On May 31, 2011, the Center for a New American Security – a bipartisan think tank founded in 2007, with close ties to the Obama administration – released a two-volume, nearly 300-page report titled America’s Cyber Future: Security and Prosperity in the Information Age.
Largely a compilation of essays from the nation’s leading experts in information technology and security, the report defines U.S. national interests in cyberspace, identifies different cyber threats, and describes what the U.S. government has done, and is doing, to promote cybersecurity.
America’s Cyber Future consists of two volumes, the first of which is a primer on the issues of cybersecurity. In volume one, the report’s co-editors, Kristin M. Lord and Travis Sharp, assert that the nation’s growing dependence on linked information networks has created new vulnerabilities that are being exploited at a rapid and increasing rate: Government networks currently experience “approximately 1.8 billion cyber attacks of varying sophistication targeting Congress and federal agencies each month.”
Cyber attacks can result in serious damages – economically ($1 trillion in lost intellectual property in 2008, according to the computer security company McAfee), physically, and potentially even mortally, with the loss of human life.
Given the stakes, Lord and Sharp urge an approach that is both disciplined and imaginative, foreseeing threats before they can strike. “This is a race and America’s future is on the line,” they write. “There is no time to waste.”
A “Monroe Doctrine” for U.S. Cyberspace
Among the recommendations made by the report, few, if any, would surprise anyone familiar with the issue of cybersecurity – but that’s probably a good thing. Amid the many disclosures, over the past few years, of repeated and high-profile breaches of government and private systems – including those of several defense contractors – it’s probably wise to focus on a limited number of commonsense measures. CNAS’s proposals tend to focus on two major themes:
- Stronger, more unified leadership. So far, a major obstacle to a united government front on cybersecurity has been the dispersal of programs among the intelligence community, the departments of Defense, Justice, and Homeland Security, and other agencies. Because cybersecurity is such a relatively recent issue to American government, questions about who has legal authority to regulate and monitor government and private systems are still being sorted out.
CNAS urges a comprehensive strategy for a safe and secure cyberspace, and – perhaps acknowledging the intractable turf wars that have resulted – urges the creation of a White House Office of Cyber Security Policy to “build the institutional capacity necessary to coordinate U.S. government responsibilities for cyberspace.” It also urges several mechanisms for better oversight of U.S. government cybersecurity activities, by both the legislative and executive branches.
Once a comprehensive national strategy is articulated, the United States can begin working on an international cybersecurity agenda with partner nations and organizations.
- A more proactive strategy. Almost by definition, the ad hoc nature of U.S. cybersecurity measures has meant that many actions have been undertaken in response to, rather than in anticipation of, network breaches. A stronger and more unified approach to federal cybersecurity may, the report suggested, create an environment in which the private sector’s innovations and expertise can help to create more secure networks.
It’s been frequently pointed out that people or groups who attack U.S. networks have little fear of consequences, especially retaliation. With the Pentagon preparing to publicly declare that it considers cyber attacks to be acts of war, subject to a full-scale military retaliation, the CNAS report recommends establishing a “declaratory policy,” outlining broad guidelines for how the United States would respond to certain kinds of cyber attacks.
Deterring Cyber Threats
Articulating clear consequences for cyber attacks would, the CNAS said, make the United States “a shaper, not a victim, of developments in cyberspace.” But – significantly – the report’s authors also warn against sensationalizing the issue, hyping any term that contains the prefix “cyber.”
“Sobriety,” the report states, “is in order.” To think of cybersecurity as mostly a technical problem, with cyber-geniuses pitting themselves against each other in a global cat-and-mouse game, is counterproductive. At the root of every cyber threat are simple human behaviors.
This point was driven home nearly a month after the release of CNAS’s report, when the Department of Homeland Security revealed the results of a test it ran to discover how difficult it might be for an outsider to gain access to government computer systems. The test consisted of dropping computer discs and USB thumb drives in the parking lots of government buildings and private contractors, and waiting to see what happened. The results: 60 percent of the people who picked them up took them inside and plugged them into a computer to see what they contained; if the drives or discs were marked with official logos, the percentage climbed to 90. It’s easy to see why CNAS is calling for strong government leadership that, among other aims, “bolsters cyber security education and recruitment programs.”
“Success,” wrote Lord and Sharp in their introduction to the report, “requires stronger and more proactive leadership by the U.S. government. It requires companies and researchers to innovate faster than criminals and spies. And it requires organizations and individuals across America and around the world to take responsibility or their own security. We must not wait for a digital disaster, intentional or otherwise, to reverse the growing trend of cyber insecurity.”