Defense Media Network

A Byting Problem

The Cyber Security Problem

For thousands of years, infrastructure connectivity has been key to the security, successes, and failures of citizens, countries, and their economies. Driving this connectivity are technologies that ultimately define the ways people, countries, and commerce connect.

From the ancient Appian Way, which sped information, military forces, and wealth throughout the Roman Empire, to today’s cyberspace, which transmits news, encrypted security information, and financial transactions in nanoseconds, human dependence on assured infrastructure connectivity remains essential to life.

Hence the challenge of dealing with today’s cyber infrastructure.

There is no facet of life on Earth today that is not affected or dependent upon cyber infrastructure. Public and private sectors of every size and shape are involved with its creation, maintenance, and operation. Opinions on how to preserve and protect it are as varied as their originators and the threats and challenges they must mitigate against.

As part of its overflowing “to do” list, the newly installed administration of President Barack Obama took active ownership of the issue in early 2009 and tasked Elizabeth Hathaway (who had served as one of the Bush administration’s leads for cybersecurity in the Office of Director of National Intelligence) to lead a top-to-bottom 60-day review of the nation’s cyber architecture. Released at the end of May 2009, Hathaway’s work, the “Cyberspace Policy Review,” became the epicenter of one of the most complex policy and operational debates to hit Washington in years. It involved all of the players you would expect from a Washington Beltway drama too: power, money, turf control, ego, finger-pointing, and much more.

With literally every sector of America involved with the cyber arena, the administration’s cyber approach would find no shortage of stakeholders, critics, or intrigue.

In the federal government, cabinet departments battled over roles, budgets and authorities on the issue.

In Congress, jurisdictional battles between committees and members broke out in multiple directions. Proposed solutions have been numerous, with competing and often conflicting remedies among them.

Privacy fears, civil rights protections, and concerns about the roles and responsibilities of the intelligence community, U.S. military, and governmental and law enforcement agencies also emerged.

The liabilities and responsibilities of private-sector members, infrastructure owners, and operators as well as individual citizens also took shape.

Among all of these players were growing and emerging threats, including:

• The role of nation-states (e.g., China, Russia, etc.) using cyber-warfare to disrupt or take down the infrastructures of others (e.g., communications and power infrastructures in Estonia and Georgia by Russia; penetration of the U.S. power grid by China); engage in espionage (e.g., Chinese hacking of congressional computers on Capitol Hill); or commit economic espionage of U.S. companies;

• The rise of organized crime and other criminal enterprises using cyber tools and architectures to commit complex and intricate crimes, including identity theft, bank fraud, illegal transactions, etc.;

• Terrorist organizations that by a stroke on a keyboard (instead of pressing the button on a bomb detonator), could cause infrastructure disruption or destruction, incurring the loss of property and lives;

• Disgruntled employees, hackers, or “lone individuals,” who by using computer viruses, malicious code, and other cyber methods could deface, disrupt, or cause havoc to companies, communities or citizens; and,

• Increasing demands, interdependencies, and reliance upon cyber tools to operate and monitor existing infrastructures around the world.

In looking to prescribe its plan of action, the administration understood early on that when dealing with this issue, it had to form a broad-based strategy that would have the buy-in of not just the federal government but the range of international, as well as other public, private, and nongovernmental organization (NGO) stakeholders that also held responsibilities with cyber.

Terry Halvorsen, U.S. Naval Network Warfare Command Deputy Commander, speaks about the ever-growing concerns of cyber security as the featured guest speaker during the monthly Armed Forces Communications and Electronics Association luncheon at Norfolk, Va., April 14, 2009. U.S. Navy photo by Mass Communications Specialist 2nd Class Justin Ailes.

Central to the White House’s cyber security strategy recommendations was establishing a position within the Executive Office of the President that would be responsible for coordinating the various national policies associated with cyber security. With a pledge by the president to personally select this individual, the post of White House cyber security advisor was greeted with a great deal of fanfare by the news media and cyber-focused constituencies when it was announced.

Dubbed by many early on as the “cyber czar,” the much-heralded position had been called for by many government-sponsored and independent studies, including the congressionally mandated Center for Strategic & International Studies (CSIS) study, “Securing Cyberspace for the 44th Presidency.” The position quickly came to be seen as one with no authority, little strength, or even real meaning when numerous efforts by the administration failed to fill the post with a qualified individual. With no statutory authority to move budgets or direct resources to respond to emerging threats or cyber events, administration officials began to play down the significance of the position in favor of reinvigorated and federally capitalized efforts at DHS, the Pentagon, and within the intelligence community.

While the White House grappled with its inability to find someone for the position, the turf battle over what department led what in the cyber arena took shape.

Taking over in late January 2009 as the new secretary of Homeland Security, former Arizona Gov. Janet Napolitano took her department’s existing authorities and resources in cyber and consolidated them into one area of DHS. Bringing in new leadership in the form of former government and Microsoft executive Phil Reitinger, to serve as director of the National Cybersecurity Center (NCSC) and former Alltel Communications executive and Justice Department computer crime prosecutor Greg Schaffer to serve as the assistant secretary for cyber security and telecommunications, Napolitano’s team got off to a relatively fast start.

With established authority over the “.gov” domain, Napolitano’s team and DHS began to implement new security protocols for federal government agencies in terms of entrance portals to the Internet. As part of its Einstein Program (started during the previous Bush administration) these DHS efforts consolidated the previous entrance portals. By reducing the number of entry points, the security focus could be centralized into those areas instead of being distributed over too wide an area as had been the previous case.

While Reitinger and Schaffer’s team moved out on implementing Einstein and other cyber security safeguards in the federal sphere, they encountered a problem that has long plagued the federal government – retaining executive leadership. In the same week, two high-profile resignations – Melissa Hathaway from her post as acting White House cyber security advisor, and Mischel Kwon, as director of the U.S. Computer Emergency Readiness Team (CERT) – occurred, putting the administration on the defensive in terms of its ability to retain top talent to lead its cyber security efforts.

U.S. Air Force Chief Master Sgt. Thomas Narofsky, United States Strategic Command, briefs 110 military personnel about cyber and space threats during a senior enlisted leaders training conference March 24, 2009, at Vandenberg Air Force Base, Calif. This is the second annual conference to be held at the base.

Starting in the Bush administration, DHS, as well as other federal components, have been in an uphill fight trying to attract new talent to work in the cybersecurity arena. With an overflowing inbox, enormous demands and pressures, and too few employees to handle all of the load, DHS’ and the federal government’s cyber team remains an active work in progress. To address the long-standing personnel problem, Napolitano announced in late September 2009 DHS’ intention to hire up to 1,000 new employees over the next three years to serve in the cyber arena. The challenge before DHS is competing for a limited talent pool when the private sector is able to offer potential applicants more options and money than traditionally offered by a government position.

DHS was not the only federal entity to have a challenging 2009 in the cyber arena. The Pentagon had its share of challenges as well.

With published reports of successful Chinese government efforts to access sensitive plans on U.S. military aircraft as well as other sensitive national security matters, the Pentagon leadership went on the offensive to address the threats it faced from nation-states, terrorist groups, spies and more.

While recognizing that U.S. forces needed to do a better job in safeguarding critical and sensitive information from enemy forces, the Pentagon was quick to note that their cyber efforts would not just be a defensive posture.

In his July 23 memorandum establishing the U.S. Cyber Command (which would be part of the U.S. Strategic Command) for military cyberspace operations, Defense Secretary Robert M. Gates explained:

“Cyberspace and its associated technologies offer unprecedented opportunities to the United States and are vital to our nation’s security and, by extension, to all aspects of military operations. Yet our increasing dependency on cyberspace, alongside a growing array of cyber threats and vulnerabilities, adds a new element of risk to our national security. To address this risk effectively and to secure freedom of action in cyberspace, the Department of Defense requires a command that possesses the required technical capability and remains focused on the integration of cyberspace operations.”

After three weeks of Russian cyber attacks on Estonia in May 2007 that crippled the small Baltic country’s government computers, national media, financial systems, and other infrastructures (without firing one gunshot) and the subsequent Russian cyber attack on the nation of Georgia in August 2008 prior to its military invasion, the Pentagon and U.S. allies (NATO) were aware that a new era in warfare had begun.

Military-style “blitzkrieg” tactics now had a new weapon – the keyboard – which, like the bombs of old, could destroy or disrupt communications, cut off information flow, shut down power sources, and more. Having an edge in this environment has now become the greatest tactical weapon a nation can have, and the Pentagon’s efforts were meant to show they took the threat and the ability to have an offensive capability very seriously.

As U.S. Marine Corps Gen. James E. Cartwright described in his June 4 remarks at the Center for International and Strategic Studies (CSIS), “There will be a cyber capability at the tactical level, and … we [will] deploy it forward.”

The fact that the Pentagon has made the move on establishing a cyber command brought a sense of security to many, but nowhere were there more concerns about the role of government in cybersecurity than the operations of U.S. intelligence services.

In a blistering resignation letter to Napolitano in March 2009, then-NCSC Director Rod Beckström described the National Security Agency (NSA) as “effectively” controlling “DHS cyber efforts through detailees, technology insertions” and more.

He went on to say:

“NSA currently dominates most national cyber efforts. While acknowledging the critical importance of NSA to our intelligence efforts, I believe this is a bad strategy on multiple grounds. The intelligence culture is very different than a network operations or security culture. In addition, the threats to our democratic processes are significant if all top level government network security and monitoring are handled by any one organization either directly or indirectly.”

Former Vice Chairman of the Joint Chiefs of Staff Marine Gen. James E. Cartwright spoke at the Air Force Cyberspace Symposium in Marlborough, Mass., about the importance of experimenting with cyber warfare implementation for the battlefield. DoD photo by Master Sgt. Adam M. Stump, USAF.

Beckström’s very public resignation and finger-pointing at the NSA spoke to the fears of many civil liberties groups and concerned citizens about the role of the intelligence community.

With fears of privacy infringements, domestic spying, and other prospective civil rights abuses being echoed nationally, the president sought to allay those fears by declaring that his administration’s “pursuit of cyber security will not – I repeat, will not – include monitoring private-sector networks or Internet traffic. We will preserve and protect the personal privacy and civil liberties that we cherish as Americans. Indeed, I remain firmly committed to net neutrality so we can keep the Internet as it should be – open and free.”

While suspicions remain for many about the roles of U.S. intelligence and government agencies in monitoring the nation’s cyber security interests, few proposals drew more concern from the private sector than those in the initial draft of legislation proposed by U.S. Senators Jay Rockefeller (D-W.V.) and Olympia Snowe (R-Maine).

The legislation sought to create a centralized point for cybersecurity in the federal government: a presidentially appointed individual who would oversee all federal computer networks, but whose authorities would not stop there. Under this legislation, if a cyber attack were under way, this person would have the authority to shut down private-sector cyber networks, regardless of liability or impact. With additional authorities to provide oversight over the various federal budgets, programs, and policies in these areas, as well as cyber security standards for the public and private sectors, the scale and scope of this proposed position were described by intelligence officials as “unprecedented.”

The size, scale and scope of the Rockefeller-Snowe legislation raised enormous concerns with private industry, as well as other federal agencies, but their legislation was not the only congressional voice on cyber security. By October 2009, numerous other drafts of various legislative bills were being shared for comments among congressional members, staffers, lobbyists, and industry groups. At stake in this legislative debate were more than just new titles for government positions and statutory guidance on who would do what to whom in the cyber arena.

Billions of dollars were involved in the public and private sectors, and who controlled where and how those dollars were spent would be at the center of the debate when it came to dealing with this issue. More than any other U.S. infrastructure, the cyber arena would be the recipient of more money, resources, and attention, and as such it had captivated the interests of everyone.

As to the future of cyber security, it remains an unsettled field, with threats and challenges expanding more rapidly than ever before. While DHS, because of its existing programs and authorities, is home to the majority of efforts in cyber security, the role that the private sector plays cannot be understated or discounted.

Nowhere is cyber more prevalent than in the world that has defined and revolutionized its uses – the private sector. New technologies, cyber-enabled tools (e.g., social media sites), emerging applications (e.g., iPhones), and infrastructure dependence arrive daily, and as citizens, companies, and conglomerates begin to adapt them into their lives, the fact remains that actors with less than diplomatic intentions and other nefarious users will use the same breakthroughs for their ill-intended purposes as well.

As ongoing attacks against U.S. forces in the Middle East and the November 2008 attacks in Mumbai, India, have revealed, terrorists are becoming increasingly sophisticated in using new technologies and tools. This includes using cyber methods to execute their assaults. In remarks at the National Spy Museum in Washington, D.C., in early October, the former director of national intelligence, Mike McConnell, observed that, “When terrorist groups have the sophistication, they’ll use it.”

In their crosshairs will be public utilities (power, water, etc.), financial institutions, public health centers, transportation networks and other critical infrastructures. With more than 80 percent of U.S. infrastructure either owned or operated by the private sector, more of the private sector is directly on the front lines. As such, the private sector has been more than proactive in securing its own self-interests and those of its customers, but like its public-sector counterparts, there remains more to be done.

Securing an ever-evolving and dynamic infrastructure such as cyberspace will require patience and partnership with multiple parties. Those are items in short supply when assaults and infractions are continuous and coming from all sides. Those same items, though, will be necessary as cyber security strategies are shaped and executed in 2010 and beyond.

The consequences of failure will have negative ramifications for every part of American life, and those are costs no one wants to bear. In the words made famous by NASA’s Apollo 13 mission, “Failure is not an option.”

This article was first published in The Year in Homeland Security: 2009 Edition.

By

Richard “Rich” Cooper is a Principal with Catalyst Partners, LLC, a government and public affairs...