
Monday, 27 June 2011

Thomas Wright Falsely Claims U.S. Double Standard In Cyber Warfare

Thomas Wright is the Executive Director of Studies at the Chicago Council on Global Affairs. His OpEd in the Financial Times today "America has double standards in fighting cyberwar" attempts to make the case that the U.S. is hypocritical in its approach to building an international consensus on cybersecurity.

While Wright's academic credentials are impressive, he loses a lot of credibility with his opening sentence which claims that the CIA website was hacked, and that it, plus the IMF and Citibank attacks have pushed us to the brink of "cyberwar". Frankly, anyone who thinks that a website that suffered a Denial of Service attack has been "hacked" has no business writing about cyber-anything let alone something as emotionally charged and least understood as "cyberwar".


He immediately moves on to misstate the White House position on optional responses to a cyber attack. There is no White House strategy that treats cyber attacks as acts of war. I encourage Mr. Wright to actually read the White House's International Strategy for Cyberspace (.pdf) rather than guessing what it contains. Here's a very brief summary taken from the report:
"International Strategy for Cyberspace", p. 12
Later, he refers to the well-publicized but non-supported theory that the Stuxnet worm was a U.S.-Israeli operation. Personally, I doubt that Mr. Wright has spent any time at all evaluating what is known and unknown about the Stuxnet worm, but I challenge him to present any evidence in support of that theory. He won't, of course, because there is none.

Thomas Wright has a Ph.D. in government from Georgetown University and lectures on National Security. He apparently is not a lawyer so I can forgive his liberal use of "act of war" which is a non-existent entity in the Law of Armed Conflict. But he's sufficiently educated where one of his professors at Georgetown, Cambridge or University College Dublin should have taught him some critical thinking skills. It doesn't take a Ph.D. to understand cybersecurity sufficiently to engage in discourse about the many difficult issues that need addressing. It does, however, require a commitment to spend some time understanding the facts first and making oneself familiar with the source material. Based solely upon reading Wright's OpEd, he doesn't know what a DoS attack is, he doesn't know what an act of war is, he doesn't understand the White House's strategy for cyberspace, and he assumes that the U.S. was behind Stuxnet without knowing why. This doesn't reflect well on Mr. Wright or the Chicago Council on Global Affairs that employs him. In fact, it goes contrary to the stated mission of the Chicago Council - to influence discourse. I'm assuming that the Council's board meant "responsible" discourse.

Sunday, 15 May 2011

The President's Cybersecurity Legislative Proposal Has No Teeth

On May 12, the White House announced its Cybersecurity Legislative Proposal to Capitol Hill via a blog post by Cybersecurity Coordinator Howard Schmidt. I reviewed the section on critical infrastructure on my flight back from DC after speaking on this topic at the Cyber Security Strategies Summit. Predictably it's all bark and no bite. To wit:

"If the Secretary determines, after conducting such a review, that the covered critical infrastructure is not sufficiently addressing the identified cybersecurity risks, the Secretary may:
(A) enter into discussions, or request another agency with sector-specific expertise to enter into discussions, with the owner or operator of the covered critical infrastructure on ways to improve the cybersecurity plan or the evaluation, which may include the provision of technical assistance;
(B) after discussions permitted in subparagraph (A), issue a public statement that the covered critical infrastructure is not sufficiently addressing the identified cybersecurity risks; and
(C) take such other action as may be determined appropriate by the Secretary;
except that the Secretary shall not, in enforcing the provisions of this Title, issue a shutdown order, require use of a particular measure, or impose fines, civil penalties, or monetary liabilities on the owner or operator of the covered critical infrastructure as a result of such review"
To put this in proper context, imagine that this proposal had to do with any other type of infrastructure: a bridge, an oil pipeline, your house. And let's say that the general contractor for that bridge project doesn't comply with the requirements. What happens then? He could get a stern talking-to (Section A); possibly get some publicity (Section B) which would probably land him a guest spot on Fox News as the little guy standing up to Big Brother's unreasonable demands that make it impossible for him to earn a living; or be subject to some other unidentified action (Section C).

Now here's what cannot happen to the builder of that bridge that you and thousands of others drive across twice a day:

  • He cannot have his project shut down for non-compliance. 
  • He cannot be fined for non-compliance. 
  • He cannot be held financially responsible if the bridge collapses and people are killed or injured. 
  • He cannot, essentially, be told what to do. 

This is clearly a ludicrous scenario for any type of physical infrastructure, which is precisely why builders get fined, sued, or arrested and prosecuted if they don't comply with the law. However, in the upside-down world of "cyber", it's par for the course even when we're speaking about critical infrastructure (telecommunications, energy, financial services, water, and transportation sectors).

Let's move from the example of a bridge to one of a power plant. In the real world, the government regulates the construction of every aspect of a nuclear power plant or a hydro-electric dam except one: the protection of its networks. That's neither rational, nor responsible. The federal government must find a way to bring cyberspace into its existing authorities because if something is truly "critical", compliance cannot be voluntary or somebody doesn't know what "critical" means.