Dr. Richard Andres, Professor of National Security Strategy at the National War College, sat down with the Georgetown Journal of International Affairs to discuss cyber security. The opinions expressed in this conversation do not represent official positions of National Defense University or the Department of Defense. GJIA: We hear a lot about the term “cyber Pearl Harbor.” What do you think of this phrase, and do you think it is a useful way to view the cyber threat today?
RA: It is not very well defined. I can easily come up with a number of different cyber events that might fit the definition of a “cyber Pearl Harbor.” A full-scale attack on the electric grid by a nation state might do it. A massive terrorist attack on critical infrastructure, perhaps on the banking system, would qualify. There are a number of things that could fit into that category. None of them are very easy to pull off. But some of them are plausible and could be done by a dedicated, sophisticated and well-resourced opponent.
GJIA: The media recently reported that a Russian teenager was the author of the malware used in the cyber attacks against Target and Neiman Marcus, which compromised the personal information of tens of millions of customers. Do you think the U.S. government can play a role in preventing individuals from engaging in similar acts?
RA: Yes, obviously the government can create regulations that force companies to spend more on security precautions. Better yet, it can create legislation that makes companies liable for damage done to their customers by hackers. The reason legislation is necessary is that the economic incentives are not there to provide good security for customers. When a customer’s information is stolen, it does not necessary cost the company that lost that information much or any money, but it can cost the customer, the average citizen, highly. This is the type of situation where it is helpful to have government regulation enforce some standards to protect the public against criminals, hackers, and people who could damage their credit ratings. This is an even bigger issue when applied to privately owned providers of critical infrastructure, such as electric companies. Electric companies are aware that their Supervisory Control and Data Acquisition (SCADA) systems have been compromised by malware designed to take them offline, but are, for the most part, unwilling to spend the money to defend themselves and their customers.
GJIA: How would you describe the Russian cyber threat to the United States today? How is it different from cyber threats posed by other countries?
RA: Russia is the most sophisticated and powerful cyber state next to the United States. It is pretty much a peer of ours in terms of capability. It is aggressive in terms of using cyber technology against its opponents. For instance, quite a few energy companies around the world have noted that the Russians have put malware on the SCADA systems that control their critical infrastructure. The Chinese do this as well, but the Russians are much, much better at it. If you are looking for a country that has capabilities, Russia is clearly the biggest cyber threat. The Chinese are much, much more visibly active, and they do not seem to care if they get caught; we catch them more than nine times as often as we catch the Russians. But the Chinese just are not nearly as good as the Russians at any of this.
GJIA: Why do you think the Chinese do not care about being caught?
RA: I think they are getting a lot out of it. They are taking an enormous amount of intellectual property and making hundreds of billions of dollars from it. There does not seem to be any downside, because no one in government in the United States is willing to sanction them for it. For them, it is pure profit, and there is no reason to worry about it. They do not seem to be able to do anything that is bad enough to elicit a response from the United States.
GJIA: As a professor of cyber security, what do you think are the most important topics in the field today?
RA: The most important topic in the United States right now is the question of how much power we should give the government to look at U.S. citizens. The National Security Agency debate right now is by far the most important thing going on in the cyber field. Behind that is another issue, which is that other countries are very aggressively looking at American citizens. If we disempower the National Security Agency and the U.S. government to look at U.S. citizens in a legal, court-ordered manner, all we are doing is opening a door for other countries to do the same thing even more than they are already. It is not a simple question, but it gets right at the roots of our Constitution and who we are as a nation. And there are no simple answers.
Richard Andres is Professor of National Security Strategy at the National War College and Energy and Environment Security Policy Chair at the Institute for National Strategic Studies.
Dr. Andres was interviewed by Eirene Busa on 29 January 2014 in Washington, D.C.