recommended reading

One If By Land, Two If By Sea, 10101101 If By Cyberspace


Until very recently, America’s battles have all been waged somewhere in physical space—on land, in the air, on water or in outer space. Many of these domains come along with inherent features that make life harder or easier in battle. History tells us, for example, that defenders generally have an easier time on mountains or hills with a view. Underwater, sound waves travel easily, so countries with the quietest submarines are more effective. And, in space, gravity sets boundaries on where you can go and when. To overcome these obstacles takes human ingenuity, but also a healthy respect for these environmental limits.

Americans are quickly learning now about a fifth domain: cyberspace. In some ways, this battlespace is the same as the others. It’s an arena where countries are competing with one another for political or economic advantage. But it’s also different in some fundamental ways. And how the world decides to use this space will go a long way toward determining how disruptive—or destructive—war in this domain will become. Michael Hayden, the former CIA director under President George W. Bush, believes the United States has a lead role to play in setting up man-made institutions to shape state behavior.

Unlike air, sea or land, Hayden told an audience at George Washington University Tuesday, cyberspace “is almost defenseless. There are no natural barriers up here in this domain.”

There are a few ways to solve this problem. One is to make some cyber activities prohibitively costly. The United States could, for instance, link cyber espionage attempts such as the kind China has allegedly committed with other issues in the U.S.-China relationship. As a start, lawmakers such as California’s Sen. Dianne Feinstein have complained directly to Chinese officials. But since Beijing doesn’t officially acknowledge its hacking activities, the United States might need to get more aggressive. Threatening to restrict the number of visas Washington gives out to Chinese nationals could be one way to deter further hacking, Hayden said.

A more significant step would be for Americans to decide how they want to be protected in cyberspace. It’s a more complicated problem than today’s debates over information-sharing and privacy currently capture.

Think about all the public services you use, directly or indirectly. There are rules governing each. When the cops come knocking, they need a warrant to search your house—but firefighters don’t generally need to ask to save your home. In other words, there isn’t just one best way to protect public safety online.

“Do you want it to be the way the military defends you?” asked Hayden. “The way law enforcement defends you? The way firemen defend you? The way the Centers for Disease Control defends you? Those are all models, they are all legitimate, they all work—in specific domains.”

For now at least, a broad consensus seems to be developing in favor of a more aggressive setup. A Washington Post poll last year found 50 percent of Americans in favor of heavy federal involvement in investigating cyber threats, even if it came at the expense of personal privacy. Only 38 percent thought otherwise. Meanwhile, the Pentagon has plans to dramatically increase the size of its cyber staff, though it’s not clear where all the manpower will come from. And as many businesses across the country are now becoming aware of gaps in their cyber defenses, Washington has been equally invested in going on offense. More and more, it looks as if the militarized model is taking over.

Yet even that approach contains pitfalls. Suppose the Defense Department gains access to a foreign network. Because it isn’t a large step from snooping around to wreaking havoc inside the system, taking that step becomes exceedingly tempting. And that’s true for any state. Setting up a world where checks against that temptation are easily violated raises the baseline risk of an accidental cyber war.

Thankfully, said Hayden, the vast majority of cyber problems the United States has dealt with so far have been attempts at cyberespionage—not cyberattack. And there’s a big difference between the two.

Colloquially, said Hayden, “we use cyberattack for anything unpleasant that happens to us on the Web. In my business, a cyberattack is someone using a weapon comprised of ones and zeros to effect damage. We don't call cyberespionage a cyberattack.”

Threatwatch Alert

Network intrusion / Stolen credentials

85M User Accounts Compromised from Video-sharing Site Dailymotion

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security


When you download a report, your information may be shared with the underwriters of that document.