Continuing where James Mulvenon left off at the the Cyber Statecraft Initiative’s and the Cyber Conflict Studies Association‘s “Addressing Cyber Instability” event, Greg Rattray, CEO of Delta Risk and former Commander of the Operations Group of the Air Force Information Warfare Center, spoke on “Instability in the Cyber Environment” at the Atlantic Council on July 10.
Rattray began by clarifying that in his view, while not secure, the design of the Internet isn’t flawed. The open, interconnected platform was a highly successful experiment that continues to add to global prosperity immensely in its current form. Now, however, the qualities that made it so successful threaten its security, creating an opportunity for a trade off, sacrificing a little of the Internet’s current open, connected nature to gain much in stability.
Another obstacle to Internet stability and security is the astounding technological rate of change. This does not bode well for security as the technology changes faster than defenders can react and this change will likely to speed up rather than slow down in the future. There is also a significant Internet underground with well resourced actors that can challenge and coerce states. Currently, non-state actors, including criminals, have an advantage in cyberspace and it’s unlikely that there will be any technological change or restructuring any time soon that will fundamentally alter these dynamics.
As technology can’t save us, we must cooperate to add stability to cyberspace. Criminal, terrorist, and hacktivist groups are one area where the United States can work together even with states where we have conflicting interests in cyberspace, such as China. Another way to help reduce cyber instability is by focusing less on security and more on risk management. Because the Internet today and for the foreseeable future cannot be perfectly secure, the most important choice becomes how we use it. We can avoid most risks by not using the Internet at all, but that’s neither wise nor even feasible anymore. Other trade offs, such as whether to take the efficiency of online banking along with the risks, are indicative of the sorts of decisions we will increasingly be faced with while trying to adapt to an insecure internet. Since attacks will keep coming and defenses will never be perfect, Rattray also emphasized moving away from a passive model with methods such as network deception.
Rattray concluded that, at the national level, we still want a vibrant internet so we can continue to reap the benefits of its openness and interconnectedness. To do so, we must make our networks and practices resilient, which will be expensive and require difficult choices and trade offs. And, as we are the nation with the most at stake online, Rattray warned against those living in glass houses like the United States throwing rocks like Stuxnet.
For more on these topics see the CTOvision Guide to National Security Technology and