Any warfighter can tell you, when engaged in warfare, every second matters. It is no different in cyberspace. At the speed of cyber, every nanosecond matters. Make no mistake, just as sure as we’ve been at war in Iraq and Afghanistan, we’ve also been at war in the unseen realm of cyberspace. Even more challenging, this war is being waged on all fronts simultaneously.
Ironically, even as man wages conventional war, we recognize the need for governance and rules to protect the humans that make up the very humanity warfare destroys. But this new battleground – cyberspace – is largely ungoverned. No one has defined a Geneva Convention-like standard to check state actors’ actions in cyberspace. The equivalent of torture in cyberspace has not been defined, nor its virtues debated. Because of the lack of clearly defined cyber warfare constructs, every actor is largely guided by their own ethos, morals and sense of right and wrong. This works to the distinct disadvantage of a democratic God-fearing nation such as the United States. Our Constitution holds us to a higher standard than many of our adversaries, and that is detrimental in cyberspace. Our inherent right to privacy and the debate surrounding security and privacy, while important to our democracy, provides yet another hurdle that our adversaries do not have to deal with.
In essence, we are fighting with one hand tied behind our back due to our own legal restrictions and overzealous privacy concerns. That debate will, and should, continue. While some of that price is well worth paying to maintain our democracy, there are still many things we can do from a policy perspective – without compromising our foundational ideals – to better enable our cyber operators to protect our interests.
We talk a blue streak about public-private cooperation and we highlight small victories, but the reality is that it is nowhere near the level it needs to reach. We need the government to take bold action from a policy perspective when it comes to better enabling these partnerships. The government needs to recognize that most companies are in business to make money, and that they are accountable to their shareholders. Appealing to their better angels to ‘do the right thing’, even if it is detrimental to their bottom line, may work occasionally in one-off crisis situations, but it is not a sustainable, scalable strategy. And we aren’t China. The Chinese Government stands out with respect to the high level of support it gets from public entities, but that is largely because its repressive form of government enables it to take a heavy hand and compel companies to cooperate. That is not, nor should it be, an option for the United States.
A solid option is incentivizing companies to work with the U.S. Government (USG). The USG also must work with the best-of-the-best U.S. cybersecurity companies to come up with the gold standard for cybersecurity – and then incentivize companies to implement that standard (and that standard should involve implementing quantum communications technology, but we’ll save that for another blog). All cybersecurity elements need to be adaptable in real time as threats evolve and emerge. The best defense is a good offense.
The government, particularly the National Security Agency, needs to do more to share any cyber threats it uncovers with a broad group of stakeholders in near real time. Our Cold War classification guidelines are in desperate need of revision in order to streamline information sharing across all friendly networks. They are working on it, and it is a challenge, but enough already. If you can figure out how to hack ‘unhackable’ systems on the other side of the world, surely you can figure out intelligence sharing challenges without compromising sources and methods. For the record – that information sharing needs to be multilateral. It is not just a push from the USG to the private sector, but it is also a push from the private sector to the USG, and yes, the private sector to the private sector (GASP! – sharing threat information with the ‘competition’ for the greater good!).
We are taking steps on all of these fronts, but progress is occurring in dribs and drabs – far from the speed of cyber. And, every moment that goes by, intellectual property, personally identifiable information and secrets fly out the window. We have to move faster. As for a gold standard, the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity is a great resource, but it needs to grow, evolve and proliferate.
Big government is never particularly efficient, but on the political front, we need to move swiftly and demand action. Our politicians need to be better. Take some time away from the partisan bickering and read a cyber primer, perhaps? Our elected officials need to be capable of understanding the complexities of defending in cyberspace. They don’t have to do it, but they damn sure need to be able to understand it. It is difficult for a six-term senior senator to be a prolific advocate for technology reform when they have to rely on an aide to help them operate their computer or cell phone. It is time for new blood, it is time for younger, tech-savvy blood to rise to the top and step to the forefront. Republican, Democrat, Libertarian, or Martian (only if they can prove citizenship, of course 😊) – I don’t care. Give me someone who gets it. When we start talking about cleaning house – we need to focus on the ability to comprehend technical issues in this modern world as much as anything else.