Let me start with a simple statement of fact. Neither the government nor the private sector can completely control or protect the country's information infrastructure.
This is not just my view. It was one of the opening sentences of the US Director of National Intelligence, Dennis Blair, when he delivered the intelligence community's annual threat assessment to the Senate in February.
He went on to say that, 'with increased national attention and investment in cyber security initiatives, measures can be implemented to mitigate this negative situation'.
But I think we all recognise that there is a long way to go.
A lot of attention has focussed on a simulated cyber attack, 'Cyber Shockwave', which was organised by the Bipartisan Policy Centre a few weeks ago. One of the lessons from this event was that government urgently needs to establish firm guidelines and practices before a cyber attack occurs, including definitions of what constitutes an act of cyber war and what is considered a legally justifiable response.
Many in this audience will also be aware of recent comments by Dennis Blair's predecessor as DNI, Michael McConnell. He recently said in both the Washington Post and testimony to the Senate that the US was involved in a cyber war at this very moment, and losing. He went on: 'This is not because we do not have talented people or cutting edge technology; it is because we are simply the most dependent and the most vulnerable. It is also because we have not made the national commitment to understanding and securing cyberspace'. The International Institute for Strategic Studies shares the view that we do not understand the challenge: it has said that 'we are now, in relation to the problem of cyber warfare, at the same stage of intellectual development as we were in the 1950s in relation to possible nuclear war'.
There are, of course, differences between the threat posed by nuclear weapons and the risks posed by cyber space. A nuclear exchange would be an easily identifiable event with a catastrophic effect globally. But what do people mean when they refer to 'cyber warfare'? The Government recently admitted that there were 300 significant attacks on its core computer networks last year. But what is classed as a 'significant attack'? What were the purposes of these attacks? How can the Government put an accurate figure on the number of attacks against its networks?
My sense is that we do not understand the nature of the challenge in cyber space and therefore also its scale. That is our biggest vulnerability, as it means we have not been able to develop an effective response.
Cyber warfare versus kinetic warfare
To illustrate this point it is useful to unpack the idea of 'cyber warfare'.
The term implies that there are parallels between kinetic warfare and what happens in cyber space. But, as this audience will be aware, there are some significant differences.
The most obvious is that kinetic warfare takes place in a physical domain and military forces are therefore organised around geography. But while actions in cyber space can certainly have physical effect, cyber space has been termed a 'logical battlespace'. So how are we to organise our departments and forces around this? There are a number of challenges.
First, actions in cyber space can have a range of purposes, from destruction, to data manipulation, to crime and espionage, to creating chaos and confusion. It is very difficult to determine the purpose of a cyber event until it is completed.
I do not rule out the prospect of an aggressive act of such a scale which deliberately targets the networks that are the nervous system of the country's critical infrastructure - that is, the energy grid, our water supplies, our food distribution, our transport system, our finance system, and all aspects of local and national government - for the purposes of destruction, disruption or disablement. An act like this could severely affect both the economy and the provision of essential services for hours if not days and weeks, with implications for the lives of many. It would have immediate, direct and measurable damage and therefore could rightly be classed as an 'armed attack'.
Now to date such assaults have tended to accompany kinetic or other conflict, as we saw in Georgia or Estonia. It is, however, also conceivable that an opponent could time such an event to coincide with a natural disaster, so debilitating our emergency response, or that terrorists in particular could develop the capability to do this - and they have certainly expressed the intent.
But perhaps a more difficult and impending challenge for governments is that posed by ongoing or gradual actions against our networks like intelligence collection, property theft, or meddling with the integrity of data and algorithms. Would these activities ever be classed as a form of attack? At what point might they become crippling? Could these activities be "dual use" or capable of being scaled-up, and therefore able to disrupt or destroy at a later date, rather than just aimed at securing industrial and economic advantage or knowledge to overcome technical superiority or develop military countermeasures?
As an illustration, it is worth noting that part of the Chinese government's military operational guidance is that if an imminent physical attack were presented by the United States, they would launch a pre-emptive network attack. In order to be able to do this, the Chinese would either have had to launch a distributed denial of service attack to overwhelm systems (without needing to penetrate them), or they would have needed to have access to networks beforehand.
This example goes to my second point, which is that, unlike what happens on a physical battlefield, people are often not aware of events in cyber space - at least not until they have happened, and sometimes not even then. This is because in cyber space there is no (to use the military term) 'strategic warning time' - that is, there will not be a long and visible build-up to an event: events happen rapidly or are ongoing. As a result there may well be low awareness as well as no mobilisation time for an effective response, which in turn means that a dedicated capability for detection, monitoring and warning is needed.
The third point I want to make follows on from this. In cyberspace it is very difficult to identify the perpetrator of an action. We face a multitude of adversaries, including terrorist networks, organised criminal groups, lone individuals and states. If it is difficult to identify the purpose of an event in cyber space until its culmination, or even to know that something has taken place, how can we expect to know who did it and for what purpose? Even if we are able to eventually trace an event to the country from which it emanates, can we be sure that the government there is responsible for it or sponsoring an individual or group? Or even knows about it?
Just as on the physical battlefield, where we have seen the convergence of state and non-state actors, with non-state actors rapidly achieving a level of capability once the preserve of states alone, so in cyber space we are seeing the convergence of state and non-state actors and their ambitions. These interconnections complicate finding defensive solutions. In many cases governments have assigned different areas of responsibility to different agencies on the basis of their respective policy competences and, sometimes, legal powers. But these divisions do not necessarily - indeed are unlikely to - coincide with the dividing lines between cyber actors, so we are immediately faced with a problem of mismatch. This is an issue which increasingly confronts government policy makers. The machinery of government no longer corresponds with the demands of efficiency and effectiveness.
My fourth point is about the exploitation of vulnerabilities. Vulnerabilities unknown to operators and users are exploited in cyberspace. If they are found quickly there is usually time to fix them, without the consequences of undiscovered vulnerability on the physical battlefield where a single vulnerability can result in immediate death or destruction. Of course this comforting thought is made less compelling when one realises that vulnerabilities habitually persist for long periods without discovery and that they may of course be part of a system governing what happens on the battlefield.
An effective response: active defence and deterrence
Now, what does all this mean for our conceptualisation of cyber insecurity?
I echo Howard Schmidt's recent comment: there is a question mark as to whether cyber war as a discrete event really exists. Schmidt, President Obama's recently appointed cyber czar, has said that the term is 'a terrible metaphor and [...] a terrible concept' which does not reflect the nature of cyberspace - that there is 'no win-lose in the cyber realm today'. As he says, cyber space 'affects everybody; it affects businesses, it affects government, so number one, there's no value in having [a cyber war]'.
Shared interest in fact operates as something of a deterrent to open conscious clashes between players. Take criminals. An extreme example I grant you. But like states, they also increasingly rely on the enabling effect of the internet for their business model, as do terrorists for radicalisation, recruitment and planning. Not that they should therefore be left alone to get on with it! But methods other than direct confrontation are often preferred by their pursuers.
So the exploitation of cyberspace is more sophisticated than implied by the idea of 'cyber war': hundreds of thousands of actions are targeting our systems each day, each with different aims and effects, not necessarily aimed at immediate destruction or disruption but rather more subversive effects. How do we respond to this?
We are talking about cyber defence, which necessarily involves offensive tactics to be effective. I would argue that there are three components.
The first concerns the definition of 'state'. Can - or should - we expect the operators of critical infrastructure, often in the private sector, to respond to so-called 'cyber attacks' by themselves, and should they have sole responsibility for reconstituting infrastructure after any event? I doubt this. What about our defence and security industry, which is under significant threat? So government needs to work in partnership with the private sector and, I would suggest, develop minimum security standards and shared detection and response mechanisms. This might mean that government needs to have the authority to require operators to implement certain measures.
The second component concerns the way in which we structure the task of responding to events in cyber space. We need a truly national capability, underpinned by the necessary powers, to co-ordinate the assessment of existing vulnerabilities, receive reports on the evolving situation, collate information, and co-ordinate responses. At the moment these functions are dispersed across government in ways which do not reflect the realities of cyberspace - that is, the interconnections between different actors and events and the difficulty of identifying perpetrators and their motives.
The third component concerns the way we actually respond to cyber events. Just as events in cyber space are either rapid or ongoing, so our response also needs to have these characteristics. There are two streams of activity.
One, we need to accept that many security challenges are already present or designed into our networks. These could take the form of an insider threat. Or unidentifiable 'zero-day malware' which could be implanted years in advance and lie dormant until activated. Or a system could perform as specified or designed but in ways which the designers did not anticipate. Therefore we need real-time knowledge of how our systems are operating compared with how they are meant to operate, so that malicious activities can be identified immediately. For these reasons the cyber security and information assurance agendas cannot and must not be separated.
Two, we also need an ability to detect and assess incoming events to determine the risk they pose. I do not believe in this context that passive defences are sufficient. In a constantly evolving environment they do not guarantee total security, nor do they dissuade actors. So active defence - by which I mean using technologies that are able to identify and risk assess unexpected events, trace them to source and immediately disrupt them - is a concept and approach that should be seriously considered.
This of course raises a number of legal questions regarding the right to defence and anticipatory self-defence. More work undoubtedly needs to be done in this area, but arguably the scope, duration, intensity and ongoing nature of the events targeting our systems qualify as an 'armed attack'. One could also argue that delaying a response could hinder our ability to mount an effective defence later on. Taken together, these two factors could permit active defence.
Now active defence could well have unintended consequences and does not overcome the question of attribution. It might be possible to calibrate the disruptive effect of the unintended consequence to the risk it poses. Attribution is more complex. Even if a government is not directly responsible, states have an obligation to take steps to prevent their territory being used for attacks. But many do not have the capacity to control such exploitation of their sovereignty. This points to the need for increased technical help and capacity building by organisations like NATO and the EU.
My final points concern the development of effective responses, budgets and cyber awareness.
Our budgetary periods do not recognise the rapid pace of the development and deployment of technology. Given that cyberspace is a constantly evolving environment, we will often need to develop solutions to different insecurities within short time scales and this will require flexible funding arrangements.
Finally, underpinning each of the components I have outlined must be an increase in cyber awareness, expertise and forensic skills across the private and public sectors. Operators seldom have enough understanding of their systems to know when something is going wrong or how to defend effectively. So we all need to know a lot more about our cyber assets and to monitor what they - and users - are doing.
Let me conclude.
We are without doubt vulnerable given our dependency on cyber space. But the concept implied by the term 'cyber warfare' is not entirely accurate; we are talking about cyber defence, which necessarily involves offensive tactics to be effective but is premised on an understanding of the sophisticated ways in which cyberspace is exploited.
For our cyber defence to be effective we need sustained partnership between government and the private sector; we should reorganise functions that are currently dispersed across government; we should bring together the cyber security and information assurance agendas; we must increase international technical co-operation and capacity building and develop international standards; and, perhaps most importantly, we must adopt an active rather than passive approach. In the end this concerns us all.