Politics and Cyberspace

Any warfighter can tell you that when engaged in combat, every second matters.  It is no different in cyberspace.  At the speed of cyber, every nanosecond matters.  Make no mistake, just as sure as we've been at war in Iraq and Afghanistan, we're also fighting daily in cyberspace. Even more challenging, this war is being waged on all fronts simultaneously. 

Ironically, even as man wages conventional war, we recognize the need for governance and rules to protect the people that make up the very humanity that warfare destroys.  But this new battleground – cyberspace – is largely ungoverned.  No one has defined a Geneva Convention-like standard to check state actors' actions in cyberspace.  The equivalent of torture in cyberspace is undefined and never debated. Because of the lack of clearly defined cyber warfare constructs, every actor is primarily guided by their own ethos, morals, and sense of right and wrong.  This works to the distinct disadvantage of a democratic God-fearing nation such as the United States.  Our Constitution holds us to a higher standard than many of our adversaries, and that is detrimental in cyberspace.  Our inherent right to privacy and the debate over security and privacy, while essential to our democracy, present yet another hurdle that our adversaries do not have to face.

In essence, we are fighting with one hand tied behind our back due to our own legal restrictions and privacy concerns.  The privacy debate will—and should—continue.  While some of that cost is well worth paying to sustain our democracy, there are many policy measures we can take – without compromising our foundational ideals – to enable our cyber operators to protect our interests better.

We talk a blue streak about public-private cooperation and highlight small victories, but the reality is we are nowhere near where we need to be with respect to sharing. The government must take bold policy action to enable these partnerships to work better.  The government needs to recognize that most companies are in business to make money and that they are accountable to their shareholders.  Appealing to their better angels to do the right thing, even if it is detrimental to their bottom line, may work occasionally in one-off crises. Still, it is not a sustainable, scalable strategy. 

And we aren't China.  The Chinese Government stands out for the high level of support it receives from public entities, but that is mainly because its repressive form of government enables it to use heavy-handed tactics and compel companies to cooperate. That is not, nor should it be, an option for the United States.

A solid option is incentivizing companies to work with the U.S. Government (USG).  The USG must also work with the best-of-the-best U.S. cybersecurity companies to establish the gold standard for cybersecurity—and then incentivize companies to implement it (and that standard should include quantum communications technology, but we'll save that for another blog).  All cybersecurity elements need to be adaptable in real-time as threats evolve and emerge. The best defense is a good offense. 

The government, particularly the National Security Agency, needs to do more to share any cyber threats it uncovers with a broad group of stakeholders in near real time. Our Cold War classification guidelines are in dire need of revision to streamline information sharing across all friendly networks. They are working on it, and it is a challenge, but enough already.  If you can figure out how to hack 'unhackable' systems on the other side of the world, surely you can figure out intelligence sharing challenges without compromising sources and methods.  For the record, that information sharing needs to be multilateral.  It is not just a push from the USG to the private sector, but also a push from the private sector to the USG —and yes, the private sector to the private sector (GASP!—sharing threat information with the 'competition' for the greater good!). 

We are taking steps on all of these fronts, but progress is occurring in dribs and drabs – far from the speed of cyber.  And, every moment that goes by, intellectual property, personally identifiable information, and secrets fly out the window.  We have to move faster.  As for a gold standard, the National Institute of Standards and Technology (NIST) Framework for improving Critical Infrastructure Cybersecurity is a great resource, but it needs to grow, evolve, and proliferate. 

Big government is never particularly efficient, but on the political front, we need to move swiftly and demand action.  Our politicians need to be better.  Take some time away from the partisan bickering and read a cyber primer, perhaps?  Our elected officials need to understand the complexities of defending in cyberspace.  They don't have to do it, but they damn sure need to understand it.  It is difficult for a six-term senior senator to be a prolific advocate for technology reform when they have to rely on an aide to help them operate their computer or cell phone.  That's not ageism - that is just reality. It is time for new blood; it is time for younger, tech-savvy blood to rise to the top and step to the forefront.  Republican, Democrat, Libertarian, or Martian – I don't care.  Give me someone who 'gets it'.  When we start talking about cleaning house, we need to focus on the ability to comprehend technical issues in this modern world as much as anything else.