Featured Article

Our Salt Risks Draining into Cyberspace

By John Reid, Principal at The Chertoff Group
Published in: Financial Times - June 22, 2011

The news was dominated on Wednesday by reports of the arrest of a suspected British teenage computer hacker, in connection with a range of security breaches including attacks on the website of the CIA and the UK’s Serious Organised Crime Agency. We can expect many more such events as our security agencies struggle to address the challenges of cyberspace.

In a matter of days we have seen a huge data theft from the International Monetary Fund, reports that the Pentagon is reclassifying cyberattacks as “acts of war”, and Liang Guanglie, China’s defence minister, saying his country and the US must work together to deal with the cyber “problem.” In Britain, there has been a flurry of announcements about cybersecurity, just as there has been in the US. William Hague, the UK foreign secretary, is hosting an international cyberconference in the autumn, and Nick Harvey, the defence minister, has announced a new cyberdefence group.

To the extent that these initiatives focus attention on the need for renewed effort on cybersecurity, they are to be welcomed. But they fail to answer an urgent question: How coherent are the doctrines that underpin strategies both of nation-states and other organisations?

Individual fixes will be scant defence against future crises. Rather, there needs to be a broader cyberdoctrine, linking the efforts and initiatives of industry, universities and government, as the only durable approach for effective cybersecurity.

Cyberspace cannot be controlled any more than the sea. Joseph Conrad said the seaman with an undue sense of security “becomes at once worth hardly half his salt”. I am afraid that when Mr Harvey says “existing international frameworks can be applied to cyberspace too”, I feel our salt draining away.

The limits of existing civil law in England were demonstrated recently by the furore over gossip on Twitter. Similarly, the United Nations Charter definition of “armed attack” is limited in cyberspace. We have no transnational law for cyberspace. Old frameworks and political structures will not be able to legislate by custom, treaty or domestic statute at the pace cyberthreats evolve.

Part of the problem lies in the hidebound conventions of the public sector. When I was Britain’s home secretary I found data systems for immigration and asylum 10 years out of date, and incapable of providing information on which coherent policy judgments could be based. At the Ministry of Defence, outdated procurement processes and contracts that were re-specified with every major technical advance caused perpetual delays.

The government urgently needs to recruit an elite cadre of innovators able to lead a workforce with a different, entrepreneurial ethos – including hackers – as solvers of puzzles. Rather than developing security measures in bunkers or silos, we should be bold and emulate the “small world clusters” that brought together the world’s best health laboratories to defeat the Sars epidemic in weeks, not years. The US now admits to a “human capital crisis in cybersecurity,” with estimates that up to 30,000 cybersecurity professionals are needed against the 1,000 it has. The answer could lie in online self-managing collaborative ventures of the kind that created the free open-source pc operating system, Linux. That is the future of cybersecurity, open networks collaborating against mutual threats.

Critically, innovation must not fall victim to budget constraints in the current climate of austerity. The US chairman of the joint chiefs of staff has described the economic crisis and recession as the greatest challenge to national security. In the US, cybersecurity co-ordinator Howard Schmidt forms strategic links with economic policy through the office of management and budget in the White House. The UK National Security Council appears to distance itself from economic matters, regardless of the security risks in a sluggish recovery. Britain needs to learn from the US and ask whether enough cyberspending is allocated to education, research and development. Strategies have to evolve fast. It is not yet too late.

The writer is a former British cabinet minister and co-author of ‘Cyber Doctrine’ published later this month