The National Committee on American Foreign Policy hosted a discussion featuring David Mussington (Director of the Center for Public Policy and Private Enterprise, at University of Maryland), Michael Sulmayer (Director of the Cyber Security Project at the Belfer Center for Science and International Affairs at Harvard U.), Andrew Futter (Associate Professor of International Politics at the University of Leicester, focusing on emerging strategic technologies and global nuclear order), and Rafal Rohozinski (CEO, The SecDev Group).
Much of the discussion was focused on figuring out the extent to which cyber and nuclear issues interact. Part of the problem is that to a large extent they do not, and the specialists in these areas do not understand each other's disciplines, nor do they interact with each other. That said, cyber and nuclear are also not necessarily automatically similar or connected on every level. Another issue muddling the general discussion is that cyber threats greatly vary among themselves, and one of the easiest ways to get to nuclear technologies is through social engineering which facilitates implementation of cyber threats - or may have nothing to do with cyber at all. One of the conflicts with respect to any technology, whether it's cyber, or nuclear is tension between functionality and security. If something is upgraded to a digital version, it may be faster and better, but is also hackable.
With nuclear technology, there is the additional tension of having them ready to be used at a moment's notice, while also being kept safe from both unauthorized access of any kind and incidental deployment. Nuclear modernization digitized much of its function, but also made it less secure. And of course, the access by humans, and errors in judgment remains a factor. Additionally, there is the problem of the full spectrum missile defense capabilities, which would utilize cyber functions, but may also have nuclear components. That makes them more effective, but have more ways in which they can be sabotaged.
Other issues of concern are the lack of civilian oversight over devices, the fact that the government security is only as strong as its weakest link, and the weakest link - civilian devices, such as PCs and cell phones - are pervasive. Additionally, there is a tension between whether vulnerability to cyberattacks is largely an individual and domestic problem or something greater. The argument that it's not limited to educating the society on how to be more aware is that much of the contemporary technology is comprised of internationally made hardware and software, and there are backdoors built into cell phones and so forth, so being simply on guard is not enough.
Added to the complication is the fact that large corporations such as Equifax are not held accountable for poor internal habits, and as a result the regular people suffer and pay the price. The Silicon Valley has a culture of resistance to getting involved in politics, and additionally of being strongly opposed to government oversight, to the point that Facebook was denying any manipulation of data by the Russians, up until the point where it could not engage in any more denials. The strategy may be shifting in Congress to impose greater demands of tech companies and social media companies into taking action to safeguard themselves from external interference.
The one issue that was not mentioned is the impact of data compartmentalization, including the effect of eroding barriers on nuclear susceptibility to attacks. At issue is to what extent can an attack on an unrelated industry or device affect digital functions of nuclear technology, and to what extent is it even functionally possible to keep various types of information separate enough that the damages from serious cyberattacks can be mitigated. In the national security arena, the erasure of compartmentalization as a best practice has had a noticeably negative effect in a variety of areas, but some issues may be just as due to the simple inability to keep track of the vast quantities of data being collected or utilized as to poor agency culture.
No comments:
Post a Comment