The University of UtahU of U Campus Organization

Last week, Senators Sheldon Whitehouse (D-RI) and Jon Kyl (R-AZ) introduced the Cyber Security Awareness Act of 2011(S.813). Senator Whitehouse explained the need for the bill:

“[W]e as a nation remain woefully unaware of the risks that cyber attacks pose to our economy, our national security, and our privacy. This problem is caused in large part by the fact that cyber threat information ordinarily is classified when it is gathered by the government or held as proprietary when collected by a company that has been attacked. As a result, Americans do not have an appropriate sense of the threats that they face as individual Internet users, the damage inflicted on our businesses and the jobs they create, or the scale of the attacks undertaken by foreign agents against American interests.”

To remedy this problem, the proposed legislation would require the Department of Homeland Security and the Department of Defense each to submit annual reports to Congress providing statistics about the number of cyberattacks against computers in the .gov and .mil domains, as well as the estimated costs of those attacks. The legislation also calls for annual reports from the Department of Justice and FBI about the numbers of cybercrime investigations, prosecutions, and convictions. Finally, it calls for reports on cyber vulnerabilities and proposed responses from regulators of critical infrastructure, as well as the financial industry.

I have written extensively in the past about the poor quality of public policy discourse on the issue of cybersecurity in the United States. Three issues in particular have been of concern: 1) the lack of clear definitions of key terms and problems, 2) the inconsistent use and quality of evidence backing claims of serious cyber threats, and 3) the lack of transparency by both government and industry. Thus, while I appreciate the Senators’ attempts to address the transparency issue, I am not convinced that greater transparency is truly achievable without addressing the first two concerns, which are not addressed by the proposed legislation.

First, key terms will remain undefined. The bill calls for reports to Congress from DHS and DOD about cyber “intrusions,” “breaches,” “incidents,” and “sabotage.” But it is not entirely clear what those terms (and others) actually mean. Each reporting agency could define them in a different way, making it difficult to compare results across reports and agencies. This will make it difficult to get the kind of overarching view of cybersecurity threats that the Senators claim (correctly) is badly needed.

Second, the annual timeframe of the reporting requirement will exacerbate this problem. Most reports will only be made to Congress once per year. But in the arena of quickly evolving cyber threats, this time scale is too long. While yearly or quarterly summary reports should be required, more frequent, near real-time reporting that is available on the Web should also be required.

Third, Web availability of reporting raises the question of to what degree the reports mandated by this legislation actually serve to increase public awareness. All mandated reports will be to Congress and not directly to the public. If the goal is “public awareness,” then there should be some mechanism for getting this information directly to the public in a form that is understandable and useful. In short, if the concern is public awareness of fast-moving cyber threats at a time when “open government” is supposed to be a priority, annual written reports directly to Congress with no public-facing Web component are inadequate.

Fourth, the work of generating reports meant to raise public awareness is set to occur before or co-occurent with efforts to assess “impediments to public awareness” (sec. 10). This raises two problems. One is that there is no mechanism in the legislation for the results of that assessment to shape future public awareness campaigns. The other is that there is no mandate to assess what the public currently does and does not know about cybersecurity. Ideally, current public awareness should be assessed first and then a plan created for overcoming impediments and addressing gaps in awareness. At minimum, there should be a mechanism by which reporting requirements can be changed based on the results of an assessment of public awareness and related impediments.

Fifth, in each case, reporting requirements include the option of submitting “a classified annex as necessary to protect sources, methods, proprietary or sensitive business information, and national security.” While it is understandable that some information must remain classified, it is not clear how this legislation will guard against the well-known tendency towards over-classification, which is a key cause of poor public awareness of cyber threats in the first place.

Finally, another contributor to poor public awareness (and, hence, poor public discourse on cybersecurity) is the way in which evidence is deployed (or not) in support of claims made about cyber threats and vulnerabilities. There are too many claims made that are insufficiently supported with adequate evidence (see my previous posts linked above). The proposed legislation does nothing to address that problem. For example, it asks for “estimated costs for remedying the breaches” from both DHS and DOD. But how will Congress and the public be certain about the accuracy of these estimates or the data and methods used to calculate them? Add in the lack of agreed definitions and there is a very real possibility that instead of meaningfully increasing public awareness, these reports will merely serve as one more vehicle for reporting agencies to pad their own budget requests.

In conclusion, while the spirit of the Senators’ legislation is to be applauded, it is not clear that it will actually solve the problem it seeks to address. What’s more, if problems of definition, over-classification, and questionable use of evidence are not adequately addressed, the legislation could actually serve to further undermine public awareness instead of improving it.

The Egyptian government’s recent cutting of all Internet traffic in and out of the country in response to ongoing protests calling for the resignation of President Hosni Mubarak has garnered a great deal of international attention and condemnation. One result has been a renewed debate in the United States about the possibility of creating a so-called Internet “kill switch.”

The kill switch is associated with S.3480, The Protecting Cyberspace as a National Asset Act [PDF], which is co-sponsored by Senator Joseph Lieberman (I-CT), Senator Susan Collins (R-ME), and Senator Tom Carper (D-DE). The bill, which was first introduced in June 2010, has come under fire for supposedly giving the President the ability to do what Egypt did last week–i.e. cut off the nation’s connection to the rest of the Internet during a time of crisis. But does it really? It’s hard to say. And therein lies the problem.

In a statement released this week, Senators Lieberman, Collins, and Carper explain

The steps the Mubarak government took last week to shut down Internet communications in Egypt were, and are, totally wrong. His actions were clearly designed to limit internal criticisms of his government. Our cybersecurity legislation is intended to protect the U.S. from external cyber attacks. Yet, some have suggested that our legislation would empower the President to deny U.S. citizens access to the Internet. Nothing could be further from the truth.

We would never sign on to legislation that authorized the President, or anyone else, to shut down the Internet. Emergency or no, the exercise of such broad authority would be an affront to our Constitution.

The remainder of their press release provides more detail about how their proposed legislation, in its current form, would not allow the President to do what Mubarak did in Egypt. They end by saying that they “will ensure that any legislation that moves in this Congress contains explicit language prohibiting the President from doing what President Mubarak did.”

On the surface, this all sounds very reassuring. But when confronted with similar concerns about the granting of “kill switch” authority to the President in S.3480, Senator Lieberman’s description of the powers that his legislation would grant the President sounds very much like what we have witnessed in Egypt. In an interview with Senator Lieberman on June 20, 2010, CNN’s Candy Crowley said,

First of all, you have an Internet bill, it has been called the “kill switch bill” that would allow the president to seize control or shut down portions of the Internet if the U.S. was under some sort of cyber attack. […] [T]here are a lot of people out there who think that what you are granting the president is absolute power to shut down freedom of speech.

Senator Lieberman responded by saying, “No way, and total misinformation.” But then he went on to clarify, saying

We need the capacity for the president to say, Internet service provider, we’ve got to disconnect the American Internet from all traffic coming in from another foreign country… Right now, China, the government, can disconnect parts of its Internet in a case of war. We need to have that here, too.

Disconnecting the American Internet sounds very much like what we have just seen in Egypt. Senator Lieberman’s comments could be read as indicating that he is not talking about a total shutdown of the Internet, only the blocking of traffic from select foreign countries. But it is not entirely clear.

Invoking China, a government known to engage in filtering and censoring of the Internet on a massive scale, to justify his argument has only added to the controversy. Only months earlier, Secretary of State Hilary Clinton had criticized China for its restrictions on Internet freedom.

This week’s response by Senators Lieberman, Collins, and Carper only seems to add to the confusion over what powers over the Internet they intend for their bill to give the President.

Finally, the Bureau of Reclamation has recently fired back, claiming that one of the main cyber-doom scenarios being used by promoters of S.3480–i.e. that hackers could open the floodgates on the Hoover Dam, killing thousands–is impossible.

So is there an “Internet kill switch” buried in the Lieberman, Collins, Carper cybersecurity bill? It is still not entirely clear. The seeming contradictions in the statements made by the sponsors of the bill can cause one to question the veracity of those statements, whether the sponsors themselves really understand what powers their bill would grant the President, or both. Add in the fact that Senator Lieberman has identified China as a model for U.S. cybersecurity policy on top of using dubious cyber-doom scenarios to encourage support for their bill, and one wonders if Senators Lieberman, Collins, and Carper can be relied upon to deliver meaningful cybersecurity legislation that balances protection of critical infrastructures and the protection of Americans’ own Internet freedoms.

Sean Lawson

Whether or not those claiming that cyberwar poses a serious threat to U.S. national security are providing sufficient evidence to back their claims has been a bone of contention in public discourse about cybersecurity. As part of our effort to document and analyze shifts in U.S. cybersecurity discourse, we are coding the Cyberwar Discourse Event (CDE) documents that we collect for the types of evidence that are deployed in support of the claims being made. Additionally, we are categorizing those documents by the type of individuals and institutions created them.

For example, evidence codes include “expert,” “quantitative,” “simulation or war game,” “historical events & analogies,” and “hypothetical scenarios, thought experiments.” Example institution categories include “government docs,” “op-eds” (written by influential policy makers, military leaders, etc.), “industry reports,” “bill” (e.g. legislation), and “think-tank report.”

Part of what we hope to accomplish in this project is to detect patterns in the overall U.S. cybersecurity discourse that may have gone unnoticed. We also hope to uncover how the discourse has changed over time. It seems that even some admittedly very preliminary analysis and visualization has uncovered an interesting pattern related to the use of evidence by various types of institutional actors.

Dr. Lauro Lins, a Postdoctoral Research Associate in the University of Utah’s Scientific Computing and Imaging Institute, created a visualization using preliminary data gathered from only about 20 of the roughly 80 CDE documents that we have collected and coded thus far. While much of the graph does not show much that is interesting, a clear pattern emerges in the area of evidence (bottom right of the graph).

What we can see is that certain types of institutional publications tend to rely more on certain types of evidence than others. Text segments are clustered around the types of evidence with which they were coded as we read through each of the CDEs. They are color coded based on the type of institutional publication from which they were extracted.

We can see that industry reports like those issued by companies such as McAfee or Symantec have tended to make more use of quantitative forms of evidence. Op-eds written by policy makers, military leaders, or other influential voices in the cybersecurity debate have tended to rely more upon references to historical events (e.g. references to prior cyberattacks like Estonia or Georgia) or historical analogies (e.g. the seemingly ever-present analogies to Cold War nuclear deterrence). Finally, the think-tank reports analyzed at the time of this visualization tended to make more use of hypothetical scenarios and thought experiments when making the claim for a serious cybersecurity threat.

Again, this analysis is very preliminary and is based on the coding of only about a fourth of the documents that have been collected and coded to this point. Thus, we will be interested to see if this pattern holds up when the rest of the data is included. Nonetheless, there are a couple of important points that can be made even at this point:

  1. Though many (including myself) have felt that the current cybersecurity discourse is lacking in its reliance upon evidence, it is clear that this is not entirely the case. Many of those statements that can legitimately be considered representative of the ongoing debate, or which have the potential to influence and shape that debate, do deploy some kind of evidence to support their claims.
  2. The issue over whether or not enough evidence is being provided may stem from a tendency for different groups to favor different kinds of evidence. As such, it could be the case that when members of one group listen to the arguments of another group that favors and deploys a different kind of evidence, the first group may not recognize that evidence is being provided at all.

As someone who has studied the history and sociology of the natural sciences, this is not surprising. Even in the sciences, we see that different disciplines can have radically different notions of what counts as “evidence.” It seems reasonable that the same phenomenon would be at work in such a diverse area as cybersecurity, where not only scientific and technical experts from various disciplinary backgrounds are interacting with one another, but where social scientists, humanities scholars, policy analysts, military professionals, and policy makers are also thrown into the mix.

In a piece that I wrote for The Firewall blog at Forbes.com back in October, I addressed the issue of who gets to have a voice in public debates about highly technical policy matters such as cybersecurity. I argued that

“No one person or group of people will have all the knowledge necessary to ‘know if government is screwing up’. Rather, multiple people with multiple skill sets and areas of expertise, all looking at the same problems from their various perspectives, will give us an idea about the wisdom of government decision making on cybersecurity (or any policy, for that matter).”

I still believe that to be true. But one lesson that might be emerging from the preliminary results presented here is that for such a diverse group of people to have an effective discussion about such an important and complex issue of like cybersecurity, the parties to that discussion must 1) recognize that those from different disciplinary and institutional backgrounds will likely deploy different kinds of evidence in support of their claims and 2) recognize both the strengths and limitations of the various types of evidence being deployed.

Robert W. Gehl

Drinking from a firehose. An overused metaphor, but it’s a pretty good way to describe the goals of this project. Project CyW-D (The Cyberwar Discourse Project) is funded by a grant from the College of Humanities at the University of Utah, and our mission is to track the shifting flows of discourse, debate, and rhetoric about cyber war.

This is a growing area of emphasis for politicians, military officials, businesses, infrastructure planners, and civil liberties advocates. Major American policies, including the Obama Administration’s proposal for Trusted Identities in Cyberspace and cybersecurity legislation pending in Congress, as well as international policies like ACTA and the State Department’s emphasis on “Internet Freedoms,” are all being influenced by contentious discussions of the threats – and hype – of cyber war. The distributed denial of service (DDOS) attacks against and on the behalf of Wikileaks have only heightened awareness of cyberspace as a battle ground. And of course, the continuing mystery and speculation surrounding the Stuxnet virus has made cyber war front page news. It seems every day has a news story trumpeting the coming cyber war as if this is a new, frightening, and inevitable outcome of our increasing use of the Internet.

However, this repeated and dominant cybersecurity discourse is not without its critics. Some observers contend that all of this talk of “cyber-warfare” simply involves threat inflation that has little to do with substantive domestic or international security issues. Various think tanks, corporate security firms, and business leaders who trumpet the problem of cyber attacks are portrayed as self-interested parties or ideologues who promote unrealistic portrayals of the power of hackers or other purveyors of “asymmetric warfare.” As Stephen Walt observed, even when very serious and “level-headed people” write about cyber attack incidents they often have a hard time actually documenting “how much valuable information was stolen or how much actual damage was done.” Tim Stevens has similarly worried that when “it comes to parsing and understanding the politics of cybersecurity,” there is a need for some oversight “over a system that is currently failing to curb the discursive excesses of powerful interests within government and industry.”

As academics, it is our goal to carefully interrogate this debate, mapping its flows over several matrices. First, we want to historicize the debate. How has it shifted over time? How have the alleged methods of cyber war changed? What is being threatened today, and is this different from past threats? And how have civil, business, and military policies changed in response to these alleged threats? This temporal matrix is extremely important: threats to and from cyber space have existed for as long as there have been computer networks (though most news reports tend to present cyber war and its cognates as something Brand New). Based on our initial research into government documents, op-eds, think-tank reports, and sundry blog posts, we believe that cyber war discourse has mutated significantly and even abruptly over the past several years, with potentially dire consequences for anyone who forgets this history.

Secondly, we want to map the network of actors involved in the debate. Who are they? What are they saying? What credentials do they claim? And very importantly, how might they stand to benefit from changes in cyber security policy? We believe that the political economy of cyber security – ie, the flows of immense wealth and power that are at stake due to the importance of communications networks – is a key area to consider, and we want to publish information about all actors involved.

Methodology

So how can we achieve this? This is where we must drink from the firehose. To do so, we developed a workflow using multiple software packages to track – as far as is possible – the real-time changes to cyber war discourse:

A flowchart that displays our method

Our workflow

Our method is as follows:

  1. We first have established persistent Google alerts (such as “cyberwar,” “cybersecurity,” and “hacktivism”) and subscribed to multiple RSS feeds of scholars and experts specializing in cyber security. This is our first mode of extracting useful information from all the online noise.
  2. This all flows into Google Reader, where we review all of the data in search of what we’re calling Cyberwar Discourse Events (CDEs). CDEs are those government, military, and news documents that are highly cited in the media and which are either reflective of or have the power to shape the overall public discourse about cyber war. Usually they are written by high-ranking politicians, respected think-tanks, and military officials. A recent example is a report from the UN-OECD [PDF].
  3. Next, we collect the CDEs in a spreadsheet and in the bibliographic program Zotero.
  4. We then load them into a qualitative analysis program, MaxQDA.
  5. We review the documents and tag them with a set of codes we have developed for this project. For example, we search for “Threat objects” (that which is being threatened), “Threat subjects” (who is threatening an attack), “Response” (how the military et al would handle an attack), and “Evidence.” These are not all of our tags; there are more, and many more sub-tags.
  6. In addition, we watch for notable individuals and organizations involved in shaping public discourse about cyberwar. Over the coming months, we will begin “seeding” a wiki with profiles that provide basic information about each of these individuals and organizations, as well as their interconnections.
  7. Finally, we have a public-facing element, part of which you’re seeing here on this blog. Our intention is to produce periodic “Change Reports” that outline how the debate has shifted over time. We also intend to produce visualized data such as timelines and other charts.

So far, we have gathered and analyzed nearly 80 CDEs, dating back to early 2009. Watch this blog in the coming months for analyses of cyber war discourse. We are already uncovering intriguing patterns and we want to share them with fellow researchers, journalists, policy makers, and civil liberties organizations. And, one major advantage of our method is that much of the data we gather can be followed with RSS feeds. We hope this leads to collaboration with anyone interested in this important debate.