Pre-CSIS

The Center for Strategic and International Studies has provided a list of five readings that would better prepare us for our three day trip to D.C.  One has a comprehensive overview of CSIS and its programs, through a forecast that attempts to predict what will drive the future.  Two others are James Lewis discussing the importance of cyber-security.  The last two documents review the current United States cyberspace policy and the Department of Defense strategy in cyberspace.  While I had an active interest in cyber-space prior to reading these articles, I did not realize the scope of the problem or understand the United States’ position on it.

James Lewis has written numerous articles on how government should adjust to technological innovation.  Prior to joining CSIS, he had worked as a Foreign Service officer and as a member of the Senior Executive Service.  In his speech Rethinking Cybersecurity he remarks that cyber threats are not solely determined by how sophisticated our defense is.  Even if we had better technology, more sophisticated threats would evolve to threaten that technology.  Our largest risk comes from the outdated discussion on cybersecurity and the policy that has emerged from it.  He goes on to detail the source of threats that have emerged from cyberspace.  Cyber terrorism is considered a future problem that does not pose an immediate threat.  Military and intelligence services pose the largest threat and, along with that, state sponsored espionage.

In Lewis’ policy recommendations, his first step is to make internet service providers responsible for protecting its customers.  This is an interesting objective.  Almost every form of online censorship demonstrated by foreign governments dealt with the internet service providers.  When Egypt blacked out internet communication, they contacted their five providers and ordered them to redirect information.  When articles discussed whether this type of censorship was possible in the United States, most determined that it very improbable due to the vast number of companies the government would have to censor.  While internet traffic in the U.S. does have bottlenecks, they don’t reside with the internet service providers.  There are thousands of providers in the U.S. and it seems like a huge undertaking that would cause a lot of fear.  I’m sure if internet service providers began notifying people that they had a virus, it would largely give off a “big brother” vibe.  While I agree that service providers must bear some responsibility for security, implementing such a program seems costly and would face a lot of opposition.

Source: xkcd.com

 

Lewis goes on to describe a few more necessary policy changes.   Recommending active defense was one that stood out to me.  It’s not discussed very often, mostly due to the secrecy of the tradecraft.  The U.S. is currently allowed to actively monitor foreign networks to better prevent malicious attacks.  Active network monitoring carries a lot of ethical concerns with it, especially if it is done domestically.  While we actively monitor other forms of communication, it’s all foreign collection unless especially approved (to my understanding).  I was surprised to find out that Tier One service providers monitor the traffic that flows over their networks.  I hope to find out, when I have more time, what actual monitoring occurs.  I believe that a government partnership with these efforts would result in huge security improvements.  How to implement such a program is a sensitive conversation, which would need to involve the privacy concerns associated with domestic data monitoring.