The Cooperative Cyber Defence Center of Excellence, NATO’s think tank for cyberdefense, is located in the beautiful medieval city of Tallinn, Estonia–the front line of warfare’s future.
In 2007, Russian hackers paralyzed Estonia’s infrastructure as retaliation for tensions with Russia’s government–one of the world’s first confirmed acts of cyberwar. Since then, Estonia’s IT industry has served as the country’s digital militia.
Some people would like to see the same thing in the United States.
There is talk of establishing an American “cyberdraft” in which entire companies could be drafted to defend government and private computer networks in time of war. Talk is theoretical right now, but it could be inching closer to reality. Cyberdrafts of various sorts already operate in Estonia, China, Russia, Iran, Syria, Israel, and elsewhere. The question of the relationship between private Internet security firms and crucial American government and business interests is one of the great unresolved questions of a cybersecurity bill expected during Obama’s second term.
At the present time, relationships between online security firms and United States military and intelligence organizations are believed to be strictly informal. There have been cases of individual engineers and researchers at firms such as Google and McAfee comparing notes and offering off-record advice when foreign state-sponsored hackers were suspected of attacking government computers, but no protocol is on the books for press-ganging cybersecurity experts into government service. Google famously waded into the realm of cyberwarfare activism several months ago when it warned certain Gmail users they might be victims of state-sponsored attacks. These users disproportionately came from the political, think tank, and journalism worlds.
According to research presented at the 2011 International Conference on Cyber Conflict in Tallinn, legal precedent and tools exist for the United States to create a cyberdraft in a wartime situation. In order to mitigate concerns relating to the chain of command and the time-sensitive needs of protecting government and private sector servers, most experts agree that entire companies would have to be “drafted” and switch their entire focus to security-sensitive concerns dictated by government.
Recent government actions indicate that cyberdraft talk is, in fact, moving beyond mere theory. In August 2012, the Defense Department introduced extensive changes to their cyberwarfare rules of engagement that call for United States Cyber Command to collaborate with the private sector to defend non-government computers during emergency events. Cyber Command is the arm of the United States military that deals with offensive and defensive cyberwar capabilities. Even though the August rules call for the Pentagon to defend private business interests, the change nonetheless forces private IT and security teams to become de facto military partners during wartime.
One paper presented at the 2011 conference described both the potential need for a geek draft and the potential challenges. Authors Susan W. Brenner of the University of Dayton Law School and Leo L. Clarke believe that special wartime circumstances could dictate some form of a draft for security geeks to temporarily work in government service. Due to logistical and time frame issues, this would probably take the form of an entire company temporarily working in government service.
Private sector actors are, through government contractors, already being hired as cyberwar mercenaries. Defense giant Raytheon is actively hiring “cyberwarriors” to work with various intelligence and military entities. Raytheon is specifically hiring coders, engineers, and information assurance experts to work at installations in Fort Meade, Maryland, Melbourne, Florida, and various other sites. Fort Meade is home to Cyber Command and the National Security Agency, while a cluster of defense contractors locate cyberdefense-oriented offices in Melbourne. Other contractors, such as ManTech, also fulfill similar roles.
There are challenges to the geek draft. “If the draftees become full-time members of the military, it really doesn’t make sense as a practical matter. The government would presumably only need to call them into action when a crisis arose–along with, probably, having them take certain actions routinely to help fend off attacks–so it might be better to use a kind of National Guard approach, so they were only ‘called up’ when needed,” Brenner told Fast Company.
Brenner believes that if a cyberdraft comes to the United States, it would likely take the form of a geek National Guard. A similar setup already exists in Estonia, where the country’s Cyber Defense League is an informal militia of IT experts protecting the Baltic state’s infrastructure from attacks by Russian and other hackers. The volunteer organization works under the umbrella of Estonia’s Defense Ministry and jumps into action when the country’s extensive electronic banking, utility, or military infrastructure online is threatened. Estonia is one of the most wired countries on earth; the small nation even holds their elections online, with citizens able to cast secure and secret e-ballots through a special encryption and virtual signature system. The country also has a thriving tech sector that’s home to an abnormally large and robust startup scene.
While it isn’t a cyberdraft, Israel is building a Jewish foreign legion of computer geeks. Unit 8200 of the Israeli Defense Forces (IDF), which specializes in cyberwarfare and cyberintelligence, is embarking on a recruitment drive in the Jewish diaspora. According to a report in Israeli newspaper Yediot Ahronot, representatives from the IDF will be sent to scour for Jews abroad with cyberwarfare potential with interest in speaking to military recruiters. The newspaper cites a military source as saying that “Our first order of business is to search Jewish communities abroad for teens who could qualify […] Our representatives will then travel to the communities and begin the screening process there.”
Unlike the NSA or Cyber Command, Unit 8200 serves as a hotbed incubator for Israel’s thriving startup scene. Many of the country’s best known startups boast 8200 alumni as founders or prominent employees; Unit 8200’s alumni association even hosts annual startup fairs which attract recruiters from multinational corporations. Due to 8200 alumni’s backgrounds in information assurance and cryptography, veterans are in hot demand among security firms worldwide. At the same time, this also creates a network of ties which gives the Israeli military significant leverage in the private sector for potential informal cyberwarfare assistance.
Similar situations where the tech community serves government cyberwarfare interests exist in China, Russia, and Syria. All three countries’ governments and militaries hire hackers for cyberwarfare projects or collaborate with hackers on pro-bono operations performed for patriotic reasons.
If a geek draft ultimately does come to the United States, it will be through legislation. The proposed Senate Cybersecurity Act of 2012 was killed due to heavy lobbying by industry giants like Google and civil liberties activists groups such as the Electronic Frontier Foundation. Provisions in the Act would have arranged for coordinated responses by techies during large-scale attacks such as, say, a shutdown of U.S. banks. One of the biggest challenges for Obama’s second term will be the delicate horsetrading of passing a new, revised cybersecurity act that will satisfy the technology sector, banking, utilities, the military, intelligence agencies, and other actors.
The ultimate challenge for the United States–cyberdraft or not–is the logistical demand for building a coordinated response to any future digital Pearl Harbor. In both cyberespionage and cyberwarfare, hackers backed by foreign states have been equally enthusiastic about raiding information and causing problems on government and prominent U.S. private sector computers. If that awful day does happen when large sections of the power grid are taken down or the banking sector finds themselves offline en masse, we’ll suddenly find private Internet security firms working much more closely with the U.S. government.
[Image: Flickr user Jeff Schuler]