What’s Mine Is Mine
By user701213 on May 11, 2009
The 2009 RSA Conference is over and it was, as always, a good chance to catch up with old friends and new trends. I was on four panels (including the Executive Security Action Forum on the Monday before RSA) and it was a pleasure to be able to discuss interesting issues with esteemed colleagues. One such panel was on the topic of cloud computing security (ours was not the only panel on that topic, needless to say). One of the biggest issues in getting the panel together was manifest at the outset when, like the famous story of 6 blind men and the elephant, everyone had a different “feel” for what cloud computing actually is.
The “what the heck is cloud computing, anyway?” definitional problem is what makes discussions of cloud computing so thorny. Some proponents of cloud computing are almost pantheists in their pronouncements. “The cloud is everything; everything is the cloud. I’m a cloud, you’re a cloud, we’re a cloud, it’s all the cloud; are in you in touch with your inner cloud?” It’s hard to even discuss cloud computing with them because you need to know what faction of the radical cult you are with to understand how they even approach the topic.
One of the reasons it is hard to debunk cloud computing theology is that the term itself is so nebulous. If by cloud computing, one means software as a service, this is nothing new (so what’s all the fuss about?). Almost as long as there have been computers, there have been people paying other people to manage the equipment and software for them using a variety of different business models. When I was in college, students got “cloud services,” in a way. You got so many computer hours at the university computer center. You’d punch out your program on a card deck, drop it off at the university computer center, someone would load the deck, and later you’d stop by, pick up your card deck and your output. Someone else managed running the program for you (loading the deck) and debited your account for the amount of computing time it took to run the program. (I know, I know, given all the power on a mere desktop these days, this reminiscence is the computing equivalent of “I walked 20 miles to school through snow drifts.” But people who remember those days also remember dropping a card deck, which was the equivalent of “the dog ate my homework” if you couldn’t literally get your cards lined up in time to turn your homework in. Ah, the good old days.)
Today, many companies run hosted applications for their customers through a variety of business models. In some cases, the servers and software are managed at a data center the service provider owns and manages (the @myplace model); in other cases, the service provider manages the software remotely, where the servers and software remain at the customer site (the @yourplace model). What both of these models have in common is knowing “what’s mine is mine.” That is, where the servers are located is not as important as the principle that a customer knows where the data is, what is being done to secure it and that “what’s mine is mine.” If you are not actually managing your own data center, you still will do due diligence – and have a well-written contract, with oversight provisions – to ensure that someone else is securing your data to your satisfaction. If it is not done to your satisfaction you either needed to write a better contract or to terminate the service contract you have for cause.
I therefore find some of the pronouncements about cloud computing to be completely ludicrous if you are talking about anything important, because you want to know a) where something is that is of value to you and b) that it is being secured appropriately. “Being secured” is not just a matter of using secure smoke and mirrors – oops, I mean, a secure cloud protocol – but a bunch of things (kind of like the famous newspaper reporting example – who, what, when, how, why and where). Maybe “whatever” also begins with a W, but nobody would accept that as an answer to the question, “It’s 11PM, do you know where your data is and who is accessing it?”
I’ve used the following example before, most recently at the 2009 RSA Conference, but it’s worth repeating here. Suppose you have a daughter named Janie, who is the light of your life. Can you imagine the following conversation when you call her day care provider at 2pm.?
You: “Where is Janie?”
DCP: “Well, we aren’t really sure right now. Janie is off in the day care cloud. Somewhere. But we are sure she’ll be at the door by 5 when you come to pick her up.”
The answer is, you wouldn’t tolerate such “wherever, whatever” answers and you’d yank Janie out of there ASAP. Similarly, if your data is important, you aren’t going to be happy with a “secure like, wherever” cloud protocol.
There is another reason “the cloud is everything, everywhere” mantra is nonsense. The reality is that if the cloud is everything and everywhere, then you have to protect everything, which is simply not possible (basic military strategy 101, courtesy of Frederick II: “He who defends everything defends nothing”). It’s not even worth trying to do that. If everything is in the cloud then one of two things will happen. Either security will have to rise to that digital equivalent of Ft. Knox everywhere: if not all data is gold, some of it is and you have to protect the gold above all else. Or, security devolves to the lowest common denominator, and we are back to little Janie – nobody is going to drop off their precious jewels in some cloud where nobody is sure where they are or how they are being protected. (You might drop off the neighbor’s kid into an insecure day care cloud because he keeps teasing your cat, but not little Janie.)
One of the reasons the grandiose claims about cloud computing don’t sit well is that most people have an intuitive defensiveness about “what’s mine.” You want to know “what’s mine is mine, what’s yours is yours” and most of us don’t have megalomaniacal tendencies to claim what’s yours as mine. Nor frankly, do we generally care about “what’s yours” unless you happen to be a friend or there are commons that affect both of us (e.g., if three houses in the neighborhood get burgled, I’m more likely to join neighborhood watch since what affects my neighbor is likely to affect me, too).
I buy the idea of having someone else manage your applications because I learned at an early age you could pay people to do unpleasant things you don’t want to do for yourself. My mother reminded me of this only last weekend. When I was a 21-year-old ensign stationed in San Diego, my command had a uniform inspection in khakis. I did not like khakis and had not ever had to wear them (the particular shade of khaki the uniforms were made of at that time made everyone look as if he/she had malaria, and the material was a particularly yucky double knit). I was moaning and groaning about having to hem my khaki uniform skirt when my mother reminded me that the Navy Exchange had a tailor shop and they’d probably hem my skirt for a nominal fee (the best five dollars I ever spent, as it happens). If you don’t want to manage your applications (in business parlance, because it is not your “core competence”), you can pay someone else to do it for you. You’re not completely off the hook in that you have to substitute due diligence and contract management skills for hands-on IT skills, but this model works for a lot of people.
What I don’t buy is the idea that – for anything of value – grabbing storage or computing on the fly is a model anybody is going to want to use. A pharmaceutical company running clinical trials isn’t going to store their latest test results “somewhere, out there.” They aren’t necessarily going to rent computing power on the fly, either if the raw data itself is sensitive (how valuable would it be to a competitor to learn that new Killer Drug isn’t doing so well in clinical trials?) You want to know “what’s mine is mine, and is being protected to my verifiable satisfaction.” If it’s not terribly valuable – or, more precisely, if it is not something you mind sharing broadly - then the cloud is fine. A lot of people store their photographs on some web site somewhere which means a) if their hard drive is corrupted, they have a copy somewhere and b) it’s easier to share with lots of people – easier than emailing .JPG files around. I heard one presenter at RSA describe how his company crunched big numbers using “the power of the cloud” but he admitted that the data being crunched was already public data. So, the model that worked was “this is mine; I am happy to share,” or “this is already being shared, and is not really mine.”
Speaking of “what’s mine is mine,” I mentioned in my previous blog entry that I’d had the privilege of testifying in front of Congress in mid-March (the Homeland Security Subcommittee on Emerging Threats, Cybersecurity, Science and Technology). As I only had five minutes for my remarks, I wanted to make a few strong recommendations that I hoped would have an impact. The third of the three recommendations was that the US should invoke the Monroe Doctrine in cyberspace. (One of my co-panelists then started referring to this idea as the Davidson Doctrine, which I certainly cringe at using myself. James Monroe was the president who first invoked the doctrine that bears his name – he gets to have a major doohickey in foreign policy named after him since he was – well, The President. I am clearly not the president or even not a president, unless it is president of the Ketchum, Idaho Maunalua Fan Club.)
For those who have forgotten their history, the Monroe Doctrine – created in 1823 – was a basic enumeration that the United States had a declared sphere of influence in the Western Hemisphere, that further efforts by European governments to colonize or interfere with states in the Western Hemisphere would be viewed by the US as aggressive acts requiring US intervention. The Monroe Doctrine is one of the United States’ oldest foreign policy constructs, it has been invoked multiple times by multiple presidents (well into the 20th century), and has morphed to include other areas of intervention (the so-called Roosevelt Corollary).* In short, the Monroe Doctrine was a declared line in the sand: the United States’ way of saying “what’s mine is mine.”
My principle reason for recommending invocation of the Monroe Doctrine is that we already have foreign powers stealing intellectual property, invading our networks, probing our critical defense systems (and other critical infrastructure systems). Nobody wants to say it, but there is a war going on in cyberspace. Putting it differently, if a hostile foreign power bombed our power plants, would that be considered an act of war? If a group of (non-US) actors systemically denied us the use of critical systems by physically taking control of them, would that be considered an act of war? I am certainly not suggesting that the Monroe Doctrine should govern (if it is invoked in cyberspace) the entire doctrine of cyberwar. But it is the case that before great powers can develop doctrines of cyberwar, they need to declare what is important. “What’s mine is mine: stay out or face the consequences.”
Another incident from the RSA Conference brought this home to me. In the Q and A session after a panel I was on: a woman mentioned she had grown up during the Cold War, when it was obvious who the enemy was. Who, she asked, is the enemy now? My response was, “We aren’t actually allowed to have enemies now. Wanting to annihilate western civilization is a different, equally valid value system that needs to be respected in the interests of diversity.” This sarcastic remark went right over her head for no reason that I can fathom. It is, however, true, that a lot of people don’t want to use the term “enemy” anymore, in part because they don’t even want to acknowledge that we are at war. From what is already public knowledge, we can state honestly that we have numerous enemies attacking our interests in cyber space – from individual actors to criminal organizations to nation states – part of our problem is that because we have not developed a common understanding of what “cyber war” is, we are unable to map these enemies to appropriate responders in the same way we pair street crime up with local cops and attacks on military supply lines with the armed forces.
We need to at least begin to elucidate a larger cyberwar doctrine by declaring a sphere of influence and that messing with that will lead to retribution. Like the Monroe Doctrine, we do not need to publicly elucidate exact responses, but our planning must include specific exercises such as “if A did B, what would our likely response be, where ‘response’ could include signaling and other activities in the non-cyber world?” Nations and others do “signal” each other of intentions, which often allows others to gracefully avoid conflict escalation by reading the signals correctly and backing off.
Slight aside: there are parents more worried about their children’s self esteem than stopping their obnoxious behavior Right This Second. My mother had a great escalation protocol using signaling that I wish all the Gen-Xers, Gen-Yers and Millennials would adopt instead of “we want Johnny to feel good about being a rude brat.” Mom has not had to invoke this on the Davidson kids in several decades because she invoked it so well before we were 10:
Defcon 5 - (Child behaves himself or herself)
Defcon 4 - The “look” (narrowed eyes, direct eye contact, tense body language)
Defcon 3 - The hiss through clenched teeth
Defcon 2 - “Stop That Right This Minute Or We Are Leaving. I Mean It.”
Defcon 1 - The arm pinch and premise-vacating
This was, my siblings and I can attest to, a well-established escalation protocol with predictable “payoffs” at each level. As a result, we only rarely made it to Defcon 1 (and, in defense of my mother, I richly deserved it when we did).
So, below are some thoughts I wrote up as a later expansion on my remarks to the subcommittee. Invoking the Monroe Doctrine in cyberspace is, I believe, a useful construct for approaching how we think about cybersecurity as the critical national security interest I believe it is.
Applicability of the Monroe Doctrine to Cyberspace
1. The essential truth of invoking a Cyber Monroe Doctrine is that what we are seeing in cyberspace is no different from the kinds of real-world activities and threats our nation (and all nations) have been dealing with for years; we must stop thinking cyberspace falls outside of the existing system of how we currently deal with threats, aggressive acts and appropriate responses.
Referencing the Monroe Doctrine is meant to simplify the debate while highlighting its importance. The Monroe Doctrine became an organizing principle of US foreign policy. Through the concept of the Americas sphere of influence, it publicly identified an area of national interest for the US and clearly indicated a right to defend those interests without limiting the response. Today cyberspace requires such an organizing principle to assist in prioritization of US interest. While cyberspace by its name connotes virtual worlds, we should recall that cyberspace maps to places and physical assets we care about that are clearly within the US government's remit and interest.
Conceptually, how we manage the cyber threat should be no different than how we manage various real-world threats (from domestic crime to global terrorism and acts of aggression by hostile nation-states). Just as the Monroe Doctrine compelled the US government to prioritize intercontinental threats, a Cyber Monroe Doctrine also forces the US government to prioritize: simply put, some cyber-assets are more important than others and we should prioritize protection of them accordingly. We do not treat the robbery of a corner liquor store with the same response (or same responders) as we treat an attempt to release a dirty bomb into a population center, for example. With this approach, policy makers also benefit from existing legal systems and frameworks that ensure actions are appropriate and that protect our civil liberties.
Similarly, not all European incursions into the Western hemisphere have warranted a response under the Monroe Doctrine. For example in 1831, Argentina, which claimed sovereignty over the Falkland Islands, seized three American schooners in a dispute over fishing rights. The US reacted by sending the USS Lexington, whose captain, Silas Duncan, “seized property taken from the American ships, released the American seamen, spiked the fort’s cannon, captured a number of Argentine colonists, and posted a decree that anyone interfering with American fishing rights would be considered a pirate”(The Savage Wars of Peace, Max Boot, page 46).
The territorial dispute ended in 1833 when Great Britain sent a landing party of Royal Marines to seize the Falklands. In this instance the US specifically did not respond by invoking the Monroe Doctrine; the Falklands were deemed of insufficient importance to risk a crisis with London.
2. The initial and longstanding value of the Monroe Doctrine was that it sent a signal to foreign powers that the US had a territorial sphere of influence and that incursions would be met with a response. Precisely because we did not specify all possible responses in advance, the Monroe Doctrine proved very flexible (e.g., it was later modified to support other objectives).
It is understandable that the United States would have concerns about ensuring the safety of the 85% of US critical (cyber) infrastructure that is in private hands given that much of this critical infrastructure (if attacked or brought down) has a direct link to the economic well-being of the United States in addition to other damage that might result. That said, declaring a national security interest in such critical infrastructure should not mean militarizing all of it or placing it under military or other governmental control any more than the Monroe Doctrine led to colonization (“planting the flag”) or militarization (military occupation and/or permanent bases) of all of the Western hemisphere. Similarly, the US should not make a cyberspace “land grab” for the Western hemisphere, or even our domestic cyber-infrastructure.
A 21st century Cyber Monroe Doctrine would have the same primary value as the original Monroe Doctrine - a signal to others of our national interests and a readiness to action in defense of those interests. Importantly, any consideration of our cyber interests must be evaluated within the larger view of our national security concerns and our freedoms. For example, it is clear where the defacement of a government website ranks in comparison to a weapons of mass destruction (WMD) attack on a major city. All cyber-risks are not created equal nor should they have a precisely “equal” response.
Another reason to embrace a Cyber Monroe Doctrine (and the innate flexibility it engendered) is the fact that cyberspace represents a potentially “liquid battlefield.” Traditionally, wars have been fought for fixed territory whose battlefields did not dramatically expand overnight (e.g., the attack by Imperial Japan on Pearl Harbor did not overnight morph into an attack on San Francisco, Kansas City and New York City). By contrast, in cyberspace there is no “fixed” territory and thus the boundaries of what is attacked are fluid. For a hostile entity, almost any potential cybertarget is 20 microseconds away.
A Cyber Monroe Doctrine must also accommodate the fundamental architecture of the Internet. Since the value of the Internet is driven by network effects, policies that decrease the value of the Internet through (real or perceived) balkanization will harm all participants. While a Cyber Monroe Doctrine can identify specific critical cyber infrastructure of interest to the U.S., parts of the cyber infrastructure are critical to all global stakeholders. In short, even as the United States may have a cybersphere of influence, there are nonetheless cybercommons. This is all the more true as attacks or attackers move through or use the infrastructure of those cybercommons. Therefore, the US must find mechanisms to be inclusive rather than exclusive when it comes to stewardship and defense of our cybercommons.
3. Placing the critical assets we care about within a framework that maps to existing legal, policy and social structures/institutions is the shortest path to success.
For example, military bases are protected by the military, and a nation-state attack (physical or cyber) against a military base or military cyberassets should fit within a framework that can offer appropriate and proportionate responses (ranging from State Department harassment of the local embassy official, to application of kinetic force). Critical national assets (power plants, financial systems) require similar flexibility, but through engagement of the respective front-line institutions in a manner that permits escalation appropriate to the nature of the attack.
There are a number of challenges in applying a Cyber Monroe Doctrine. Below is a representative but by no means exhaustive list of them.
A deterrence strategy needs teeth in it to be credible. Merely telling attackers “we are drawing a line in the sand, step over it at your peril,” without being able to back it up with an actual and proportionate response is the equivalent of moving the line in the sand repeatedly in an attempt to appear fierce while actually doing nothing. (The Chinese would rightly call such posturers “paper tigers.”) Mere words without at least the possibility of a full range of supporting actions is no deterrent at all. A credible deterrent can be established through non-military options as well - for some a sharply worded public rebuke may change behavior as much as if we were sending in the Marines.
Because the Monroe Doctrine did not detail all potential responses to provocation in advance, the United States was able to respond as it saw fit to perceived infractions of the Monroe Doctrine on multiple occasions and over much of our history. The response was measured and flexible, but there was a response.
2. Invocation Scenarios
To bolster credibility, the “teeth” part of a cyber doctrine should include a potential escalation framework and some “for instances” in which a Cyber Monroe Doctrine would be invoked. This planning activity can take place in the think tank realm, the cyber exercise realm, or a combination thereof.
We know how to do this. Specifically, military strategists routinely look at possible future war scenarios. In fact, it is not possible to do adequate military planning by waiting for an incident and only then deciding if you have the right tools, war plans, and defense capabilities to meet it, if for no other reason than military training and procurement take years and not days to implement.
Similarly, “changing the battlefield” could be one supporting activity for a Cyber Monroe Doctrine. For example, it has been argued (by Michael Oren in Power, Faith and Fantasy: America in The Middle East 1776 to the Present) that the United States only developed a strong Navy (and the centralized government that enabled it) as a result of the wars of the Barbary pirates. Similarly, the fabric of our military may change and likely will change in support of a Cyber Monroe Doctrine and that could include not only fielding new “troops” – the Marines first made a name for themselves by invading Tripoli – but new technologies to support a changed mission. One would similarly expect that a Cyber Monroe Doctrine as a policy construct would be supported by specific planning exercises instead of “shoot from the hip” responses.
A complicating factor in cybersecurity is that an attack - especially if it involves infiltration/exfiltration and not a “frontal assault” (e.g., denial of service attack) - and the perpetrator of it may not be obvious. Thus two of the many challenges of cybersecurity are detecting attacks or breaches in the first place, and attributing them correctly in the second place. No one would want to initiate a response to a cyber attack if one cannot correctly target the adversary. In particular, highly reliable attribution is critical in cyberoffense, since the goal is to take out attackers or stop the attacks, not necessarily to create collateral damage by taking down systems being hijacked by attackers. Notwithstanding this challenge, “just enough attribution” may be sufficient for purposes of “shot over the bow warnings,” even if it would be insufficient for escalated forms of retaliation.
For example, in cybersecurity circles last year there were a number of discussions about the types of activities that occur when one takes electronic devices overseas (e.g., hard drives being imaged, cell phones being remotely turned on an used as listening devices) and the precautions that one should take to minimize risk. While specific countries were not singled out on one such draft document (outlining the risks and the potential mitigation of those risks), the discussion included whether such warnings should be released in advance of the Beijing Olympics. Some expressed a reluctance to issue such warnings because of the concern that it would cause China to “lose face.”
Ultimately, the concern was rendered moot since Joel Brenner, a national counterintelligence executive in the Bush Administration, otherwise made the topic public (http://blogs.computerworld.com/slurping_and_other_cyberspying_expected_at_olympics). It seems ludicrous in hindsight that the concern over making a government “feel bad” about activities that they were widely acknowledged to be doing should be greater than protecting people who did not know about those risks. (Do we warn people against walking through high crime areas at night, or are we worried that criminals might be offended if we did so?) Even when we choose to exercise diplomacy instead of countermeasures, diplomacy inevitably includes some element of “you are doing X, we’d prefer that you not do so,” if not an actual “cease and desist” signal.
The difficulty of proper attribution of non-state actors deserves specific attention because of the need for multi-stakeholder cooperation in order to identify and eliminate the threat. When an attacker resides in one location, uses resources distributed around the world, and targets a victim in yet another country, the authorities and individuals responsible for finding out who (or what) is behind the attack may only have portions of the information or resources needed to properly carry out their job. Taking a unilateral approach will at times be simply impossible, and may not offer the quickest path to success. However, working collaboratively with other governments and stakeholders not only builds our collective capacity to defend critical infrastructures around the world, but also ensures that our weakest links do not become havens for cyber criminals or terrorists.
While it can be at times harder in cyberspace to distinguish what kind of foe we face, a Cyber Monroe Doctrine will work best when we can clearly distinguish who is conducting an attack so that we can deliver the appropriate response. This is not an easy task, and will require new skill sets across the entire government to ensure cyber threats are properly categorized.
* The government of the Dominican Republic stopped payment on debts of more than $32 million to various nations, which caused President Theodore Roosevelt to invoke (and expand upon) the Monroe Doctrine to avoid having European powers come to the Western Hemisphere for the purpose of collecting debts. This expansion of the Monroe Doctrine became known as the Roosevelt Corollary
For More Information
Book of the Week
The Forgotten Man by Amity Shlaes
This is a fascinating economic history of the Depression and why Hoover’s and Roosevelt’s economic policies made the Depression worse – much worse. It’s worth reading for such gems as (quoting philosopher Wiliam Graham Sumner): "The type and formula of most schemes of philanthropy or humanitarianism is this: A and B put their heads together to decide what C shall be made to do for D. The radical vice of all these schemes, from a sociological point of view, is that C is not allowed a voice in the matter, and his position, character, and interests, as well as the ultimate effects on society through C's interests, are entirely overlooked. I call C the Forgotten Man." Roosevelt, of course, twisted this to make D the Forgotten Man. Very well written and a reminder of what disastrous government intervention in the economy looks like.
More Useful Hawaiian:
Na´u keia mea. Nou kēlā mea. (This is mine. That is yours.)
More on the Monroe Doctrine:
About William Graham Sumner: