Since the first edition of Jeffrey Carr’s Inside Cyber Warfare: Mapping the Cyber Underworld was published, cyber security has become an increasing strategic and economic concern. Not only have major corporations and government agencies continued to be victimized by massive data thefts, disruptive and destructive attacks on both public and private entities continue and show no signs of abating. Among the publicly disclosed targets of cyber attacks are major financial institutions, entertainment companies, cyber security companies, and US and foreign government agencies, including the US Department of Defense, the US Senate, and the Brazilian and the Malaysian governments.
Many of these cyber penetrations are aimed at theft of identity or financial data for purposes of criminal exploitation. These cannot simply be regarded as a “cost of doing business” or tolerable losses; such episodes undermine the public trust, which is the foundation for business transactions over the Internet. Even more significant is the threat posed by cyber theft of intellectual property. Every year, economic competitors of American businesses steal a quantity of intellectual property larger than all the data in the Library of Congress. As a result, these rivals are gaining an unfair advantage in the global economy.
Also gaining in seriousness are organized efforts to disrupt or even destroy cyber systems. Anarchist and other extremist groups, such as Anonymous and LulzSec (and their offspring), seek to punish those with whom they disagree by exposing confidential data or disrupting operations. Recent breaches of cyber security firms such as HBGary and EMC’s RSA SecurID division demonstrate a strategic effort to undermine the security architecture on which many enterprises rely. And the multiplication of social media and mobile devices will create many more opportunities for cyber espionage, social engineering attacks, and open source intelligence collection by nation-states, terrorists, and criminal groups.
Since the formation of the Comprehensive National Cybersecurity Initiative in 2008, the US government has unveiled a series of security-related strategies, including legislative proposals. These are useful and important steps, but they’re not enough to keep pace with the growing and diversifying threats. The private sector in particular must take ownership of much of the burden of defending the networks they own and operate. Moreover, while technology and tools are key to the solution, human beings are at the heart of any security strategy. Unless those who use the Internet observe good security practices, defensive technologies will merely be a bump in the road to those who seek to exploit cyberspace.
Finally, while defense against cyber attacks is important, it is not enough. When cyber attacks damage critical infrastructure or even threaten loss of life, sound strategy calls for preventive and deterrent measures. While some downplay the idea of cyberspace as a warfare domain, occurrences such as the 2008 Russia-Georgia conflict underscore that information systems are very much part of the battlefield of the future. For this reason, the US Department of Defense has issued its first official strategy for operating in cyberspace. To be sure, difficulties in attribution and questions of legal authority complicate the application of warfighting concepts to cyberspace. Nevertheless, we must tackle these issues to determine what measures can be taken offensively to eliminate or deter critical cyber threats, when those measures should be triggered, and who should carry them out. Without formulating a strategy that encompasses these measures, our cyber security doctrine will be, at best, disconnected and incomplete.
For policymakers and business leaders, cyber warfare and cyber security can no longer be regarded simply as the province of experts and technicians. The leadership of any public or private enterprise must consider the risks of and responses to cyber threats. This latest edition of Jeffrey Carr’s volume is indispensable reading for senior executives as well as savants.