in traditional warfare, but in cyberspace everything can become collateral damage rather quickly.  I would like to see the broadest set of stakeholders participate in creating this guidance

No whitepaper is a panacea.  However, I see the development of a global understanding of the meaning of cyberwar and a consensus of inviolable civilian cyberspace activities as a tremendous first step in creating transparency and follow on actions.  This knowledge and shared language can be the basis for future government policies and international treaties.  In the age of nuclear proliferation, the very clear understanding of the destructive power of these weapons has prevented their usage.  If a nation understands that its own civilian cyberspace is risked any time it attempts an unacceptable cyberattack, we may see deterrence become effective in this realm as well.