May 17, 2011

Cyber Attacks Ranked With Military Threats Under Obama Security Strategy

An Obama administration policy for tightening global defenses against computer attacks places cybersecurity on equal footing with military and economic threats, according to security analysts.

The International Strategy for Cyberspace, unveiled at a White House event yesterday, calls for the U.S. government to work with other countries on standards to protect intellectual property, prevent theft of private information and ensure cooperation among foreign law enforcement agencies when a cybercrime is being investigated.

“We as a society should not take it as a fact of life living in the era of Internet that people are going to successfully take your identity or your credit card or disable networks,” Howard Schmidt, the top White House cybersecurity official, said in a phone interview yesterday. “We want nation states to be unified behind a vision like this so we can send a clear message to bad actors that there’s going to be no place for them to operate in the international sphere.”

The plan recommends setting consequences for countries and groups that don’t comply with the standards and strengthens the U.S. position on its response to a cyber attack.

The administration is sending the message that “cyberspace is not some separate world where our usual laws, our usual deterrence does not apply,” said Kristin Lord, vice president and director of studies at the Center for New American Security, an independent security research institution.

The message is meant to “deter attacks and say, ‘Look, we’re the United States, we have a full set of tools at our disposal,’ ” Lord said in a telephone interview yesterday.

‘All Necessary Means’

The cybersecurity plan states that the U.S. reserves “the right to use all necessary means -- diplomatic, informational, military and economic -- as appropriate and consistent with international law,” to defend itself and its allies.

The strategy calls for the U.S. government, including the State, Defense, Homeland Security, Commerce and Justice departments, to work with their global counterparts, Schmidt said.

“Long-term cybersecurity in cyberspace depends on cooperation” on the plan, which was a result of “more than 18 different departments and agencies” collaborating, Schmidt said at the White House event.

The departments must report back to the president in six months on their progress, which is an important time frame, Dean Garfield, president and chief executive of the Information Technology Industry Council, said in an interview yesterday.

“It has taken a long period of time to get where we are today and the fact that the administration has put some time frame around the next steps are important in making sure that we move forward at a more accelerated pace,” Garfield said.

‘Private Sector’

Federal departments will issue details on their strategies for the plan. In six months, the White House will assess agencies’ progress on meeting the plan’s policy goals, John Brennan, President Barack Obama’s assistant for counterterrorism and homeland security, said at yesterday’s event.

“We look forward to partnering with our private sector, with other nations and with others who share the same goal” to support trade and commerce, security, free expression and innovation in cyberspace, Secretary of State Hillary Clinton said at the event.

The strategy also emphasizes that the U.S. will respond to hostile acts in cyberspace “as we would to any other threat to our country,” according to a fact sheet released yesterday by the administration. Possible retaliation will mean the “right to use all necessary means -- diplomatic, informational, military and economic.”

International Norms

The strategy’s broader goal is to ensure that current conventions and international norms on self-defense and armed conflict include violations of cyberspace, Schmidt said in the interview.

“The rules are not different in cyberspace,” he said. “It’s been difficult over the years because there’s a desire to carve that off separately” from the rules governing conventional conflicts. “We need to make sure it’s brought up to the 21st century with the understanding that none of us want to see” a conflict, he said.

Schmidt said attributing cyber attacks to specific countries or groups remains difficult and “that’s why we need diplomatic ties” to help the U.S. and other countries talk about ongoing investigations.

The strategy also calls for helping small and developing countries build the capability to deal with cybercrime and theft of intellectual property.

Russia and China

The U.S. doesn’t want some countries to “become the next generation of cyber victims because the developed countries constantly do a better job of protecting our systems and citizens,” Schmidt said. “We want to make sure we are helping them build theirs as well.”

The Obama administration is consulting with a range of countries, including Russia and China, on developing these norms, Schmidt said.

“It’s very important to understand we can’t have these discussions without engaging” with both nations, Schmidt said.
The U.S. also is urging countries to sign a 10-year-old treaty called the Cybercrime Convention that calls for cooperation in probing crimes committed via the Internet and other computer networks. These crimes include copyright infringement, fraud, child pornography and violations of network security, according to the treaty website.

The treaty has been ratified by 30 countries, including the U.S. and 29 European nations. Signatories including the U.K., Canada and Turkey have yet to ratify the law, according to the treaty website. China and Russia are among nations that have not signed the treaty.