By Suzanne Kelly and Pam Benson
The ancient Chinese military general Sun Tzu emphasized that an effective war strategy required quick and appropriate responses to changing conditions.
If that is the measure of the battle for cyberspace, some experts would argue, the U.S. is losing.
Hackers are infiltrating networks and personal computers daily. Most often, victims don't even know they've been infiltrated until the damage is done.
The question now is just who will help prepare the U.S. to better position itself for the longer war?
Congress, former government officials and private sector experts often have conflicting ideas.
One example of that came from former director of National Intelligence Mike McConnell speaking this week at a cyber panel at George Washington University.
McConnell suggested granting the super-secret National Security Agency the power to patrol private networks, both foreign and domestic, for signs of attack.
Such suggestions make some who are concerned about privacy and civil liberties queasy.
McConnell argued that networks could be protected from unwanted government monitoring by legislation that would prohibit the NSA from looking at network content as they scan for bad guys.
As he put it, there is not a corporation in the country that can successfully defend itself against the threat, so why not grant power to the agency that already sees the globe at network speed?
"The question is, if it moves at network speeds and goes from one side of the globe to the other in less than a second, do we want to empower NSA to look at domestic networks to find bad things," McConnell said.
"That's monitoring. Well you can say well that's scanning, scanning for malware. You can define this lots of ways. You can also make it illegal to look at content. I think if you investigate and understand the behavior of these agencies, they do not violate the law. So make that part illegal and make scanning for malware legal. That's another way to address that issue."
Surveying the battlefield
As McConnell laid out his thoughts, another panel of cyber experts was convening across town.
Federal Communications Commission Chairman Julius Genachowski told the Bipartisan Policy Center crowd that some $8 trillion was exchanged each year on the Internet. Shutting down the Internet, he said, would essentially shut down our economic growth engine.
He outlined what he sees as the biggest threats, and called on Internet service providers to do a better job of informing Internet citizens about the risks they face every time they log on.
Botnets are perhaps the biggest threat, according to Genachowski. Essentially, botnets are like robots that take over your computer, rendering it a "zombie." One single botnet, Genachowski told the crowd, controlled some 12 million computers in 190 countries for a short period of time.
Actually controlled them, with the ability to perform transactions, steal data, you name it.
Internet 'hijacking' is another critical concern. A recent case of Internet hijacking saw Internet traffic being "re-routed" through a Chinese server where it was more than likely monitored. It was one single attack that had millions of pieces of e-mail traffic hijacked. That "battle" lasted just 10 minutes, but even the experts can't tell you the extent of the damage done.
Domain name fraud is also on Genachowski's top-three list. It allows identifying information about existing websites to be changed. You might think you're looking at your bank's website, but really it's being run by a criminal in some back room in another country. It actually happened in Brazil in 2009. The country's biggest bank had its online identity stolen for four hours, compromising customers' user names and passwords.
The FCC estimates the cost of such Internet attacks is in the tens of billions of dollars annually.
Saving business is a key concern of those drawing up the battle plan for this cyberwar, but protecting lives is important, too.
One bill introduced last week in the Senate proposes to require private companies that operate "critical infrastructure" to prove that they are protecting themselves from cyber attack.
Under the legislation, the Department of Homeland Security would determine which businesses are deemed "critical infrastructure." It would include things such as water filtration plants, air traffic control systems and electrical grids.
But Stewart Baker, former assistant secretary for policy at DHS and now a partner at Steptoe & Johnson LLP, calls Genachowski's efforts little more than "jawboning."
"It is an incremental step, but it's not even the beginning of the solution. The other guys have already lapped us and all we've done is tie our shoes," Baker said.
The private cyber warriors
Kevin Mandia was an unlikely cyber warrior. When he was stationed at the Pentagon in 1993 as an Air Force computer security officer, mainframes were his life from 9 to 5. He wanted to be a medical examiner and sort through the "blood and guts" to figure out what had caused some catastrophic event to a human body. Instead, he heads a firm that deconstructs cyberattacks and tells Fortune 100 companies just how the attack was launched. His company is actively investigating more than 40 intrusions reported by clients.
When he started the company in 2004, it was a one-employee operation. Today, he employs more than 200 people. He's flown more than 100,000 miles a year for the past several years visiting clients who have been the victims of cyber attacks. He's not a big believer in government curing the problem.
"Cancer. We've known about cancer for 4,000 years and we've never cured it," Mandia said from his company headquarters in Alexandria, Virginia. "I think with a lot of the IT security woes, people think there's going to be a cure, you can legislate a cure, and to me it's almost like legislating a cure for cancer. It's more complex than that and the complexity is because a lot of the intrusions rely on human nature."
Mandia literally banks on human nature. That's because part of the problem with Internet security is the user. Using a computer screen displayed on an oversize monitor, he overlays the user's screen with the hacker's. As the user logs into his e-mail account, the hacker waits. He has done his research. He knows that just a day earlier, the user attended a conference on security. He knows that because of the Internet. Both the conference and a list of attendees were posted on a company website. The hacker has downloaded the PowerPoint presentation that was given, infected it with a malware program to take over the user's computer and e-mailed it to the user with the subject line reading: Thank you for attending the conference. PowerPoint presentation attached. With one click, the user has allowed the hacker into his computer.
"We are trusting and I think you've gotta be, and a lot of the intrusions I've seen would work on me," Mandia explains as he lays out just how cyberattacks work so well.
Mandia predicts decades of growth for cybersecurity specialists ahead, regardless of what the U.S. government eventually does to tackle the problem.
"I think there's gonna be a growth in it because the private sector has to protect the private sector in this regard," Mandia said. "There's not going to be a magic phone number to get a DHS person on the phone for a computer intrusion."