We’ve heard national security leaders at the highest levels say it repeatedly: we are not prepared for cyber war.
Gen. Keith Alexander, director of the National Security Agency and commander of U.S. Cyber Command, made it clear when he rated America’s readiness for addressing a catastrophic cyber attack “three on a scale of ten.” Homeland Security Secretary Janet Napolitano has discussed the imminent threats of a breach that “shuts down part of the nation’s infrastructure in such a fashion that it results in a loss of life.” And Secretary of Defense Leon Panetta has often been quoted saying that a large-scale attack on our critical infrastructure could wreak havoc on a scale “equivalent to Pearl Harbor.”
Despite this awareness, we have not been able to mobilize a comprehensive cyber action plan. Recently it was revealed that the President has signed a new policy directive, further defining the government’s role in addressing cyber threats, which coincides with the Department of Defense’s sweeping changes to its rules of cyber engagement.
But today’s threats far exceed traditional military domains of land, air, sea or even space. They extend beyond the boundaries of official battlefields into private enterprises like the financial sector, chemical, electricity and water utility companies, as well as other industries that hold highly sensitive intellectual property. An attack on any of these networks would be crippling and extremely dangerous – yet these are the areas where we are most vulnerable to attack.
One critical difference between now and the Cold War era is that citizens understood the looming threat of nuclear warfare and were at least partially engaged in their own defense against it. Today, no such national doctrine exists for the cyber era.”
The Obama administration must establish a collective sense of purpose for our national cyber defense that can be adopted by government agencies, armed forces, private sector organizations and individual citizens. It is the only way that we, as a nation, can begin to act with deliberate foresight rather than in reactionary response.
We are operating in a new battleground, and the stakes are as high now as they ever were during the Cold War. One critical difference between now and then is that citizens of the Cold War era understood the looming threat of nuclear warfare and were at least partially engaged in their own defense against it. The military, private sector and individual population were aligned under a Doctrine of Containment that established a national-level framework for identifying and responding to the spread of Communism and nuclear threats. Today, no such national doctrine exists for the cyber era.
To understand the precarious and dangerous nature of our position without a national-level doctrine we must first consider how much has changed since the Cold War.
Cyber networks that were unimagined throughout most of the Cold War era have transformed from a utility to a necessity for virtually every aspect of our modern society, from the international to the individual. They facilitate global stock markets and our personal banking. They enable international trade agreements and our Craigslist garage sales. They communicate with UAVs in the Middle East and the DVRs in our living rooms. This dichotomy creates the most important difference between the world today and the previous generations: citizens have access to our critical infrastructures in ways that never existed before – and responsibilities for which they are largely unaware.
Historical models like the Truman Doctrine don’t translate to the constantly evolving world of cyber space and, as a result, the positions, policies and legislation that have been set forth on cyber security are disconnected at best. Citizens, businesses and even public sector agencies do not have a firm grasp of their role in cyber defense.
Thus far, cyber attacks haven’t carried the urgency of threats to our physical well-being, like nuclear warfare, and they are harder to understand because they may not fit within the parameters of traditional acts of aggression. We have allowed ourselves to be distracted by other priorities and we assume that we have more time before a major attack hits us at home. Standing at the precipice of a brave new world, we lack a prescriptive direction to mitigate our vulnerabilities and guide our efforts going forward.
Instead of turning to the past, we must face the future. We must create a new, national-level doctrine encompassing the cyber era that sets an overarching framework and defines long-term objectives for the country’s economy, education, foreign affairs policies and critical infrastructure. It is not an easy task, and the road ahead is long, but setting this framework is perhaps the most important responsibility of our lifetime.
As our nation did in the first stages of developing the doctrine that governed the nuclear age, we need to bring together scientists and practitioners to consider the impact of cyber technologies. We must call on our leaders to begin exploring the delicate balance of shared responsibility between government, industry, and private citizen that will give us the direction toward a common goal, as well as the flexibility we need to adjust our course as the environment rapidly evolves. We must create a debate among government entities, policy advocates, scientists and academics to pursue complex issues like attribution, international diplomacy, preemptive strike, the role of the private sector, location-based laws and many more to determine the best actions for the nation. We should empower our resources and invest in a national cyber research agenda that complements this debate to test and explore our options for action.
Most importantly, we must begin a conversation on the role cyber defense will play in the future of the country and what roles we each hold in shaping that future.
Without this guidance – without a national-level doctrine for the cyber era – our lives and livelihoods are at risk.
Timothy Sample is vice president and sector manager for special programs at Battelle Memorial Institute. He is co-editor of the new book #CyberDoc – No Borders, No Boundaries: National Doctrine for the Cyber Era.