Cyber Security and Emerging Threats Defense Piotr Zulauf Security The United States of America

Growing Issue of U.S. Cyber Security


In an increasingly globalised world, communication is key to success, and the development of cyberspace provides many advantages and opportunities for nations around the globe. However, this development also has the potential to be exploited by malevolent actors. A large portion of US daily life, economic vitality and national security depends on a safe and stable cyberspace, as stated by the US Department of Homeland Security. In the last decade, the US experienced a massive growth of cyberspace based around the cloud system of organisation, but there are major concerns over the security of the US systems. There have been growing accounts of cyber-attacks on the US infrastructure, many of which have been linked to the ease with which the cloud system is hacked.

Many defence experts in the US believe that cyber-attacks are the most serious threat facing the country, even more so than terrorism. Almost half of the US national security leaders (45.1%) identified cyber-warfare as the principal danger to the US according to a poll published by Defense News, with the most cited concerns being Chinese hackers and state-sponsored attacks. An article in Security Affairs stated that on November 26, 2013, the US-China Economic and Security Review Commission reported that cloud computing “represents a potential espionage threat.” Chinese hackers are targeting high-profile companies such as Google, Microsoft, and Apple to spy on the US. The commission also reported that the Chinese government wages a “large-scale cyber espionage campaign” and has successfully targeted both private and public US networks.

The cloud computing system raises concerns over the way data are managed by service providers, as well as over its potential use as a platform for cyber-attacks. The entire infrastructure of information technology is based mostly on an open-architecture approach to computer systems and network infrastructure. The open-architecture approach has led to the fast development of new commercial technology. Unfortunately, the downside to this commercial approach is that security is not the primary objective of such a system.

Recently, the main issue with the cloud computing system has been the possibility of exploiting zero-day vulnerabilities present in the cloud architecture. One such zero-day is a vulnerability in a Microsoft graphics component that is exploited in attacks using crafted Microsoft Word documents sent by email. It allows attackers to install malware via infected Word documents and target Microsoft Office users running Windows Vista and Windows Server 2008. This provides the ability to anonymously attack government and military networks with relative ease. Another problem with the cloud computing system is the potential risk posed by special cloud-computing zones in foreign nations. Any company located in such a cloud-computing zone would be at risk of having its data syphoned off by the intelligence agencies of the host nation. One such zone exists in the City of Chongqing in China, and has been suspected to be a source of Chinese espionage.

Stephen Bryen, founder and first Director of the Defense Technology Security Administration, believes that the US is losing the Cyber War. In his article, Bryen states that there is no US government or military website that has not been hacked, and the problem now extends to banks, health care systems, financial transactions, credit card data, and identity theft among other targets. He asserts that analysis of cyber warfare should be treated just like any conflict, where metrics are used to conclude what the conflict outcome will be. An Army general surveys the battlefield, estimates resources and technologies, and decides on a strategy. If the general believes that the war will be lost, he tells his political leaders and waits for guidance. In these conflicts there are four scenarios: fight to win, fight to reach a stalemate, negotiate or surrender. Bryen applies this approach to the US cybersecurity situation.

Bryen explains that the US cannot win due to a lack of troops or the technology to win. He further asserts that no one has developed a successful offensive strategy other than converting cyber war to traditional war, which is impractical. There is also no stalemate option for the US, since China is too important economically and politically to challenge. There are also other cyber war makers apart from China, such as Russia, Iran, Syria and select individual hackers from around the globe. The US and its allies have tried to prosecute some hackers; however, there has been little success in this strategy. Bryen suggests that the US does not possess a threat large enough to stop cyber-attacks, and there is no one to negotiate with since the Chinese simply deny any charges and accuse the US of spying. The last option that remains is surrender; however, unlike traditional war, there is no one to surrender to. This means that the US will likely continue to fall behind on cybersecurity and become more susceptible to attacks on its information infrastructure even though it has been steadily increasing funding for its cyber defence programme.


Bryen concludes that what the US needs is a switch in infrastructure from a commercial, open architecture system like the cloud computing system to a closed and more secure system not relying on the cloud infrastructure. This secure operating system, along with all components, must be built in the US. He also states that the US should implement a compartmentalization system along with a series of decentralised and regulated security centres.

Recently, the National Security Agency (NSA) chief announced that the US is building a new cyber defence corps to protect the nation from attacks. The NSA director Michael Rogers, who also heads the US Cyber Command, said the 6,200-member unit should be fully operational by 2016. The new unit will protect critical infrastructure, which includes computer-controlled power grids, financial networks, transportation and other key sectors. The unit is said to strengthen the Pentagon’s systems and increase the cyber capabilities of US command centres around the world.

There is no additional information as to what approach the US will use in building the new cyber defence corps, and whether it will still use the cloud computing system. Since a change in information infrastructure was not mentioned, one can assume that the US will not change its system much, and the new cyber defence corps is more of an attempt to deal with cyber-attacks rather than an incentive to create a safer US cyberspace.

Piotr Zulauf
Piotr Zulauf is a Junior Research Fellow at the NATO Association of Canada. He is a third-year student at Aberdeen University in Scotland, studying Economics and International Relations. His main focus is international security, energy security, and development economics. He is involved in the Politics & International Relations society at Aberdeen University. He has worked for the Polish Consulate in Toronto and is an active member in promoting the Polish community in Canada. In his spare time he likes to play sports and train in submission grappling and K-1. He also enjoys reading fiction and historical books.