T H I N K I N G S T R AT E G I C A L LY A B O U T C N C I ( C o m p r e h e n s i v e N a t i o n a l C y b e r s e c u r i t y I n i t i a t i v e )

PROPOSITIONS: ASYMMETRIC RISKS TO THE NETWORKED IN-

FORMATION ECONOMY (UNDERSTANDING THE CYBERSPACE
THREAT ENVIRONMENT)

What follows are a series of propositions that, if true, or at least measurably

describe the substance of what we presently understand concerning the real-
ity of the cyberspace environment, can provide a framework for developing
design standards that may be used to develop cyberspace threat deterrence
measures. Thus, from a probabilistic risk assessment (PRA) perspective, each
proposition has a ‘cost’ or economic ramification embedded in the logic (truth
or falsity) of the statement:

The advent of advanced computational resources, large-scale data stor-

age, and cyber networks (collectively, “cyberspace”) and the networked
information economy is the most significant economic change since the
start of the industrial age. Cyberspace presently serves as the substrate for
the evolution of the post-industrial economy of the twenty-first century in
advanced countries of the world;

Cyberspace is an human-engineered complex, dynamical system de-

scribed most accurately as a system comprised of a large network of
components operating with simple rules (programs and protocols) with
no central control (i.e. the system is self-organizing) that results in sophis-
ticated information processing (computational processes), adaptation,
and complex collective behavior. Additionally, this complex, dynamical
system is non-linear in its exhibition of emergent behavior (i.e. the behav-
ior of the system cannot be fully predicted from a knowledge of all its
parts) and probably exhibits features of a chaotic system (i.e. there is a
sensitive dependence on initial conditions). 1

If cyberspace is the foundation for a large portion of the annual GDP

growth of the national economy, it has taken on a mantle of ‘critical infra-
structure’ with National Security implications;

Cyberspace network resilience is lower than it should be given its National

Security importance.2 For example, critical cyber network infrastructure is
outdated, highly vulnerable to threats, inefficient, and unsuitable for sus-
tained future economic growth. Using the Federal Interstate Highway
System3 as an analogue, it is as though we have both high powered sports
cars and model T Fords traveling down the road together for 8 hours a

LYLE A. BRECHT --- DRAFT 1.3--- 410.963.8680 --- CAPITAL MARKETS RESEARCH --- July 3, 2009 PAGE 1 OF 9
T H I N K I N G S T R AT E G I C A L LY A B O U T C N C I ( C o m p r e h e n s i v e N a t i o n a l C y b e r s e c u r i t y I n i t i a t i v e )

day every day, going not more than 30 MPH because the road is in such
disrepair, and there are bandits all along the road who may hijack our car
at any moment;

As critical infrastructure, cyberspace has also become a potential envi-

ronment for novel cyber warfare strategic initiatives and weapons devel-
opment. Both cyber security4 and cyber warfare, 5 although interlinked
and enmeshed, are proceeding apace rapidly and, for the most part, inde-
pendently;

What is different about cyber warfare is that the technologies underlying

weapons of mass destruction (WMD) i.e. nuclear, biological, and chemical
weapons require access to hard to acquire and often large scale, sophisti-
cated weapons programs. However, cyber warfare weapons, along with
other networked technologies such as genetics, nanotechnology, and ro-
botics are widely within the reach of individuals or small groups;

Cyber weapons are potentially so powerful that accidents, abuses, and

deliberate malicious attacks are capable of producing circumstances
whereby, for example, instead of global GDP going from $60 to $240 tril-
lion (in $2005 purchasing power parity) by 2050, it declines to $6 trillion; 6

Thus, we now have the possibility of threats not just of weapons of mass
destruction, but of knowledge-enabled mass destruction (KMD) weapons;
KMD weapons will most likely use the power of self-replication to am-
plify their destructiveness by many orders of magnitude. Knowledge
alone will enable the use of and destructiveness of these weapons;7

The estimated ongoing operating and maintenance (O&M) costs and re-
pair and replacement (R&R) costs for the nation’s cyber infrastructure is
$248 billion annually. 8 On an annual basis, the deferred O&M and R&R
costs are approximately $126 billion;

Annual network-dependent revenues from the various uses of the net-

work amount to a significant portion of the annual GDP of the nation
amounting to approximately, $5,000 billion.9 That is, if the network was
crippled and disabled for an extended period of a year or more, the ap-
proximate opportunity cost for the nation’s economic output might
amount to as much as $5,000 billon;

LYLE A. BRECHT --- DRAFT 1.1--- 410.963.8680 --- CAPITAL MARKETS RESEARCH --- May 24, 2009 PAGE 2 OF 9
T H I N K I N G S T R AT E G I C A L LY A B O U T C N C I ( C o m p r e h e n s i v e N a t i o n a l C y b e r s e c u r i t y I n i t i a t i v e )

The size and ongoing nature of the deferred investments in adequate

O&M and R&R for the nation’s network(s) result in a highly vulnerable
system that is prone to compromise and partial system collapse;

Probabilistic annualized threat estimates of network disruptions or col-

lapse from system-related problems (e.g. cascading failures) due to lack of
O&M and R&R = 40%;10 deliberate attack of the national network infra-
structure exacerbated by insecure, outdated infrastructure = 30%; emer-
gent causes (black swans) = 20%11 and faults due to natural causes = 10%
(earthquakes, tornados, hurricanes, floods, asteroid collision with earth,
etc.);

Threats to the network follow a power distribution in number and sever-

ity of system related threats over time (i.e. only a few threats will be se-
vere and large scale, but potentially catastrophic);

Sources of threats to the national network(s) are local, regional, national

and international and constitute a national security threat in their severity
and cost to the national economy, when they occur at scale;

Even with adequate O&M for some portions of the national cyber net-
work, some portions of the network are so vulnerable due to lack of
timely R&R, that adequate security of the national network cannot be as-
sured. The fact that these outdated portions of the network connected to
the national cyber network creates a situation of heightened vulnerability
for all cyber network users;

There is a statistically higher probability for catastrophic damage to sec-

tors of the nation’s economy from cyber network failure/collapse due to
inadvertent system failures than in deliberate malicious attacks against
the national network infrastructure;

The inherent vulnerabilities of the U.S. national cyber network to with-

stand powerful solar storms12 and EMP (electromagnetic pulse) attack13
disruption or shutdown due to inherent system design limitations, as
well as from human error introduces another significant level of risk. 14
There is an economic cost ripple effect for inadequate O&M and R&R to
the nation’s electricity grid. For example, the entire national cyber system
infrastructure relies on clean, dependable electricity sources to function at
all;

LYLE A. BRECHT --- DRAFT 1.1--- 410.963.8680 --- CAPITAL MARKETS RESEARCH --- May 24, 2009 PAGE 3 OF 9
T H I N K I N G S T R AT E G I C A L LY A B O U T C N C I ( C o m p r e h e n s i v e N a t i o n a l C y b e r s e c u r i t y I n i t i a t i v e )

Practically speaking, the network’s vulnerability is often determined by

the lowest common denominator of present technical capabilities. It is
unlikely from a probabilistic perspective, and from a game theory per-
spective probably undoable, that the network can ever achieve 100% se-
curity. That is, there will always be some level of probabilistic risk in the
system that is not able to be adequately ‘managed;’

Regularly upgrading network technology is one potential means for

managing the risk assessment curve. That is, with each new successive
introductions of network technology, there is a high probability that struc-
tural and functional security issues will have been addressed. Thus, only
known operational security issues will remain until the flaws in the new
network technologies become widely known;

Normal new technology adoption cycles are typically 15-20 years. A great
deal of additional security could be established if these technology adop-
tion cycles were reduced to 7-10 years for system components of the na-
tional cyber infrastructure;

The opportunity cost of not making the investment to re-engineer and

improve the probabilistic forecasts for cyber infrastructure disruption or
collapse may result in an Incremental Capital Output Ratio (ICOR) that
equates to a loss of about $500 billion in GDP annually, on average. 15

A PROPOSAL FOR A COMMONS-BASED, SMART CYBER NETWORK

Below are a few potential programs/projects that fall out from the above
propositions. At most, these program initiatives require further economic vet-
ting, hopefully using PRA measures to prioritize timely work toward deter-
ring the full range of cyberspace threats:

A Smart Cyber Network Infrastructure includes two components: (1) a

smart national electricity grid16 and (2) an updated national cyber net-
work infrastructure. Potentially, the only reliable and safe means to cost-
efficiently build these smart systems is to declare both the national elec-
tricity grid and the national cyber network infrastructure a commons;

It is timely to introduce legislation similar to the Federal-Aid Highway

Act of 1956 that created the vision and financing mechanism for building
the federal interstate highway system. In this case, what the nation needs

LYLE A. BRECHT --- DRAFT 1.1--- 410.963.8680 --- CAPITAL MARKETS RESEARCH --- May 24, 2009 PAGE 4 OF 9
T H I N K I N G S T R AT E G I C A L LY A B O U T C N C I ( C o m p r e h e n s i v e N a t i o n a l C y b e r s e c u r i t y I n i t i a t i v e )

now is a vision that charts out the development of critical national cyber-
space infrastructure development over an extended multi-year period
and the funding mechanism to accomplish this vision;

For the national electricity grid, the federal government could arrange for
the investment capital necessary to upgrade this grid to national security
standards, and provide all O&M and R&R funds necessary to operate this
grid on an ongoing basis until the grid is fully modernized to limit threats
from cyber warfare, malicious attacks to the nation’s cyber infrastructure,
and collapse due to lack of O&M and R&R. The anticipated initial capital
allocated to upgrade the grid to national security standards is $400 to
$500 billion over the next seven years to twelve years;

For the national cyber infrastructure, the federal government could over-
see a network connectivity regulatory program that creates market incen-
tives for organizations/individuals to continually upgrade their cyber
network components. The second step will be to create a registry of net-
work ‘connectors’ so that we can assess annual feebates (fees/rebates)
based on their timely implementation of cyber network upgrades.

Cyberspace should be an environment where the military use of cyber-

space is limited by nonproliferation agreements. You may have seen the
NYT article on May 28th, “Pentagon Plans New Arm to Wage Wars in
Cyberspace.”17 What caught my attention is the notion that cyberspace is
considered just another war-fighting domain by the Pentagon: e.g. “We
need to be able to operate within that domain just like on any battlefield,
which includes protecting our freedom of movement and preserving our
capability to perform in that environment.” While the blowback from
such loose ‘calculated ambiguity’ talk may be unwanted (e.g. loss of
credibility and needed cooperation with the private sector and another
very expensive arms race, this time in cyberspace), there are two concep-
tual problems with this approach to cyber defense/warfare:

With cyber weapons, there presently is no countervailing strategic

‘game’ doctrine for cyberspace, like MAD (mutual assured destruc-
tion), that has the potential to actually ‘deter’ First Use. The notion
that the doctrine of nuclear deterrence can be retrofitted and used to
deter cyber attacks is absurd.18 Because cyberspace threats can be ini-
tiated easily by privatized transnational groups, without the knowl-

LYLE A. BRECHT --- DRAFT 1.1--- 410.963.8680 --- CAPITAL MARKETS RESEARCH --- May 24, 2009 PAGE 5 OF 9
T H I N K I N G S T R AT E G I C A L LY A B O U T C N C I ( C o m p r e h e n s i v e N a t i o n a l C y b e r s e c u r i t y I n i t i a t i v e )

edge of national governments by rogue elements within the state, and

the originating location of the attack readily masked and even trans-
posed to a predetermined DNS, the threat of nuclear armageddon in
response appears both unwarranted and unproductive;

The notion of attacks and counterattacks in the digital environment

are not directly transferable from the analogue environment of con-
ventional war fighting. For example, the development and deploy-
ment of offensive weapons in cyberspace have a higher probability of
mimicking HIV i.e. the release into the environment a wild-strain ret-
rovirus that cannot be effectively inoculated against than of deterring
attacks or ‘punishing’ supposed attackers;

NSA use of cyberspace should be limited by thoughtful legislation. A

concern is the NSA move from passive listening to communication sig-
nals (analogue and digital) and data mining to an active gathering of data
in cyberspace through the use of digital agents released into the wild.
While I recommended the use of digital agents across the data sets owned
by the intelligence community post 9/11 to address certain information
pooling problems,19 there is a potential problem with the use of such digi-
tal agents to collect data across all of cyberspace. The potential for a seri-
ous problem is in the capture of the digital agent by a hostile force and
the alteration of the code to infect NSA data stores, as well as other gov-
ernment or private sector data stores. With the potential for self-
replication, and modification of basic code sets, once these sophisticated
agents are released in the wild, it may not either be affordable or feasible
to turn them off easily;

A clearly articulated process to develop capital budgets for protecting cy-

berspace should be developed ASAP. Presently, the process whereby
budgets are decided and funds employed to implement policy across
multiple, often competing jurisdictional boundaries is not well thought
out. One option is to employ a PRA (probability risk assessment) meth-
odology applied across the cyberspace domain that helps to establish
high level policy discourse to set budget priorities analytically. 20 The use
of PRA across the entire cyberspace domain will highlight private sector
capital investment requirements and spur federal policy that supports
making these investments in a timely fashion. 21 Otherwise, the policy co-
ordinating function may have difficulty against agency budgeting by the

LYLE A. BRECHT --- DRAFT 1.1--- 410.963.8680 --- CAPITAL MARKETS RESEARCH --- May 24, 2009 PAGE 6 OF 9
T H I N K I N G S T R AT E G I C A L LY A B O U T C N C I ( C o m p r e h e n s i v e N a t i o n a l C y b e r s e c u r i t y I n i t i a t i v e )

politically powerful for ideas that are topical (or popular), the private sec-
tor will be left to their own devices, and we will be in reactive mode as
crises (real or perceived) materialize. If a PRA was performed for the cy-
berspace domain, we may discover that:

~90% of cybersecurity resides in the private sector and the task will be
to establish polices that promote rapid technology adoption and capi-
tal investment at scale;

more than 80% of the annual $20 billion military budget for cyber
warfare might be best allocated toward defensive cyber weapons and
much of that should be allocated to infrastructure upgrades and end
user training. Thus, much of the cyber warfare outsourcing work by
the Pentagon may not be well formulated nor money well-spent;

the greatest achilles heel to cyberspace may be the current design and
physical shape of the national electricity grid, problems that will not
be solved by Band-Aids, and that the grid’s digital switches need to
be secured not only from anomalies, but also from solar storm spikes
and EMP in order to be secure;

we probably do not yet have our arms around the full range of large
scale structural risks of cyberspace.22 Essentially, its like 1980 and the
USEPA has noticed that enforcement of NPDES permits for point
source pollution is not producing clean water. The bigger problem
than the 40,000 point source attacks in cyberspace, is non-point
pollution-like potential for system collapse from Black Swan-like
sources, an emergent problem based on that we are dealing with a
complex system whose behavior and expression of full properties over
time are non-linear. Thus, many of the policy frameworks, policy co-
ordination, and cyberspace protective initiatives presently identified
or proposed do not go far enough to address the threats to cyberspace
that may/will be encountered over time.

ENDNOTES
1The “presence of chaos in a system implies that perfect prediction... is impossible
not only in practice but in principle.” See Melanie Mitchell, Complexity: A Guided Tour
(Oxford & New York: Oxford University Press, 2009), 13, 15, 20, 23, 33.

LYLE A. BRECHT --- DRAFT 1.1--- 410.963.8680 --- CAPITAL MARKETS RESEARCH --- May 24, 2009 PAGE 7 OF 9
T H I N K I N G S T R AT E G I C A L LY A B O U T C N C I ( C o m p r e h e n s i v e N a t i o n a l C y b e r s e c u r i t y I n i t i a t i v e )

2Resilience is understood here as the “ability of networks to maintain short average

path lengths in spite of the failure of random nodes” (Mitchell, 257).

3Developed as a national critical infrastructure initiative in 1956 during the Dwight

D. Eisenhower administration.

4 “In January 2008, President George Bush signed National Security Presidential Di-
rective 54/ Homeland Security Presidential Directive 23 — more commonly known
as the Comprehensive National Cybersecurity Initiative (CNCI). The CNCI recog-
nizes that cyber security must be elevated to a level of importance on par with an
organization’s core functions and missions. It emphasizes that cyber security is a
leadership responsibility, not just a function of the Chief Information Officer and in-
formation technology staff. And it acknowledges that effective cyber security is mul-
tidimensional, multifaceted, and actively involves the entire organization.”

5Either force or counter-force measures applied with the frame that cyberspace is just
another ‘war-fighting environment.’ The subtext typically assumes that ‘National
Defense’ means force projection and is based on Deterrence Doctrine, which today
relies on fundamentally on U.S. Nuclear Posture.

6 Global GDP estimate is from U.S. Central Intelligence Agency.

7 Bill Joy, “Why the future doesn't need us,” Wired (June 2008) at http://www.wired
.com/wired/archive/8.04/joy_pr.html.

8All numbers in this draft are placeholders, requiring additional analytical work for
accuracy.

9This amount is the estimated network dependent productivity of the national econ-
omy out of $14.29 trillion total 2008 GDP for the U.S.

10Although there has been undue focus on malicious threats to the nation’s cyber-
space, what may be a more serious and likely reason for LOSE (Loss of Service Event)
and LODE (Loss of Data Event) incidents are risks from cascading failures where the
failure of one node causes the failure of other nodes (Mitchell, 257).

11Emergent
behavior is difficult to predict from an analysis of the system and its
components.

12The consequences of a future solar storm like the Carrington Event of August-
September 1859 are extensive and involve a range of potential economic impacts not
unlike a major Force 5 hurricane or tsunami that could cripple the present national
electricity grid for an extended period. See National Research Council, “Severe Space
Weather Events--Understanding Societal and Economic Impacts Workshop Report”
(NASA, 2008).

13See Dr. William R. Graham, et. al., “Report of the Commission to Assess the Threat
to the United States from Electromagnetic Pulse (EMP) Attack, Volume 1: Executive
Report (2004).”

LYLE A. BRECHT --- DRAFT 1.1--- 410.963.8680 --- CAPITAL MARKETS RESEARCH --- May 24, 2009 PAGE 8 OF 9
T H I N K I N G S T R AT E G I C A L LY A B O U T C N C I ( C o m p r e h e n s i v e N a t i o n a l C y b e r s e c u r i t y I n i t i a t i v e )

14The national electricity grid, 164,000 miles of high-voltage transmission lines and
5,000 local distribution networks is outdated, highly vulnerable, inefficient, and un-
suitable for fluctuating renewable power sources.

15A metric that measures the marginal amount of investment capital necessary for an
improvement in the national economy’s level of production efficiency.

16From an overall systems perspective, the #1 ‘threat’ I determined was with the
electricity grid itself. There is no way I could make the national cyber defense secure,
over time, with the present national electricity grid.

17http://www.nytimes.com/2009/05/29/us/politics/29cyber.html?

_r=1&th&emc=th

18Gen. Kevin Chilton, the head of U.S. Strategic Command, said “I think you don’t
take any response options off the table from an attack on the United States of Amer-
ica,” Chilton said. “Why would we constrain ourselves on how we respond?.... “I
think that’s been our policy on any attack on the United States of America.... “And I
don’t see any reason to treat cyber any differently.” (“U.S. General Reserves Right to
Use Force, Even Nuclear, in Response to Cyber Attack,” Global Security Newswire May
12, 2009).

19http://www.scribd.com/doc/9862402/Homeland-Security-Data-System-

Schematic-August-2002

20Probabilistic Risk Assessment (PRA) is an analytical process that begins with two
system design counterfactuals: (1) the magnitude (severity) of the potential adverse
consequences of system failures; and (2) the likelihood (probability) of the occurrence
of each potential consequence. The objective is not as a predictive exercise, but as a
disciplined descriptive process that may identify and highlight budget requirements
for a secure national cyberspace environment.

21My thought is that strategic policy analysts such as at BAH and SCIC might be able
to perform this work.

22 A recent example of not addressing structural risk is the use of CDO (collateralized
debt obligations) financial instruments by Wall Street. These instruments’ individual
risk was hedged via complex. financially engineered derivatives, but the structural
risk to the entire CDO market was not managed. Thus, the Federal government has
pledged, lent, provided guarantees, and provided tax relief to the tune of $11,000 bil-
lion since 2008, and the collapse of the CDO market has produced $50,000 loss of
value in financial assets worldwide to date.

LYLE A. BRECHT --- DRAFT 1.1--- 410.963.8680 --- CAPITAL MARKETS RESEARCH --- May 24, 2009 PAGE 9 OF 9