How the US can avoid a 'cyber cold war'

As U.S. diplomats seek to elevate issues such as Internet freedom and cybersecurity in their talks with foreign counterparts, they have a tough balance to strike.

While State Department officials say that online censorship, surveillance and other Internet-related human rights concerns are a mainstay on their diplomatic agenda when dealing with repressive regimes, there is a fine line to walk between asserting core values such as freedom of speech and religion without sacrificing progress on a number of other cyber issues where common ground is easier to find, according to Howard Schmidt, who recently stepped down as White House cybersecurity coordinator.

Speaking at Gartner's annual security and risk management summit, Schmidt warned against allowing the perfect to be the enemy of the good in cybersecurity talks with foreign nations, "because people just fundamentally don't agree."

"Things that we fundamentally believe in," Schmidt said, "other countries say, 'Well, not so fast. That undermines our society.' And while we disagree, and we disagree vehemently about some of those things, we still don't want to focus our energy and time on the things we don't agree on. Let's look for the things we can agree on internationally."

That becomes especially important in talks with major powers such as Russia and China, which have checkered histories of using the Internet to squelch opposition, but with whom the United States maintains important, if fragile, strategic and economic relationships.

Slideshow: Quiz: Separate Cyber Security Fact From Fiction

In his time at the White House, Schmidt said that he worked hard to improve relations with Russia, seeking to engender a level of transparency and mutual confidence that could lower the risk of a potentially disastrous cyberattack.

"We don't want to wind up in sort of a cyber Cold War," he said. "If we're not talking, there's always a lot of room for worse things to take place."

At the top of that list of concerns is the prospect of a major attack that could disrupt a large swath of critical infrastructure, such as electricity grids, water systems or telecommunications networks.

While the Cold War watchwords "mutually assured destruction" are an imperfect analogy -- a cyber assault on critical infrastructure hardly carries the same threat to human life as a nuclear attack -- Schmidt is concerned that a similar dynamic of escalating attacks and counterattacks could take hold in the cyber realm.

"Many of us for years have been worried about the mutually assured disruption. Forget about the destruction," he said.

Global Cybersecurity Strategy

Navigating cybersecurity issues on a global scale is a formidable task, and the U.S. government has been incrementally advancing its set of policies since the Clinton administration. For all the novelties of the Internet age, the encouraging news is that many of the issues in play such as human rights and protocols for self-defense are already codified in international laws and conventions. In addition, more than two dozen nations have ratified the Budapest Convention on Cybercrime, which took effect in 2004.

So U.S. negotiators are not starting from scratch, and Schmidt suggested that questions of sovereignty, location and ownership in the context of cyberattacks can generally be addressed under existing codes of conduct. However, that doesn't make it easy.

"A lot of these things already exist, but yet we find ourselves on this squirrel wheel of trying to reinvent things," he said. "By the same token, we have to recognize that none of us will ever be 100 percent secure."

Schmidt also pointed out that U.S. government entities and businesses are facing an increasingly sophisticated and diverse set of adversaries, and the origins of today's cyberattacks are often difficult to discern.

"When you start looking at 'where's the threat coming from', that's another challenge. Attribution is extremely difficult. We know that some of it involves nation states," he said. "Some of them involve individuals and organizations that are supported by a nation state."

Still other attacks emanate from so-called "hacktivists," like the collective Anonymous, who are protesting a social or political issue, and then there is a whole range of identity thieves, fraudsters and other bad actors who give the cybercrime spectrum near infinite nuance.

Domestic Cybersecurity Strategy

On the domestic front, Schmidt put in an appeal for Congress to pass cybersecurity legislation that would strengthen penalties for cybercrimes and beef up cybersecurity education programs. Additionally, he threw his support behind one of the more controversial aspects of the various proposals that have been floated, which would empower an entity in the executive branch with some level of regulatory authority over private-sector providers of critical digital infrastructure.

One such bill is awaiting consideration before the Senate. Recently, Majority Leader Harry Reid (D-Nev.) praised the legislation and appealed to GOP members to engage in good-faith talks either to improve the measure or advance alternative proposals.

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for

Follow everything from on Twitter @CIOonline, on Facebook, and on Google +.

Join the CSO newsletter!

Error: Please check your email address.

More about FacebookGartnerGoogleLeaderLeader

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Kenneth Corbin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place