A recent US Congressional Hearing tried to establish the answer to the question:

“If a sophisticated cyber-attack occurred against the United States financial systems, who would coordinate the response?”

You might think that this straightforward question would get a simple answer, but apparently the answer it produced was:

“We’re in the process to building out a national cyber incident response plan, and that plan would more clearly define roles and responsibilities of the different departments and agencies.”

Pressed again by the Congressmen, the witnesses acknowledged:

“I think that’s one of the challenges that needs to be addressed: Who is actually in charge? With the White House cybersecurity coordinator in place now, what is his role relative to at DHS? I think that is certainly a valid challenge that still remains to be addressed.”

However, if it is confused in the United States, I would be surprised if there was any clarity if the same question was asked in the UK.

I might table a Parliamentary Question and see.

 

The former Director of the National Security Agency under President Clinton and Director of National Intelligence under president George W Bush, Mike McConnell, writing in the Washington Post, has expressed his concern that the USA is losing the cyber war.

He says:

“The United States is fighting a cyber-war today, and we are losing. It’s that simple. As the most wired nation on Earth, we offer the most targets of significance, yet our cyber-defenses are woefully lacking.

The problem is not one of resources; even in our current fiscal straits, we can afford to upgrade our defenses. The problem is that we lack a cohesive strategy to meet this challenge.

The stakes are enormous. To the extent that the sprawling U.S. economy inhabits a common physical space, it is in our communications networks. If an enemy disrupted our financial and accounting transactions, our equities and bond markets or our retail commerce — or created confusion about the legitimacy of those transactions — chaos would result. Our power grids, air and ground transportation, telecommunications, and water-filtration systems are in jeopardy as well.

These battles are not hypothetical. Google’s networks were hacked in an attack that began in December and that the company said emanated from China. And recently the security firm NetWitness reported that more than 2,500 companies worldwide were compromised in a sophisticated attack launched in 2008 and aimed at proprietary corporate data. Indeed, the recent Cyber Shock Wave simulation revealed what those of us involved in national security policy have long feared: For all our war games and strategy documents focused on traditional warfare, we have yet to address the most basic questions about cyber-conflicts.

What is the right strategy for this most modern of wars? Look to history. During the Cold War, when the United States faced an existential threat from the Soviet Union, we relied on deterrence to protect ourselves from nuclear attack. Later, as the East-West stalemate ended and nuclear weapons proliferated, some argued that preemption made more sense in an age of global terrorism.

The cyber-war mirrors the nuclear challenge in terms of the potential economic and psychological effects. So, should our strategy be deterrence or preemption? The answer: both. Depending on the nature of the threat, we can deploy aspects of either approach to defend America in cyberspace.

During the Cold War, deterrence was based on a few key elements: attribution (understanding who attacked us), location (knowing where a strike came from), response (being able to respond, even if attacked first) and transparency (the enemy’s knowledge of our capability and intent to counter with massive force).

Against the Soviets, we dealt with the attribution and location challenges by developing human intelligence behind the Iron Curtain and by fielding early-warning radar systems, reconnaissance satellites and undersea listening posts to monitor threats. We invested heavily in our response capabilities with intercontinental ballistic missiles, submarines and long-range bombers, as well as command-and-control systems and specialized staffs to run them. The resources available were commensurate with the challenge at hand — as must be the case in cyberspace.

Just as important was the softer side of our national security strategy: the policies, treaties and diplomatic efforts that underpinned containment and deterrence. Our alliances, such as NATO, made clear that a strike on one would be a strike on all and would be met with massive retaliation. This unambiguous intent, together with our ability to monitor and respond, provided a credible nuclear deterrent that served us well.

How do we apply deterrence in the cyber-age? For one, we must clearly express our intent. Secretary of State Hillary Rodham Clinton offered a succinct statement to that effect last month in Washington, in a speech on Internet freedom. “Countries or individuals that engage in cyber-attacks should face consequences and international condemnation,” she said. “In an Internet-connected world, an attack on one nation’s networks can be an attack on all.”

That was a promising move, but it means little unless we back it up with practical policies and international legal agreements to define norms and identify consequences for destructive behavior in cyberspace. We began examining these issues through the Comprehensive National Cybersecurity Initiative, launched during the George W. Bush administration, but more work is needed on outlining how, when and where we would respond to an attack. For now, we have a response mechanism in name only.

The United States must also translate our intent into capabilities. We need to develop an early-warning system to monitor cyberspace, identify intrusions and locate the source of attacks with a trail of evidence that can support diplomatic, military and legal options — and we must be able to do this in milliseconds. More specifically, we need to reengineer the Internet to make attribution, geolocation, intelligence analysis and impact assessment — who did it, from where, why and what was the result — more manageable. The technologies are already available from public and private sources and can be further developed if we have the will to build them into our systems and to work with our allies and trading partners so they will do the same.

Of course, deterrence can be effective when the enemy is a state with an easily identifiable government and location. It is less successful against criminal groups or extremists who cannot be readily traced, let alone deterred through sanctions or military action.

There are many organizations (including al-Qaeda) that are not motivated by greed, as with criminal organizations, or a desire for geopolitical advantage, as with many states. Rather, their worldview seeks to destroy the systems of global commerce, trade and travel that are undergirded by our cyber-infrastructure. So deterrence is not enough; preemptive strategies might be required before such adversaries launch a devastating cyber-attack.

We preempt such groups by degrading, interdicting and eliminating their leadership and capabilities to mount cyber-attacks, and by creating a more resilient cyberspace that can absorb attacks and quickly recover. To this end, we must hammer out a consensus on how to best harness the capabilities of the National Security Agency, which I had the privilege to lead from 1992 to 1996. The NSA is the only agency in the United States with the legal authority, oversight and budget dedicated to breaking the codes and understanding the capabilities and intentions of potential enemies. The challenge is to shape an effective partnership with the private sector so information can move quickly back and forth from public to private — and classified to unclassified — to protect the nation’s critical infrastructure.

We must give key private-sector leaders (from the transportation, utility and financial arenas) access to information on emerging threats so they can take countermeasures. For this to work, the private sector needs to be able to share network information — on a controlled basis — without inviting lawsuits from shareholders and others.

Obviously, such measures must be contemplated very carefully. But the reality is that while the lion’s share of cybersecurity expertise lies in the federal government, more than 90 percent of the physical infrastructure of the Web is owned by private industry. Neither side on its own can mount the cyber-defense we need; some collaboration is inevitable. Recent reports of a possible partnership between Google and the government point to the kind of joint efforts — and shared challenges — that we are likely to see in the future.

No doubt, such arrangements will muddy the waters between the traditional roles of the government and the private sector. We must define the parameters of such interactions, but we should not dismiss them. Cyberspace knows no borders, and our defensive efforts must be similarly seamless.

Ultimately, to build the right strategy to defend cyberspace, we need the equivalent of President Dwight D. Eisenhower’s Project Solarium. That 1953 initiative brought together teams of experts with opposing views to develop alternative strategies on how to wage the Cold War. The teams presented their views to the president, and Eisenhower chose his preferred approach — deterrence. We now need a dialogue among business, civil society and government on the challenges we face in cyberspace — spanning international law, privacy and civil liberties, security, and the architecture of the Internet. The results should shape our cybersecurity strategy.

We prevailed in the Cold War through strong leadership, clear policies, solid alliances and close integration of our diplomatic, economic and military efforts. We backed all this up with robust investments — security never comes cheap. It worked, because we had to make it work.

Let’s do the same with cybersecurity. The time to start was yesterday.”

This is powerful stuff.

And it begs the question for the UK: given the substantial level of resources that the United States Government invests in this area, compared with the investment in this country, where does that leave us?  And are we contemplating the sort of joint working between Government and industry that he advocates?

The London Assembly and the Metropolitan Police Authority tonight hosted a celebration of the excellent work done by the thousands of members of the public who provide regular volunteer help to the Metropolitan Police.

Mayor Johnson told the throng in the nauseatingly-named London’s Living Room on the top floor of City Hall that the only reason he no longer committed crimes (for example, by cycling through red lights) was, not because of his innate respect for the rule of law, nor because as Mayor of London he should set a good example, but because he never knew when a Metropolitan Police volunteer in plain clothes might be watching. Fortunately, Len Duvall wasn’t there, so a referral to the Standards Board for moral turpitude and bringing his office into disrepute – on this occasion at least.

The apparent departure of Paul Coen from the top job at the Local Government Association following what sounds like a major falling out with the new leadership of the Association is a good opportunity to ask what should be the future direction of the LGA.

The LGA was formed to create a single body representing local government by the merger of the previous sectoral bodies (the Association of Metropolitan Authorities, the Association of County Councils and the Association of District Councils) in the mid-1990s.  The idea was that a unified voice would strengthen the hand of local councils in their dealings with central government.

I have to say (and this will probably mean that I will be stripped of my honorary position as Vice President of the LGA) that the reality has not lived up to this hope.  One necessary consequence of the merger was that the sharpness of the positions taken by the new Association became blurred as any statements or comments had to strive for consensus between the different parties on the Association and the different local authority interests.  The result was blandness.

Not so predictable, however, was the loss of expertise.  The predecessor Associations had formidable teams of specialists working on different local government policy areas, such as social care, education, housing, finance etc..  These teams were able to provide high level advice to individual local authorities but more particularly their expertise meant that they could respond effectively to civil servants in the different central government departments.  They often knew far more about the policy issues than the relevant civil servants concerned and the effect was that the local government cause was pursued quietly and efficiently behind the scenes.  Over the last decade, these teams have been dismantled and local government has suffered as a result.

I am sure that this loss of expertise was not at the heart of the dispute between Paul Coen and the leadership of the LGA, but I hope that what has happened will now provide an opportunity to look at the direction and purpose of the Association.

The Sunday newspaper pundits have been working themselves up into an indignant froth about the Government starting to consult about its Interception Modernisation Programme.  Henry Porter in The Observer, for example, regaled his readers with his fantasies about Home Secretary, Jacqui Smith, as a “comic-strip super-villain dominatrix” and describing the proposal as “a very great threat to individual privacy”  It may be that Henry Porter needs a cold bath, but he certainly needs to focus on some facts.

At present, telephone companies keep data on their subscribers who make telephone calls, who they connect to and for how long.  They do this, so that they can bill people.  For many years, it has been possible for the police to access this data as part of their investigations into crime.  To do so, they have to get proper authorisation, certifying that accessing the data is proportionate to the crime being investigated and each case has to be considered individually.  The data can be used as evidence in Court and does not involve tapping the call and listening to the content.  Many trials rely on this evidence for criminals to be convicted – there is a murder trial under way at the moment where the crucial evidence is which mobile phones contacted each other just prior to and immediately after the murder took place.

But – and this seems to have passed the pundits by – technology is changing.  Telecoms companies (both fixed line and mobile operators) are building new networks based on VoIP technology.  This is cheaper and more flexible and - critically – does not require detailed call-by-call billing.  The data on which so many trials now rely will soon cease to exist.  The Government is therefore quite rightly going to consult on what can be done to capture this information and allow it to be used in criminal investigations where necessary.

It is not about giving the police more powers to pry into people’s personal lives.  It is about not losing vital material that is currently used to catch criminals.

And, of course, new forms of communication are being created all the time (eg. on social networking sites and chat facilities built into on-line gaming).  Should the police have powers to find out who is communicating with who in these new ways?  That’s what the consultation is about.  It is not some monstrous new assault on civil liberties.  It is allowing a sensible debate about how existing powers should be modified to reflect the changes in technology.

No-one really expected the Government’s proposals for reserve powers to detain terrorists suspects for up to 42 days to pass through the House of Lords.  Even with all the safeguards – judicial oversight of each individual case, the proposals only triggered after a tortuous process to confirm the circumstances ware really extreme, and even then the longer detention period automatically lapsing after two months – heavy opposition was inevitable.

The majority against was larger than expected – I had guessed 170 (and been told I was pessimistic) – but in the end the Government lost the vote by 191 votes.  Having been part of the Light Brigade arguing in support of the proposals (Radio 4’s Today programme, Radio 5 and the debate itself), I was however taken aback by the speed with which the climbdown was announced – less than two hours after the vote.  It did feel like  the Grand Old Duke of York was settling the Parliamentary tactics …..