While avoiding specific policy prescriptions, the recommendations of NSCI and CSIS had much in common, including calls for:
- coherent organization and leadership in establishing a national cybersecurity strategy;
- a foreign policy that lays out a vision for the future of a global Internet, including behavior norms and consequences for malicious action;
- better oversight to ensure privacy and civil liberties;
- more federal authority to ensure cybersecurity and develop public-private interaction on the issue; and
- federal workforce, R&D, and acquisition policies that will drive the public and private sectors toward more secure products and services.
CSIS’s commission, in its report, also called for “an expanded ability to use military capabilities for defense against advanced foreign threats.” Coupled with the commission’s call for better privacy oversight, this requirement points to a major obstacle to progress thus far: the age-old tension, in civil society, between security and liberty. Many Americans remain ambivalent about how to secure an arena still widely viewed as an unspoiled intellectual frontier.
There has been no such ambivalence in the U.S. military, which has been securing defense-related computer networks for half a century. Its experts, most of them employed by the National Security Agency (NSA), are among the world’s most skilled and knowledgeable in protecting communications and information systems. They are also, however, military personnel, and therefore generally barred from policing domestic infrastructure; lawsuits resulting from NSA’s warrantless wiretapping activities over the past several years are still playing out in the courts.
Although DHS has been given unambiguous leadership, by both the Bush and Obama administrations, for protecting civilian cyberspace, its position tends to be treated as something of an open question by those reluctant to squander the military’s expertise. As recently as April 2011, retired Marine Corps Gen. Peter Pace, former chairman of the Joint Chiefs of Staff, publicly stated the opinion that DHS’s cybersecurity work should be handed over to the military’s Cyber Command, situated with NSA at Fort Meade, Md.
“It’s really hard to do some of the things NSA does,” said James A. Lewis, director of the Technology and Public Policy Program at CSIS, “like encryption. They’ve been doing it for 50 years, and they have 800 of the world’s best mathematicians and a giant supercomputer. DHS doesn’t … that means for some tasks, you have to go to NSA. There is some merit to the argument that NSA should protect national networks – except that politically, the U.S. just doesn’t invite the military to do police work. So you have this misallocation: NSA has the capability; DHS has the responsibility. We’ve got to find some way for them to work together.”
In late 2010, DHS took its first step toward a working partnership with the military, in the form of a memorandum of agreement on cybersecurity signed by then-Secretary of Defense Robert M. Gates and Secretary of Homeland Security Janet Napolitano. Under the agreement, the Department of Defense’s (DoD’s) cyber analysts will work with their counterparts at DHS to formally support the National Cybersecurity and Communications Integration Center, or NCCIC; for its part, DHS will provide a full-time senior leader to the National Security Agency, along with a support team composed of privacy and civil liberties advisers. The arrangement seems perfectly logical, given DoD’s mission of providing support to civilian authorities during attacks on the homeland.
With the question of authority seemingly settled – for now – the Obama administration released, in the spring of 2011, a series of documents outlining policies and strategies for securing domestic cyberspace, with two cornerstones. The first was the International Strategy for Cyberspace, which the president described as the first attempt to unify “the nation’s engagement with international partners on the full range of cyber issues.” The second was the Cybersecurity Legislative Proposal, a package of proposals envisioning the government’s role in both confronting cybersecurity threats and protecting civil liberties and privacy.
The documents were a welcome follow-on to the president’s 2009 Cyberspace Policy Review, in which he identified cybersecurity as “one of the most serious economic and national security challenges we face as a nation.” While it’s still too early to measure tangible results of the White House’s strategic documents, the proposals outlined in them have been generally praised for being everything the government’s approach has not been so far: robust, proactive, and forward-thinking.
The 30-page International Strategy draws on President Barack Obama’s principle of global engagement, setting forth the U.S. government’s vision for cyberspace in the areas of defense, diplomacy, and international development. It follows on the administration’s change in position, during the summer of 2010, when it decided against going it alone on cybersecurity and instead joined a 15-nation collaboration to discuss collective norms of behavior in cyberspace. The document is a signal to other countries that the United States wants to collaborate to secure digital networks, but also sees these networks as a strategic national asset that will be defended. In November 2011, the Department of Defense issued a report to Congress clarifying this last point, confirming that it was ready to add cyberspace to sea, land, air, and space as the latest domain of warfare – the military would, if necessary, use force to protect the nation from cyber attacks.