29 October 2015

An American Strategy for the Internet and Cybersecurity

October 26, 2015

As the Senate finally prepares to vote on the Cybersecurity Information Sharing Act (CISA) legislation, it is important to keep in mind that CISA alone will not solve our problems with respect to cyberspace. A much broader strategy is needed. America is largely responsible for today's Internet which, after creating enormous prosperity and human progress, is now being used to recruit terrorists, oppress freedom, harm our economy and threaten our national security.

If we are to continue to enjoy the web's blessings, we will need to develop and execute a comprehensive strategy to deal with those who would threaten us in the cyber domain, just as we did in previous ages when our well-being was threatened on land, at sea, and later in the air and in space.

Today's threats are well publicized. State and non-state actors stage daily attacks on critical information systems, stealing information and threatening damage and destruction; terrorists use the Internet to propagandize and recruit; autocratic powers use the Internet to censor and oppress. China alone is said to have hundreds of thousands of soldiers and Communist Party members working to ensure the truth cannot be “Googled” in the Middle Kingdom; Facebook is on the verge of exiting Russia altogether. 

To preserve both internet freedom and security, America needs a clear strategy that should have at least four main elements. First, it should begin with an understanding that--unlike land, sea and the other domains--security in the cyber domain will often require that the private sector, not the government, take the lead. If entrepreneurs and innovators continue to define the future of the Internet, American interests and ideals will be well served. In doctrinal terms, that means government must frequently embrace a supporting rather than a lead role. In practical terms, that translates into things like curbing regulatory and other liabilities for sharing cyber threat information. In time it could also mean giving the private sector more freedom to act in its own defense. 

Second, while the private sector must routinely lead and be routinely responsible for defense, government has an indispensable role to play in protecting national assets from significant cyber disruption. The Department of Defense recently defined this as attacks that threaten "loss of life, significant damage to property, serious adverse U.S. foreign policy consequences, or serious economic impact on the United States." The recent North Korean attack on Sony North America suggests the kind of circumstances in which American cyber combat power might be used to deter, disarm or retaliate against a renegade state or other cyber actor in the future. 

A third aspect of a successful strategy is pragmatism, including a recognition that we need to just get on with some things. The need for legislation to facilitate information sharing about cyber threats between government and business has long been recognized, but year after year Congress has failed to act. We should also be embarrassed by the seemingparalysis within the U.S. government when it comes to repairing a porous, poorly protected information infrastructure. Even after the disastrous OPM breach, the Department of Homeland Security still lacks authority to direct other departments to take necessary cyber defense measures. Internationally, the President's April executive order outlined sensible sanctions to punish the theft of American intellectual property, but none have been enacted to date. We have allowed endless arguments among policy makers, business leaders, security professionals, privacy advocates and bureaucrats to freeze us into inaction.

Lastly and most importantly, an American strategy for cyberspace must reflect and serve our ideals. In our zeal to secure the internet, we must be careful not to destroy that which we are trying to preserve, an open, accessible, ubiquitous, egalitarian, and free World Wide Web. There are nations--like Iran, China, Russia and others--who view precisely those attributes as the very definition of cyber security threats. Their concern is not digital theft, but the free movement of ideas. We must take care that in our efforts to prevent the former, we do not legitimize their efforts to prevent the latter. While strong encryption, for example, makes life more difficult for the legitimate surveillance needs of our law enforcement and intelligence agencies, it also serves the public by protecting personal and business information from being exploited.

In a democracy, the ability to successfully pursue and execute any long-run strategy requires a consensus on basic principles, and that must be the product of a meaningful national discussion. Fundamentally, all this is less about technology than it is getting the big ideas right and preserving fundamental values. 

Unfortunately, having that needed discussion has proven difficult in recent years, especially on issues surrounding the balance between civil liberties and surveillance. That is an important issue, but it is not the only important issue. We need to find ways to resolve that question, get beyond the volleys of accusations and hyperbole (from both sides) and put in place a strategy for promoting our shared interests in an increasingly hostile domain.

That will be hard work, but the sad alternative is a world in which our liberty and our security will be increasingly at risk.

Michael V. Hayden formerly led the National Security Agency and the Central Intelligence Agency. He is currently a partner at the Chertoff Group and an adviser to the American Enterprise Institute’s Global Internet Strategy Project.

No comments: