What Should the Government do about Cyber-Security?

News related to cyber-security has jumped into the spotlight with the recent hacks on the Office of Personnel Management. The first hack was discovered in April despite being committed in December of last year and resulted in the theft of 4 million federal employees’ records. The second hack from just last week, which was noted by now former-director Katherine Archuleta as a “separate, but related” breach, saw the theft of 21.5 million people’s records, those of not only federal employees, but private citizens as well.

Commentary on the issue has ranged from calling for the now former-director’s resignation (an obviously successful effort), to pushing for a congressional investigation, to demanding that the White House discover who initiated the hacks and issue some sort of response, to ridiculing OPM management for prioritizing measures such as hiring diversity instead of significant issues such as cyber-threats and security. At the center of each of these is the question, what should the government do about cyber-security? In order to answer that and provide a somewhat clearer path forward, one must look at what the government has already done, and why it has been ineffective.

Two of the bigger federal actions related to cyber-security were the cyber-security directive issued by the President and the Cybersecurity Act passed by Congress in 2014. The President’s executive order focused largely on information sharing, while the Cybersecurity Act attempted to set up a centralized government strategy based on regulations and protocol mandates. According to a White House press release, the President’s directive, “refines and clarifies the critical infrastructure-related functions, roles, and responsibilities across the Federal Government, as well as enhances overall coordination and collaboration.” Well, at least, that’s what it’s supposed to do. In reality, the directive, also known as the Presidential Policy Directive on Critical Infrastructure Security and Resilience, or PPD-21, does little to clarify anything in regards to cyber-security. It charges various agencies with cyber and infrastructure security responsibilities. Some of these include: engaging foreign governments to increase security, engaging private sector and academic organizations to encourage security, identifying and prioritizing communications infrastructure, and informing the situational awareness capability for critical infrastructure. If those sound vague and undefined to you, you’re not alone. For a document that aims to clarify functions across the federal government, this directive is woefully inadequate at its task.

A related directive discussed in a White House press release one day later charged the Secretary of Homeland Security to “strongly encourage the development and formation of Information Sharing and Analysis Organizations” to facilitate information sharing between the federal government and private entities. In this, the President has addressed a critical element of a holistic cyber-security strategy – information sharing. There is an incredible amount of information related to cyber-security practices and breaches that is currently spread across a vast network of public and private systems. The federal government should prioritize the development of an information clearing house to encourage businesses and other private entities to cooperate with the government in assessing and addressing cyber-breaches. The directive attempts to do this with the ISAOs, but these are not centralized and have little connection to each other, and therefore are unlikely to be truly effective.

Part of the reason the government is so terrible at addressing cyber-attacks is that it doesn’t know how to do so. Setting up an information clearing house would allow businesses that are victims of cyber-attacks to have a single point of contact to be directed to the proper agency (FBI, DHS, etc.) in order to address the breach. Additionally, this would allow the government to learn the extent and intensity of cyber-breaches against U.S. entities and get a sense of best practices for addressing these attacks.

The Cybersecurity Act, meanwhile, takes a different approach to dealing with cyber-security threats. It attempts to create a series of regulations to combat cyber-security threats. Unfortunately, such proposals make no allowance for individual actors and businesses to address their own cyber-security needs. There is no single approach that will comprehensively address cyber-security concerns, and these government mandated regulations will only serve as a setback for developing a truly effective national strategy on cyber-security.

What more can the government do? First, and most importantly, the President needs to send a clear signal that cyber-security is a priority for the administration. This would serve a dual purpose. First of all, it would require the development of a comprehensive national security strategy on cyber-security. Second of all, such a strategy would allow Congress to produce more targeted legislation aligned with the overall goals and priorities of that national security strategy. Congress doubled the funding for U.S. Cyber Command and cyber-security measures last year, and yet we’ve seen more data breaches this past year than ever before. How do we account for that? The problem is not one of money, but of information – or in this case, a lack of information: information about national priorities, industry best practices, and current threats. This is not a problem that will be solved by simply throwing money at it.

I’ve already mentioned that the President should push for the development of a comprehensive strategy for responding to cyber-attacks and cyber-threats. This strategy should include specific responsibilities for relevant federal agencies, strategies for reaching out to private entities, summaries of current industry best practices, recommendations for how to apply those specific practices to an overarching national strategy, and the development of a framework for an information clearing house to partner with private firms and share information on cyber-breaches in order to more effectively respond to them. We must be careful here. When it comes to information sharing by private firms with the federal government, it must be entirely voluntary. Further, this must not be used as an excuse to take private information. Any legislation on this front must be written with a view towards privacy and protecting personal information – theft of private information is part of the reason why such legislation is necessary to begin with, after all. The clearing house must also include a focus on distributing information related to counter-measures and preventative measures for cyber-attacks, and education on how to mitigate the risks of such attacks. Many cyber-attacks could be prevented or responded to effectively if the relevant actors had all necessary, available information. The clearinghouse would provide a way to more easily distribute such information. Additionally, the government should provide strong FOIA (Freedom of Information Act) protections to firms that cooperate in identifying risks.

When it comes to cyber-security, the government must lead by example. Yet it cannot do so alone. Finding a way to incentivize private entities to cooperate with the government is a necessary first step. But in order to be effective at managing such public/private partnerships, the government must show that it is serious about addressing cyber-security concerns. On the federal side, government agencies such as the State Department and the Department of Defense should provide incentives for their employees to develop effective cyber-security measures and report cyber-breaches. Compliance is key here. Government agencies at the federal level ought to be required by federal law to have periodic systems checks performed by outside contractors in order to discover security flaws. These evaluations could be published online after a period of time – say 6 months or a year – in order to encourage government agencies to take these evaluations seriously and incentivize them to address security concerns as they are identified. This would go a long way towards addressing a significant problem in U.S. cyber-security. The firm Veracode reported recently that, “only 27 percent of identified vulnerabilities in government applications get remediated,” thus leading to breaches such as the ones at OPM.

Other measures can be mentioned as well. The government could begin providing stronger oversight for cyber-related contractors, thus ensuring that they are providing sensitive access to trustworthy sources. They could also make encryption of federal systems and data a priority to better protect government computers and networks. They should do everything possible to enable information sharing. Additionally, the government should look towards the future by encouraging universities to develop and incorporate cyber-security programs into their STEM curriculum in order to provide for systems professionals in future years. In regards to other nations, the U.S. should punish nations that support cyber-crime or cyber-terrorism by naming them and ceasing to cooperate with them – either militarily, economically, or through cyber means. The U.S. Attorney General could be charged with pursuing legal recourse against foreign firms that traffic in stolen information. Finally, the government ought to set a standard of accountability for those in positions of authority at federal agencies so that those in management who fail to protect cyber-security will be held accountable for cyber-attacks brought on by negligence, such as those at OPM.

What should the government do about cyber-security? It should focus on supporting and encouraging the safe sharing of information to the best of its ability within the context of a cohesive, detailed national security strategy. Anything else will invite further cyber-attacks and ultimately weaken U.S. national security.

Containment against ISIS?

The National Interest recently reported that containment is the “only option” left open to the United States in its response to the growing threat of ISIS. This view has been echoed by many others including: the Washington Institute, the International Institute for Strategic Studies, writers at the Daily Kos and the Associated Press, Foreign Policy, the Mackenzie Institute, and Senior Fellows at the Atlantic Council. What many fail to recognize is that the U.S. not only should not, but cannot treat ISIS the way that it did the Soviet Union during the Cold War. They are fundamentally different types of enemies, and strategies that may have been effective against the USSR are unlikely to prove effective against groups such as ISIS.

While some have compared the U.S.’s struggle against ISIS to the Cold War tensions with the Soviet Union, these premises are arguably flawed on a fundamental level. First, the Cold War was just that – cold. While certainly a time of deep and abiding tension, one did not see full-scale combat or attacks on civilian populations the way one does today with ISIS.

One of ISIS’s goals is to establish a state in its own right. One need look no further than the name, the Islamic State of Iraq and Syria (or the Islamic State of Iraq and the Levant if using the alternative acronym – ISIL). Should this happen then, and a true nation-state run by ISIS appear, would the U.S. – should the U.S. – pursue a policy of containment? While I cannot speak to what will happen, it would be foolish to attempt to use a policy of containment to halt the spread of such a state. There are two reasons for this. First, there is an as yet un-articulated difference between ISIS and the Soviet Union – one which renders a policy of containment useless. Second, the strategy of containment relies heavily upon demonstrably ineffective neo-conservative ideas about nation building.

I will address the differences between ISIS and the USSR first. The Soviet Union and the Islamic State – granting that it is a state with a given territory and recognized at least in some respect by other powers – differ in a key aspect. For the Soviet Union, expansion was a fundamental necessity. The profound economic burden of a socialist state required constant expansion in order to provide the natural resources and manpower necessary to power the communist machine. Proponents of containment found that by restricting the ability of the Soviet Union to expand its territory it slowly began to crush itself under the enormous strain required to maintain its economy. Such a calculus was rational and at least somewhat effective in regards to the Soviet Union. This is not necessarily the case for the Islamic State. While their ideology maintains that they seek a global caliphate, and this by its nature requires the ultimate in territorial acquisition – it is arguable that regardless of whether or not ISIS makes any strategic territorial gains, it will never be brought to its knees under its own weight as was the USSR. One reason for this is that ISIS’s need for expanding its territory is not based on economic necessity, but on ideology. It wants to acquire territory in order to further its goal of instituting a global caliphate. ISIS can always shift this policy by embracing a view similar to the one held by Osama Bin Laden, whom they refer to as Sheik Osama – a title of profound reverence and respect – who saw the global caliphate as a future reality, to be achieved at some point, even if not in his lifetime. Such a shift in outlook would not require that ISIS make any territorial gains in the immediate future in order to maintain internal consistency, yet it would do this without undermining its core principles and would still allow it to attract and recruit supporters. This is a flexibility that the Soviet Union did not possess.

As I have mentioned, containment rested upon starving the Soviet Union of necessary resources. In an increasingly globalized economy, and especially with the presence of the internet, the prevalence of black markets, and the close proximity of nations that have at least some incentive to support ISIS with money, resources, and weapons, such a starving of resources arguably cannot be achieved by simply containing ISIS as the U.S. did with the USSR.

In addition, many of those who push for a strategy of containment in regard to ISIS fail to recognize or address the implicit neo-conservative assumptions of such a view. When discussing a grand strategy, recognizing the underlying premises is crucial to developing a rigorous and effective foreign policy. The core of containment rests upon the notion that the United States has not only the ability to institute democratic nation-states in the area surrounding the state in question, but also the responsibility to do so. I would disagree on both counts, but as my point is not to lay out an opposing grand strategy, I will confine myself to addressing only the former assertion. The United States does not have the ability to create democratic nation-states. While some still view this as a matter of opinion, I would assert that history has spoken quite clearly against such a view. The U.S. has attempted to institute democratic nation-states numerous times, and the record shows that few if any of these have been successful. Look at the Dominican Republic in the mid-1960s, Vietnam, Cambodia, or Afghanistan. None of these saw lasting democratic rule, despite the U.S.’s best efforts. The U.S. has consistently failed to transplant democracy successfully to other nation-states, and I fail to see how any who rely upon a similar calculus can conclude that such a project has any likelihood of success – particularly when that project would be undertaken in one of the most unstable regions in the world. Democratic governance requires certain cultural norms and mores that do not as yet exist in these nations. To simply transplant democracy and expect it to take root without any fertile soil to sustain its growth is willfully utopian and foolish.

The National Interest article concludes with an assertion that while messy, containment is our only option. I disagree. The U.S. has many options, and the one for which I would advocate is providing arms and resources to local groups who oppose ISIS. These groups have the most to lose if ISIS rules, and therefore they have the most to gain by pushing ISIS back. They have greater local and cultural knowledge as well as a far greater incentive to resist territorial acquisition by ISIS (they are also one of the few groups that has actually been effective in responding to ISIS). The U.S. should focus on supporting those local actors who have expressed a will to see ISIS pushed back, rather than attempting to coerce uncooperative nation-states to adopt positions that the U.S. favors in a vain attempt at recreating Cold War era stratagems.