Cybersecurity
Cybersecurity is an important field of national security with which the Obama administration must contend. Currently, the United States government is extremely unprepared for any kind of cyber attack. In his 2008 Annual Threat Assessment testimony, Director of National Intelligence Mike McConnell finally acknowledged the importance of cybersecurity, but admitted that the country is “not prepared to deal with it.”
This comment was certainly reinforced by a recent “cyberwar” simulation conducted by U.S. government and industry representatives this past December. In the simulation, officials had to contend with a surge in computer attacks at a time of economic instability—a not unlikely scenario in today’s world. However—despite Bush’s recent cybersecurity initiative that attempted to address this exact kind of situation—the game participants committed planning and communications errors and failed to properly reduce the damage done by the attacks.
Luckily, President-elect Obama has already vowed to strengthen the nation’s cyber infrastructure in a number of ways. In a position paper on his website, Obama makes some of the following promises: To “strengthen federal leadership on cyber security” by appointing a national cyber advisor to coordinate and articulate national policy, to develop new and more secure hardware and software, to establish new IT standards for cyber security and physical resilience, and to prevent corporate cyber-espionage in order to protect the nation’s trade secrets.
These initiatives are all good starting points for the improvement of cyber security; however, Obama’s recommendations are fairly generic and fail to articulate how he will build upon the work done during the Bush Administration. After Chinese hackers managed to steal e-mail data from the Pentagon’s server in 2008, President Bush enacted a new Cyber Initiative (Presidential Directive 54). The initiative is a multiagency project that will create a new monitoring system for federal networks and that will also allow for data exchange with the private sector. Additionally, the Cyber Initiative will implement new smart-cards for employees and contractors (over the next few years) and will upgrade federal networks to a more secure IPv6 protocol. As President, Obama should improve upon these projects and remove some of the secrecy surrounding Bush’s Initiative. In this way, citizens can be assured that they will be protected at the same time that their privacy rights are protected, and the private sector can better cooperate with the government in order to prevent a security flaw or attack.
Other individuals and groups have also made some suggestions for the Obama administration that are worth noting. We believe that one of the most important of these is also one of the most basic: Obama needs to delink the connection that exists between federal cybersecurity efforts and the Bush war on terror. This recommendation, made by Gartner analyst John Pescatore, seems pertinent. In the post 9/11 world, the Bush administration has been overly concerned with the overall direction of the war on terror and has failed to address the more immediate threats to the federal cyber infrastructure.
Several suggestions made by the Center for Strategic and International Studies (CSIS) could also help guide the Obama administration. The CSIS Commission on Cybersecurity states that the acronym DIME—diplomatic, intelligence, military, and economic—should guide the new President, along with an emphasis on law enforcement. In other words, a cybersecurity program needs to be comprehensive and multi-dimensional in order to effectively ward off cyber attacks. Such a program would require central coordination; the Commission suggests creating a new office for cyberspace in the Executive Office of the President. Perhaps Obama’s proposed national cyber advisor could direct such an office, ensuring communication and cooperation with homeland security agencies (NSA, CIA, etc.) and technology agencies (perhaps the CTO’s office, if/when it is created) alike.
In addition, the CSIS recommends that the government buy only secure products. As the largest single customer of information technology, the U.S. is extremely vulnerable to product flaws, the smallest of which could be devastating to national security. With such a policy in place, combined with promises to build the government’s relationship with the private sector, the Obama administration would be significantly less exposed to attacks (such as the one that occurred last year). Combined with better authentication of digital identities, cyber infrastructure will be much safer in the U.S.
While all of the above-mentioned initiatives would greatly improve cybersecurity in the United States, one important caveat must be made: Privacy rights must be preserved. One can easily get caught up in the wonders of new technology or security initiatives, but civil liberties are one of the most fundamental values articulated in the U.S. Constitution and must be considered before implementing any new program. As we have mentioned in previous posts, the NSA’s warrantless wiretapping was a blatant and unnecessary intrusion on privacy rights, and should never occur again.
This warning is particularly applicable if the U.S. government begins to work more closely with the private sector. While we fully encourage the government to coordinate with private companies, there should be clearly articulated rules and guidelines that limit what information can be shared. Such a request is not unreasonable. In fact, it is merely a matter of openness and oversight: A new cyberspace office would be able to monitor data sharing and coordination, and would be able to maintain the delicate balance between civil liberties and national security. Hopefully, President Obama will be aware of this need when constructing a more detailed vision for cybersecurity and will learn from the mistakes of the secretive Bush administration.