This is the latest example of what’s wrong with the metaphor of cyberspace for information security. Cyberspace isn’t a space. Cyber attacks don’t involve thrown projectiles or spears. A shield won’t bat them down. The meat of the policy is buried: look how little attention is devoted to the five points in the last paragraph quoted below.
If he had said that installing Norton Internet Security on every computer in America was the definition of a cyber shield, or ordering drone attacks against suspected zero-day-threat writers, or requiring American companies to write back doors for the feds into encryption, or mandating the use of federally issued firmware in critical industries… well, then that would be the definition of a cyber shield. It’s a completely empty term.
US urges NATO to build ‘cyber shield’
(AFP) – Sep 15, 2010
BRUSSELS — NATO must build a “cyber shield” to protect the transatlantic alliance from any Internet threats to its military and economic infrastructures, a top US defence official said Wednesday.
Cyber security is a “critical element” for the 28-nation alliance to embrace at its summit of leaders in Lisbon on November 19-20, US Deputy Defence Secretary William Lynn said in Brussels.
“The alliance has a crucial role to play in extending a blanket of security over our networks,” Lynn said.
“NATO has a nuclear shield, it is building a stronger and stronger defence shield, it needs a cyber shield as well,” he said at a forum hosted by the Security & Defence Agenda think-tank.
The Pentagon’s number two called for adopting the Cold War-era strategy of “collective defence” in the cyber arena.
“The Cold War concepts of shared warning apply in the 21st century to cyber security. Just as our air defences, our missile defences have been linked so too do our cyber defences need to be linked as well,” Lynn said….
The Pentagon was forced to review its own digital security in 2008 after the most serious cyber attack on the US military’s networks, which came from a tainted flash drive that was inserted in a military laptop in the Middle East.
Lynn said the Pentagon strategy has identified “five pillars” to cyber security: recognising cyberspace as the next domain of warfare; the need for active defences; the protection of critical infrastructure; enhancing collective defence; and the need to “marshall our technological prowess.”
How exactly would a cyber shield work? While it’s a compelling metaphor, it contains absolutely no technical information about the policies being advocated. Would the shield be comprised of software that runs on every American and allied desktop computer? Or comprehensive packet filtering at the level of backbone routers? Or just a big piece of steel wedged into your intercontinental fiber optic connections?
The metaphors you should bear in mind for cyberspace are more like Goethe’s Sorcerer’s Apprentice, adapted for the silver screen by Disney. Digital data can be endlessly copied. If you accidentally leave the backup of the company’s email server on the public website, you have to assume it’s now publicly available. Electronic SCADA systems replace direct physical operation of industrial systems with software-controlled systems, including everything from the operational controls of aircraft to oil refineries to trading platforms to medical devices.
Don’t get me wrong. There is a proper role for international cooperation and civil-military cooperation in cyber defense. It’s just that thinking about cyberspace as a space doesn’t get you very far.