Harrison Richard M. - Cyber insecurity: navigating the perils of the next information age

Cyber Insecurity

Cyber Insecurity

Navigating the Perils of the Next Information Age

Edited by

Richard M. Harrison and Trey Herr

PUBLISHED IN ASSOCIATION WITH

THE AMERICAN FOREIGN POLICY COUNCIL

ROWMAN & LITTLEFIELD

Lanham Boulder New York London

Published in association with The American Foreign Policy Council

Published by Rowman & Littlefield

A wholly owned subsidiary of The Rowman & Littlefield Publishing Group, Inc.

4501 Forbes Boulevard, Suite 200, Lanham, Maryland 20706

www.rowman.com

Unit A, Whitacre Mews, 26-34 Stannary Street, London SE11 4AB

Copyright 2016 by Rowman & Littlefield

All rights reserved . No part of this book may be reproduced in any form or by any electronic or mechanical means, including information storage and retrieval systems, without written permission from the publisher, except by a reviewer who may quote passages in a review.

British Library Cataloguing in Publication Information Available

Library of Congress Cataloging-in-Publication Data Available

ISBN: 978-1-4422-7284-2 (cloth : alk. paper)

ISBN: 978-1-4422-7285-9 (electronic)

The paper used in this publication meets the minimum requirements of American National Standard for Information SciencesPermanence of Paper for Printed Library Materials, ANSI/NISO Z39.48-1992.

Printed in the United States of America

Contents

Honorable Richard J. Danzig

Trey Herr and Richard M. Harrison

Eric Ormes and Trey Herr

David Weinstein

Robert M. Lee

Joshua Corman and Beau Woods

Jane Chong

Sasha Romanosky and Trey Herr

Trey Herr and Ryan Ellis

Paul Ohm

Sasha Romanosky

Robert Morgus

Trey Herr and Heather West

Aaron Brantly

Adrienne Allen

Allan Friedman and Jonah F. Hill

Trey Herr and Paul Rosenzweig

Trey Herr and Drew Herrick

Mailyn Fidler

Jason Rivera, Lauren Boas Hayes, Anastasia Mark, Matthew Russell, and Nathaniel Tisa

Herbert S. Lin and Taylor Grossman

Kat Dransfield, Abraham Wagner, and Rand Waltzman

Trey Herr and Richard M. Harrison

This book has taken several years to materialize. Back in 2013, with the help of Eric Ormes, we began planning a briefing series for professional staffers on Capitol Hill to address what they saw as a glaring lack of understanding about cybersecurity in official Washington. That program got underway in 2015, whenin collaboration with the American Foreign Policy Councils Defense Technology Program and a rotating group of expertswe held five events for Congressional staff. The briefings received an overwhelmingly positive reception, and were attended by staff from more than half of the Senate and nearly a hundred House offices. The success of this series, as well as the numerous requests for additional information that followed, made it clear that a larger and more comprehensive treatment of the subject matter was necessary. Hence this book.

We could not have done this alone. A number of individuals and organizations played a critical role in the development of this book, and deserve mention.

First, American Foreign Policy Council (AFPC) president Herman Pirchner Jr. has our thanks for his support of the inaugural briefing series and, thereafter, of this book project. His unwavering confidence in our abilities throughout was crucial to our success. We were also fortunate to have the support of a generous friend and donor, whowhile anonymouswas instrumental in helping shape the direction of this project.

Nor could either the briefing series or the book have happened without the generosity of the William H. Donner Foundation, which deserves our deep gratitude for understanding the importance of cyber threats to U.S. national security and economic vitality. So, too, do the contributors to this volume, who are the real talent behind a work that draws together a broad range of complex and arcane concepts.

Several others deserve credit as well. The New America Foundation, including Rob Morgus and Ian Wallace, played an integral role in connecting us with many of the experts who ultimately became the contributors for the book. AFPC vice-president Ilan Berman provided guidance with proposal writing and the publication process. Elizabeth Wood, AFPCs Special Programs Coordinator, gave first-rate copy editing assistance. We also benefited from the efforts of several dedicated researchers, who helped fact check the manuscript, format the citations, and lent a hand in graphic design: Amanda Azinheira, Christine Beauchemin, Ivanna Kuz, Georgina OShea, Paige Rotunda, Hannah Tyrrell, Alex Werman, and Simone Worthy. Additional thanks go to our outside reviewers, and to those who provided feedback, including Dr. Allan Friedman, Michael Specter, Richard Barnes, Dr. Peter Singer, and Eric Ormes.

On a personal note, Richard would like to thank his loving wife Allyson, his sons James and Nathan, and his extended family for their invaluable support and understanding during the production of this book. Trey would like to thank his Dad and brothers for their patience during this processand to his advisors, Drs. Lance Hoffman, Allan Friedman, Susan Sell, Robert Adcock, and Steve Balla, for support on this and related projects.

The challenges and discontinuities introduced by digital information systems are so diverse that no single analogy can properly capture them. However, one apt description may be contained in the observation that, in some important respects, the leaders of American government respond to the problems of cyber technology the same way Americans and their leaders responded to our Western frontier two hundred years ago.

We are excited by what we already have experienced, and believe that future discoveries and exploitations will have immense and transformative effects. At the same time, we are uncertain and conflicted. What is the shape of this new territory? How should it be governed? Must it be insecure for decades to come? How do we reconcile old values, interests, power relationships, and practices with the frontiers unfamiliar risks, demands, and ways of doing things?

Like our forbearers, we can only partially comprehend and map the unknown. We do so by relying on reports filtering back from scattered settlements and from explorers who tell us, sometimes inaccurately, where some trails lead. With haphazard information, we try to regulate areas that are at least somewhat settled, attempt occasional forays to maintain a modicum of order in some critical areas, and more or less acquiesce to anarchy in the remainder. Barely able to comprehend what will come, we project our hopes and fears onto our mental maps of the future.

American leaders concerned with national security have a particularly strong imperative to develop these maps, but have a deep difficulty in doing so. For all of our professional lives, we have built our security on a foundation of technological innovation that consistently, sometimes exclusively and usually disproportionately, came from initiatives largely directed by the national security establishment. Furthermore, these developments came (again, with some exceptions) at a pace that we could assimilate and control. Now, though the internet famously evolved from DARPA and the semiconductor industry significantly in response to military and NASA needs, we have all become sorcerers apprentices: we have little, and sometimes no, control over technology innovation generally, and information technology in particular.

At this frontier, there is a sense that no claims are exclusive, that the pace and direction of development cannot be bounded or well-predicted, that the settlers recognize no special allegiance to us, and that the bounty they produce may make us more, rather than less, vulnerable. Moreover, developments come with a speed that exceeds the ability of many decision-makers to gain familiarity with new developments, the capabilities of bureaucracies to adapt to them, and legislative efforts to respond to them.