Is the U.S. Prepared to Manage Cybersecurity Threats?
By Stephen Recca, M.A
In recognition of Cybersecurity Awareness month in October, our faculty offer insights on both policy and technical issues related to cybersecurity. In our fourth post of the series Bruce Harmon, Ph.D., took a look at the individuals behind cybersecurity threats and the methods they used to wreak havoc. In today’s post, Stephen Recca, M.A., discusses whether the United States is prepared to meet the threats of cybersecurity through industry and government strategies, polices and practical activities.
The United States does not yet have a national strategy to deal with cybersecurity; cyber law is undeveloped; and while narrow segments of expertise exist inside and outside of government, broad understanding of the threat and what we might do to prepare for, recover from, and respond to cyber attacks is woefully lacking.
The Governmental Approach
Of course, some good work has been done by both the federal government and the private sector, both of which have a vested interest in protecting information and sensitive operating systems. The current administration has provided a general overview of the government’s approach to cybersecurity:
Our Nation’s cybersecurity strategy is twofold: (1) improve our resilience to cyber incidents and (2) reduce the cyber threat. Improving our cyber resilience includes hardening our digital infrastructure to be more resistant to penetration and disruption; improving our ability to defend against sophisticated and agile cyber threats and recovering quickly from cyber incidents—whether caused by malicious activity, accident, or natural disaster. Where possible, we must also reduce cyber threats. We seek to reduce threats by working with allies on international norms of acceptable behavior in cyberspace, strengthening law enforcement capabilities against cybercrime, and deterring potential adversaries from taking advantage of our remaining vulnerabilities.
While perhaps implicit, the strategies for public summary does not address how government and the private sector must work together to meet the threat. So there’s some work still to be done to ensure we have a comprehensive approach to cybersecurity, not just a government plan and a private sector plan (or, really, hundreds, if not thousands, of plans). Nevertheless, the “strategy” – really, just a website teaser – does what a strategy should do: provide the guiding principles for a national cybersecurity plan of action. In addition, the site also offers the administration’s 10-point plan, and supporting documents. Worth a visit, and deeper dive into the framework documents. One of which, the Comprehensive National Cybersecurity Initiative, gets to the heart of the vast challenges we face and puts placeholders down on how we might move the nation forward to address current and future threats.
Defense Department Approach
The Department of Defense has long been in the operational game of cyber or information operations. More recently, the Defense Department has taken a keen interest in cybersecurity and defensive strategies, as well as tactics, techniques and procedures. In 2010, U.S. Cyber Command reached initial operational capability and opened its doors for business. General Keith Alexander, head of the National Security Agency, took on the dual role as Commander, USCYBERCOM. In his statement to Congress at the time, Alexander described the playing field:
"My own view is that the only way to counteract both criminal and espionage activity online is to be proactive. If the U.S. is taking a formal approach to this, then that has to be a good thing. The Chinese are viewed as the source of a great many attacks on western infrastructure and just recently, the U.S. electrical grid. If that is determined to be an organized attack, I would want to go and take down the source of those attacks. The only problem is that the Internet, by its very nature, has no borders and if the U.S. takes on the mantle of the world's police; that might not go down so well." (Testimony before the House Armed Services Committee)
This gets to the hard truth of developing a national approach to cybersecurity: Are the cyber threats to be treated as crimes or acts of war? If the former, is there a place for the Defense Department to intervene? If latter is the case, what is our threshold for counterstrikes? What tool would we use in our military arsenal if say, China or Iran attack our critical infrastructure. “Before” is clearly the better time to discuss, build consensus, and develop the legal and policy frameworks, as well as the operational tools to protect and respond to these threats. Click for a general understanding of USCYBERCOM’s structure.
To diverge briefly, perhaps we can enjoy rational ignorance of the cyber threat for a bit longer. The term – and its application – is hardly new (coined by Anthony Downs in 1957). Rational ignorance is defined as a “deliberate choice of a person not to acquire (not to pay attention to) a certain kind of information because of its cost in terms of time and effort that yields little or no benefit.” So, in economic decision terms, we choose not to know based on a desire to save time (which is money). There’s another aspect, though, that may apply to our heretofore inability to adequately address cyber issues on a national scale. I’ll call it by its quasi-Latin name, ignoramus ostrichas. Or, the willful burying of our heads in the sand. How’s that working for us so far?
Are our Nation’s leaders doing enough manage cybersecurity threats? Share your thoughts in the comment box below.
Image credit: Oneeyeland / Colin Thomas