US leads in cybersecurity/US does not lead in cybersecurity

Depending on the articles you read, the US is either a leader in cybersecurity or it isn’t. According to an article from the E-Commerce Times:

A new bill introduced in the Senate on Tuesday aims to put the United States in a leading role in the global fight against cybercrime.

Dubbed the "International Cybercrime Reporting and Cooperation Act," the bipartisan legislation was introduced by Sen. Kirsten Gillibrand, D-N.Y., and Sen. Orrin Hatch, R-Utah, in response to the growing threat of cyberattacks such as those perpetrated earlier this year against Google and other U.S. companies.

The new legislation will help the U.S. identify threats from abroad and work with other countries to crack down on their own cybercriminals. It will also recommend cutting off U.S. assistance and resources for countries that refuse to take responsibility for cybersecurity.

"The U.S. government has inadequately addressed the need for global cooperation and a harmonized framework" in the fight against cybercrime, agreed Jody Westby, CEO of Global Cyber Risk and distinguished fellow with Carnegie Mellon CyLab.

The Gillibrand-Hatch bill is "very important in that it requires the U.S. government to start taking a more global view of cybercrime," she added. Westby led the development of the ITU toolkit, which provides sample legislation countries can use to develop cybercrime laws harmonized with those of other nations.

The United States "has to understand that we now comprise only about 12 percent of the online population," Westby told the E-Commerce Times. "We clearly lead in cybersecurity and have to start asserting our leadership. The measures in this bill will go a long way toward doing that and raise awareness globally of where the problems are."

In short, "the senators have identified a very critical gap that has existed in cybersecurity," Westby concluded. "This could help focus and coordinate the U.S. government on global cybercrime in a way it hasn't before."

The article doesn’t state what Westby means by the US leading in cybersecurity.  By contrast, Michael McConnell (director of the National Security Agency in the Clinton administration and the director of national intelligence during President George W. Bush's second term) recently wrote the following in the Washington Post:

The United States is fighting a cyber-war today, and we are losing. It's that simple. As the most wired nation on Earth, we offer the most targets of significance, yet our cyber-defenses are woefully lacking.

These battles are not hypothetical. Google's networks were hacked in an attack that began in December and that the company said emanated from China. And recently the security firm NetWitness reported that more than 2,500 companies worldwide were compromised in a sophisticated attack launched in 2008 and aimed at proprietary corporate data. Indeed, the recent Cyber Shock Wave simulation revealed what those of us involved in national security policy have long feared: For all our war games and strategy documents focused on traditional warfare, we have yet to address the most basic questions about cyber-conflicts.

Yet by contrast again, Howard Schmidt, the new cybersecurity czar for the Obama administration, refutes the assertion that the United States is caught up in a cyberwar that it is losing.

“There is no cyberwar,” Schmidt said in a sit-down interview Wednesday at the RSA Security Conference in San Francisco.

“I think that is a terrible metaphor and I think that is a terrible concept,” Schmidt said. “There are no winners in that environment.”

Instead, Schmidt said the government needs to focus its cybersecurity efforts to fight online crime and espionage.

His stance contradicts Michael McConnell, the former director of national intelligence who made headlines last week when he testified to Congress that the country was already in the midst of a cyberwar — and was losing it.

On the one hand, the US is leading.  On the other hand, the US is losing the cyberwar.  But on the other hand, there isn’t even a cyberwar.  Which one is right?

Well, we know that in 2007 and 2008, Estonia and Georgia suffered large-scale DDoS attacks in a cyber-riot, possibly with state sponsorship but possibly not. In 2009, Twitter and Facebook suffered similar attacks in a cyber-riot, possibly with state sponsorship but probably not. In January 2010, Google suffered from a cyber-attack, possibly with Chinese state sponsorship and possibly not. Depending on the articles you read, the Pentagon and other military departments in the United States repel hundreds of cyber-intrusions every single day. So the question is not whether these types of attacks are occurring; it’s a question of who is conducting them and whether or not they are hostile actions from foreign governments (a Chinese-backed effort to steal secrets from Google could be considered a hostile act, in my opinion). We do suspect that foreign governments do not actively pursue known spammers in eastern Europe, presumably because they are handy to have around just in case they need to launch cyber attacks. But what is the threat level?

Is Schmidt right? Are online crime and espionage the main threat to the Internet? Or is McConnell right that the US is already under attack, that critical pieces of infrastructure are vulnerable, and that it is only a matter of time before one of them is taken down?

I tend to lean more towards Schmidt, but for the existential threat I lean more towards McConnell.  Right now, armies of bots around the world are committing piles and piles of online fraud (spam, identity theft, and so forth) using botnets, and occasionally these botnets are harnessed to do DDoS attacks on businesses and even branches of government.  But it doesn’t necessarily follow that these are coordinated efforts by foreign governments. No doubt some of them are, but some aren’t.

However, it probably wouldn’t take much for a foreign government or non-state actor to harness these resources together and launch a sustained cyber attack on key American pieces of infrastructure.  If that were to occur, most experts would probably agree that the US is underprepared.  How likely is it?  Could the US repel it in a reasonable timeframe?  And could they launch a counterstrike?

Such questions and answers are above my pay grade (and not even part of my department); while I think that the threat is there, I don’t know how likely the threat is to actually occur.  It is possible, but is it probable?  And if so, how much time do we have?