In May 2009, after President Barack Obama declared cyberspace a critical national asset that the United States would use all means to defend, the White House released a document called the “Cyberspace Policy Review,” which laid out a framework for examining federal cybersecurity policy and establishing an integrated national strategy.
In January 2011, at the midway mark of the president’s first term, two outside entities weighed in on how the White House was doing. The National Security Cyberspace Institute (NSCI), a private company offering cyberspace research, analysis, and education to public and private entities, issued a report card on the White House’s progress toward meeting its own near-term goals. The grades were nothing to brag about: four Bs, four Cs, and two Ds. The Center for Strategic and International Studies (CSIS), a bipartisan Washington, D.C., foreign policy think tank, also detailed a lack of progress in “Cybersecurity Two Years Later,” in which it concluded: “The energy in the national dialogue on cybersecurity has not translated into progress … In our view, we are still not prepared.”
In the introduction to its report, CSIS’s Commission on Cybersecurity wrote: “2010 should have been the year of cybersecurity. It began with a major penetration of Google and other Fortune 500 companies, saw the Department of Defense describe how its classified networks had been compromised, watched the Stuxnet worm cut through industrial control systems, and ended with annoying denial of service attacks over Wikileaks.”
It is not yet, the report concluded, the year of cybersecurity. While worded differently, and avoiding specific policy prescriptions, the recommendations of NSCI and CSIS had much in common, including calls for:
- Coherent organization and leadership in establishing a national cybersecurity strategy
- A foreign policy that lays out a vision for the future of a global Internet, including behavior norms and consequences for malicious action
- Better oversight to ensure privacy and civil liberties
- More federal authority to ensure cybersecurity and develop public-private interaction on the issue
- Federal workforce, R&D, and acquisitions policies that will drive the public and private sectors toward more secure products and services
The Sticking Points
CSIS’s commission, in its report, also called for “An expanded ability to use military capabilities for defense against advanced foreign threats.” Coupled with the commission’s call for better privacy oversight, this requirement points to one of the major obstacles to progress thus far: the age-old tension, in civil society, between security and liberty. Many Americans remain ambivalent about how to secure an arena still widely viewed as an unspoiled intellectual frontier.
Isaac Porche, a senior analyst and cybersecurity expert at the RAND Corporation, a nonprofit policy think tank, has identified this as the crucial – and unresolved – issue in determining the nation’s cybersecurity policy. In an article entitled “Stuxnet is the World’s Problem,” published in a December edition of the Bulletin of Atomic Scientists, Porche argued that the damage wrought by the Stuxnet worm heralded a new era of threats to the nation’s infrastructure, and raised the issue of whether – and how – the nation’s information laws should be reformed.
“There’s a tremendous amount of unsettled positions when it comes to who is going to be the protector of the networks of the United States,” Porche said. By far the best federal agency for the job, he said, is the National Security Agency – and that scares some people. “If you’re … concerned about privacy issues, are you going to be able to put the meanest, toughest bad guys there to protect you? We’re pretty good at this, really. We’ve got agencies that know how to handle this. But do you want a spy agency in charge of your home networks, even if they’re the best?” The details of the NSCI and the CSIS reports indicate that the White House, while designating the Department of Homeland Security as the coordinating agency for cybersecurity, is still struggling with this question.
Another obstacle to progress identified by CSIS is turf war – cyber functions are scattered across the executive branch, and reorganization could mean some offices would have to surrender control and lose independence. While these issues are still being negotiated, the White House’s Office of Management and Budget has used its legislative authority to require stricter measures from executive branch CIOs. It’s a small step toward greater cybersecurity within the executive branch – but still nowhere near the scale or the speed with which the White House’s critics are urging it to act.
“Before Stuxnet,” Porche said, “people were saying: ‘We don’t have to worry about critical infrastructure. Nobody is going to open up a dam or drop a power supply with a virus. It doesn’t work that way.’” It’s clear now, in the Information Age, that there is very little of value that can’t be reached from almost anywhere in the world – and that the government still has much work to do in preparing for that possibility.