How the U.S Can Avoid a ‘Cyber Cold War’

NATIONAL HARBOR, Md. — As U.S. diplomats seek to elevate issues such as Internet freedom and cybersecurity in their talks with foreign counterparts, they have a tough balance to strike.

While State Department officials say that online censorship, surveillance and other Internet-related human rights concerns are a mainstay on their diplomatic agenda when dealing with repressive regimes, there is a fine line to walk between asserting core values such as freedom of speech and religion without sacrificing progress on a number of other cyber issues where common ground is easier to find, according to Howard Schmidt, who recently stepped down as White House cybersecurity coordinator.

Speaking at Gartner’s annual security and risk management summit, Schmidt warned against allowing the perfect to be the enemy of the good in cybersecurity talks with foreign nations, “because people just fundamentally don’t agree.”

“Things that we fundamentally believe in,” Schmidt said, “other countries say, ‘Well, not so fast. That undermines our society.’ And while we disagree, and we disagree vehemently about some of those things, we still don’t want to focus our energy and time on the things we don’t agree on. Let’s look for the things we can agree on internationally.”

That becomes especially important in talks with major powers such as Russia and China, which have checkered histories of using the Internet to squelch opposition, but with whom the United States maintains important, if fragile, strategic and economic relationships.

Slideshow: Quiz: Separate Cyber Security Fact From Fiction

In his time at the White House, Schmidt said that he worked hard to improve relations with Russia, seeking to engender a level of transparency and mutual confidence that could lower the risk of a potentially disastrous cyberattack.

“We don’t want to wind up in sort of a cyber Cold War,” he said. “If we’re not talking, there’s always a lot of room for worse things to take place.”

At the top of that list of concerns is the prospect of a major attack that could disrupt a large swath of critical infrastructure, such as electricity grids, water systems or telecommunications networks.

While the Cold War watchwords “mutually assured destruction” are an imperfect analogy — a cyber assault on critical infrastructure hardly carries the same threat to human life as a nuclear attack — Schmidt is concerned that a similar dynamic of escalating attacks and counterattacks could take hold in the cyber realm.

“Many of us for years have been worried about the mutually assured disruption. Forget about the destruction,” he said.

Global Cybersecurity Strategy

Navigating cybersecurity issues on a global scale is a formidable task, and the U.S. government has been incrementally advancing its set of policies since the Clinton administration. For all the novelties of the Internet age, the encouraging news is that many of the issues in play such as human rights and protocols for self-defense are already codified in international laws and conventions. In addition, more than two dozen nations have ratified the Budapest Convention on Cybercrime, which took effect in 2004.

So U.S. negotiators are not starting from scratch, and Schmidt suggested that questions of sovereignty, location and ownership in the context of cyberattacks can generally be addressed under existing codes of conduct. However, that doesn’t make it easy.

“A lot of these things already exist, but yet we find ourselves on this squirrel wheel of trying to reinvent things,” he said. “By the same token, we have to recognize that none of us will ever be 100 percent secure.”

Schmidt also pointed out that U.S. government entities and businesses are facing an increasingly sophisticated and diverse set of adversaries, and the origins of today’s cyberattacks are often difficult to discern.

“When you start looking at ‘where’s the threat coming from’, that’s another challenge. Attribution is extremely difficult. We know that some of it involves nation states,” he said. “Some of them involve individuals and organizations that are supported by a nation state.”

Still other attacks emanate from so-called “hacktivists,” like the collective Anonymous, who are protesting a social or political issue, and then there is a whole range of identity thieves, fraudsters and other bad actors who give the cybercrime spectrum near infinite nuance.

Domestic Cybersecurity Strategy

On the domestic front, Schmidt put in an appeal for Congress to pass cybersecurity legislation that would strengthen penalties for cybercrimes and beef up cybersecurity education programs. Additionally, he threw his support behind one of the more controversial aspects of the various proposals that have been floated, which would empower an entity in the executive branch with some level of regulatory authority over private-sector providers of critical digital infrastructure.

One such bill is awaiting consideration before the Senate. Recently, Majority Leader Harry Reid (D-Nev.) praised the legislation and appealed to GOP members to engage in good-faith talks either to improve the measure or advance alternative proposals.

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.

Follow everything from CIO.com on Twitter @CIOonline, on Facebook, and on Google +.