What Should the Government do about Cyber-Security?

News related to cyber-security has jumped into the spotlight with the recent hacks on the Office of Personnel Management. The first hack was discovered in April despite being committed in December of last year and resulted in the theft of 4 million federal employee’s records. The second hack from just last week, which was noted by now former-director Katherine Archuleta as a “separate, but related” breach, saw the theft of 21.5 million people’s records, those of not only federal employees, but private citizens as well.

Commentary on the issue has ranged from calling for the now former-director’s resignation (an obviously successful effort), to pushing for a congressional investigation, to demanding that the White House discover who initiated the hacks and issue some sort of response, to ridiculing OPM management for prioritizing measures such as hiring diversity instead of significant issues such as cyber-threats and security. At the center of each of these is the question, what should the government do about cyber-security? In order to answer that and provide a somewhat clearer path forward, one must look at what the government has already done, and why it has been ineffective.

Two of the bigger federal actions related  to cyber-security were the cyber-security directive issued by the President and the Cybersecurity Act passed by Congress in 2014. The President’s executive order focused largely on information sharing, while the Cybersecurity Act attempted to set up a centralized government strategy based on regulations and protocol mandates. According to a White House press release, the President’s directive, “refines and clarifies the critical infrastructure-related functions, roles, and responsibilities across the Federal Government, as well as enhances overall coordination and collaboration.” Well at least, that’s what it’s supposed to do. In reality, the directive, also known as the Presidential Policy Directive on Critical Infrastructure Security and Resilience, or PPD-21, does little to clarify anything in regards to cyber-security. It charges various agencies with cyber and infrastructure security responsibilities. Some of these include: engaging foreign governments to increase security, engaging private sector and academic organizations to encourage security, identifying and prioritizing communications infrastructure, and informing the situational awareness capability for critical infrastructure. If those sound vague and undefined for you, you’re not alone. For a document that aims to clarify functions across the federal government, this directive is woefully inadequate at its task.

A related directive discussed in a White House press release one day later charged the Secretary of Homeland Security to “strongly encourage the development and formation of Information Sharing and Analysis Organizations” to facilitate information sharing between the federal government and private entities. In this, the President has addressed a critical element of a holistic cyber-security strategy – information sharing. There is an incredible amount of information related to cyber-security practices and breaches that is currently spread across a vast network of public and private systems. The federal government should prioritize the development of an information clearing house to encourage businesses and other private entities to cooperate with the government in assessing and addressing cyber-breaches. The directive attempts to do this with the ISAOs, but these are not centralized and have little connection to each other, and therefore are unlikely to be truly effective.

Part of the reason why the government is so terrible at addressing cyber-attacks is because it doesn’t know how to do so. Setting up an information-clearing house would allow businesses who are victims of cyber-attacks to have a single point of contact to be directed to the proper agency (FBI, DHS, etc…) in order to address the breach. Additionally, this would allow the government to learn the extent and intensity of cyber-breaches against U.S. entities and get a sense of best practices for addressing these attacks.

The Cybersecurity Act, meanwhile, takes a different approach to dealing with cyber-security threats. It attempts to create a series of regulations to combat cyber-security threats. Unfortunately, such proposals make no allowance for individual actors and businesses to address their own cyber-security needs. There is no single approach that will comprehensively address cyber-security concerns, and these government mandated regulations will only serve as a setback for developing a truly effective national strategy on cyber-security.

What more can the government do? First, and most importantly, the President needs to send a clear signal that cyber-security is a priority for the administration. This would serve a dual purpose. First of all, it would require the development of a comprehensive national security strategy on cyber-security. Second of all, such a strategy would allow Congress to produce more targeted legislation aligned with the overall goals and priorities of that national security strategy. Congress doubled the funding for U.S. Cyber Command and cyber-security measures last year, and yet we’ve seen more data breaches this past year than ever before. How do we account for that? The problem is not one of money, but of information – or in this case, a lack of information: information about national priorities, industry best practices, and current threats. This is not a problem that will be solved by simply throwing money at it.

I’ve already mentioned that the President should push for the development of a comprehensive strategy for responding to cyber-attacks and cyber-threats. This strategy should include specific responsibilities for relevant federal agencies, strategies for reaching out to private entities, summaries of current industry best practices, recommendations for how to apply those specific practices to an overarching national strategy, and the development of a framework for an information clearing house to partner with private firms and share information on cyber-breaches in order to more effectively respond to them. We must be careful here. When it comes to information sharing by private firms with the federal government, it must be entirely voluntary. Further, this must not be used as an excuse to take private information. Any legislation on this front must be written with a view towards privacy and protecting personal information – theft of private information is part of the reason why such legislation is necessary to begin with, after all. The clearing house must also include a focus on distributing information related to counter-measures and preventative measures for cyber-attacks, and education on how to mitigate the risks of such attacks. Many cyber-attacks could be prevented or responded to effectively if the relevant actors had all necessary, available information. The clearinghouse would provide a way to more easily distribute such information. Additionally, the government should provide strong FOIA (Freedom of Information Act) protections to firms that cooperate in identifying risks.

When it comes to cyber-security, the government must lead by example. Yet it cannot do so alone. Finding a way to incentivize private entities to cooperate with the government is a necessary first step. But in order to be effective at managing such public/private partnerships, the government must show that it is serious about addressing cyber-security concerns. On the federal side, government agencies such as the State Department and the Department of Defense should provide incentives for their employees to develop effective cyber-security measures and report cyber-breaches. Compliance is key here. Government agencies at the federal level ought to be required by federal law to have periodic systems checks performed by outside contractors in order to discover security flaws. These evaluations could be published online after a period of time – say 6 months or a year – in order to encourage government agencies to take these evaluations seriously and incentivize them to address security concerns as they are identified. This would go a long ways towards addressing a significant problem in U.S. cyber-security. The firm Veracode reported recently that, “only 27 percent of identified vulnerabilities in government applications get remediated,” thus leading to breaches such as the ones at OPM.

Other measures can be mentioned as well. The government could begin providing stronger oversight for cyber-related contractors, thus ensuring that they are providing sensitive access to trustworthy sources. They could also make encryption of federal systems and data a priority to better protect government computers and networks. They should do everything possible to enable information sharing. Additionally, the government should look towards the future by encouraging universities to develop and incorporate cyber-security programs into their STEM curriculum in order to provide for systems professionals in future years. In regards to other nations, the U.S. should punish nations that support cyber-crime or cyber-terrorism by naming them and ceasing to cooperate with them – either militarily, economically, or through cyber means. The U.S. Attorney General could be charged with pursuing legal recourse against foreign firms that traffic in stolen information. Finally, the government ought to set a standard of accountability for those in positions of authority at federal agencies so that those in management who fail to protect cyber-security will be held accountable for cyber-attacks brought on by negligence, such as those at OPM.

What should the government do about cyber-security? It should focus on supporting and encouraging the safe sharing of information to the best of its ability within the context of a cohesive, detailed national security strategy. Anything else will invite further cyber-attacks and ultimately weaken U.S. national security.

Containment against ISIS?

The National Interest recently reported that containment is the “only option” left open to the United States in its response to the growing threat of ISIS. This view has been echoed by many others including: the Washington Institute, the International Institute for Strategic Studies, writers at the Daily Kos and the Associate Press, Foreign Policy, the Mackenzie Institute, and Senior Fellows at the Atlantic Council. What many fail to recognize is that the U.S. not only should not, but cannot treat ISIS the way that it did the Soviet Union during the Cold War. They are fundamentally different types of enemies, and strategies that may have been effective against the USSR are unlikely to prove effective against groups such as ISIS.

While some have compared the U.S.’s struggle against ISIS to the Cold War tensions with the Soviet Union, these premises are arguably flawed on a fundamental level. First, the Cold War was just that – cold. While certainly a time of deep and abiding tension, one did not see full-scale combat or attacks on civilian populations the way one does today with ISIS.

One of ISIS’s goals is to establish a state in its own right. One need look no further than the name, the Islamic State of Iraq and Syria (or the Islamic State of Iraq and the Levant if using the alternative acronym – ISIL). Should this happen then, and a true nation-state run by ISIS appear, would the U.S. – should the U.S. – pursue a policy of containment? While I cannot speak to what will happen, it would be foolish to attempt to use a policy of containment to halt the spread of such a state. There are two reasons for this. First, there is an as yet un-articulated difference between ISIS and the Soviet Union – one which renders a policy of containment useless. Second, the strategy of containment relies heavily upon demonstrably ineffective neo-conservative ideas about nation building.

I will address the differences between ISIS and the USSR first. The Soviet Union and the Islamic State – granting that it is a state with a given territory and recognized at least in some respect by other powers – differ in a key aspect. For the Soviet Union, expansion was a fundamental necessity. The profound economic burden of a socialist state required constant expansion in order to provide the natural resources and manpower necessary to power the communist machine. Proponents of containment found that by restricting the ability of the Soviet Union to expand its territory it slowly began to crush itself under the enormous strain required to maintain its economy. Such a calculus was rational and at least somewhat effective in regards to the Soviet Union. This is not necessarily the case for the Islamic State. While their ideology maintains that they seek a global caliphate, and this by its nature requires the ultimate in territorial acquisition – it is arguable that regardless of whether or not ISIS makes any strategic territorial gains, it will never be brought to its knees under its own weight as was the USSR. One reason for this is that ISIS’s need for expanding its territory is not based on economic necessity, but on ideology. It wants to acquire territory in order to further its goal of instituting a global caliphate. ISIS can always shift this policy by embracing a view similar to the one held by Osama Bin Laden, whom they refer to as Sheik Osama – a title of profound reverence and respect – who saw the global caliphate as a future reality, to be achieved at some point, even if not in his lifetime. Such a shift in outlook would not require that ISIS make any territorial gains in the immediate future in order to maintain internal consistency, yet it would do this without undermining its core principles and would still allow it to attract and recruit supporters. This is a flexibility that the Soviet Union did not possess. As I have mentioned, containment rested upon starving the Soviet Union of necessary resources. In an increasingly globalized economy, and especially with the presence of the internet, the prevalence of black markets, and the close proximity of nations that have at least some incentive to support ISIS with money, resources, and weapons, such a starving of resources arguably cannot be achieved by simply containing ISIS as the U.S. did with the USSR.

In addition, many of those who push for a strategy of containment in regard to ISIS fail to recognize or address the implicit neo-conservative assumptions of such a view. When discussing a grand strategy, recognizing the underlying premises is crucial to developing a rigorous and effective foreign policy. The core of containment rests upon the notion that the United States has not only the ability to institute democratic nation-states in the area surrounding the state in question, but also the responsibility to do so. I would disagree with both counts, but as my point is not to lay out an opposing grand strategy, I will confine myself to addressing only the former assertion. The United States does not have the ability to create democratic nation-states. While some still view this as a matter of opinion, I would assert that history has spoken quite clearly against such a view. The U.S. has attempted to institute democratic nation-states numerous times, and the record shows that few if any of these have been successful. Look at the Dominican Republic in the mid-1960’s, Vietnam, Cambodia, or Afghanistan. None of these saw lasting democratic rule, despite the U.S.’s best efforts. The U.S. has consistently failed to transplant democracy successfully to other nation-states, and I fail to see how any who rely upon a similar calculus can conclude that such a project has any likelihood of success – particularly when that project would be undertaken in one of the most unstable regions in the world. Democratic governance requires certain cultural norms and mores that do not as yet exist in these nations. To simply transplant democracy and expect it to take root without any fertile soil to sustain its growth is willfully utopian and foolish.

The National Interest article concludes with an assertion that while messy, containment is our only option. I disagree. The U.S. has many options, and the one for which I would advocate is providing arms and resources to local groups who oppose ISIS. These groups have the most to lose if ISIS rules, and therefore they have the most to gain by pushing ISIS back. They have greater local and cultural knowledge as well as a far greater incentive to resist territorial acquisition by ISIS (they are also one of the few groups that has actually been effective in responding to ISIS). The U.S. should focus on supporting those local actors who have expressed a will to see ISIS pushed back, rather than attempting to coerce uncooperative nation-states to adopt positions that the U.S. favors in a vain attempt at recreating Cold War era stratagems.

On Pacifism

I wrote this piece during my final term at New College in Oxford last year. Since it represents well my desire to use this blog as a place to discuss the ideas that shape our interaction with the world, I decided to use this as my first post. Hope you enjoy it!

—

Pacifism remains one of the more controversial debates in contemporary discussions of international politics, particularly within Christian communities. One of the main proponents of a Christian pacifist ethic is Stanley Hauerwas. Hauerwas’ main text on the subject, The Peaceable Kingdom: A Primer on Christian Ethics, is not entirely devoted to pacifism as an ideology, but instead to an explication of the Christian’s call to non-violence. Hauerwas bases this ethic of non-violence on the life of Jesus and takes Jesus’ denial of violence in particular instances to include denial of acts violence in general. He also focuses on the Christian call to mercy and forgiveness and the inseparability of true non-violence from a Christian ethical framework. Finally, he expresses the belief that non-violence is necessary because it is the only ethical system that expresses complete reliance upon the faithfulness of God. For this reason, he contends that non-violence (I will refer to this as pacifism from here on out) is the only morally acceptable position for Christians to hold, and that Christians are the only ones capable of holding such a position. I will challenge each of his points with reference to works by Nigel Biggar and Reinhold Niebuhr. I will also set the debate against the backdrop of the Second World War in order to argue for both the infeasibility of a pacifist ethic and for the position that pacifism would have been a morally bankrupt response to the war.

Several of Hauerwas’ points deserve particular attention. The first is his assertion that the biblical justifications against particular instances of violence constitute a denial of the ethical use of violence in general. The second is his focus on the call to mercy and forgiveness concerning one’s enemies. The third is his claim that pacifism is the only morally tenable position for a Christian. I hope to show that each of these are problematic and ultimately untenable views.

Hauerwas uses the example of Jesus’ second temptation in the desert and says that the devil is offering Jesus dominion, and that this is a dominion brought about through force. Jesus rejects this dominion. “God’s kingdom, it seems, will not have peace through coercion.”[1] Yet it is not clear that this is what is happening in this instance, nor is it clear that denial of a particular use of force makes all aggression illegitimate. To choose, as Hauerwas does, a single instance and extrapolate an entire ethic from it is less than compelling. There are numerous stories throughout the Bible, both Old and New Testaments, that seem to be difficult to reconcile with a universal ethic of non-violence. Three in particular are worth mentioning. The first can be found in the gospel of Mark. “And they came to Jerusalem. And he entered the temple and began to drive out those who sold and those who bought in the temple, and he overturned the tables of the money-changers and the seats of those who sold pigeons. And he would not allow anyone to carry anything through the temple.” (Mark 11:15-16) In this instance, Jesus enters the temple and begins to drive out those who are using it as a marketplace. One who would argue for a pacifist ethic based on the life of Jesus ought to reckon with this passage, yet Hauerwas does not. The second story comes from Matthew 8:5-13. In this instance, Jesus heals the servant of a Roman Centurion. This centurion is held up as an example of faith. What is intriguing is that while Jesus commends him for his faith and tells him that his servant will be healed as he believed he would, he makes no reference at all to the centurion’s occupation as a soldier, nor does he rebuke him for the violence he has doubtlessly been involved in. It would seem that faith can coexist apart from a pacifist ethic. The final example is not a story, but a repeated injunction for the people of Israel to follow. It occurs many times throughout the psalms and the prophets. One of these passages from the psalms reads, “Defend the weak and the fatherless; uphold the cause of the poor and the oppressed.” (Psalm 82:3) While it would certainly be possible to do this in many instances without the use of force, there are some instances in which aggression would be required to fulfill such a command. Consider the Second World War. In order to free the people of France and Europe from German invasion, it was necessary for the Allies to use aggressive force to engage the enemy. It would be difficult to argue that the biblical injunction to defend the weak and uphold the cause of the oppressed could be fulfilled through the use of non-violent means in this instance.

One could argue that the pacifist ethic Hauerwas presents as derived from the life of Jesus is incomplete, and therefore less compelling than it could be. It does appear that a robust view of Christian pacifism as intended by Hauerwas has many more challenges than he gives credit to. One of these challenges derives from his assertion that one must encourage mercy and forgiveness above all else in order to fulfill a truly pacifist ethic. In examining this we will be able to draw some parallels to the Second World War in order to make the weakness of such a position clearer.

Hauerwas claims that an ethic deriving from Christian principles must come from the life of Jesus. He says, “It is only from him that we can learn perfection – which is at the very least nothing less than forgiving our enemies.”[2] He takes the point even further than forgiveness to say that there must be an underlying attitude of love. “God wills nothing less than that men and women should love their enemies and forgive one another; thus we will be perfect as God is perfect.”[3] But can mercy exist on its own apart from anything else? Mercy is not so much a thing in itself, but the tempering of another: justice. Hauerwas ignores this as a concern. Also, is it enough to simply assert that the essence of Christ-like perfection is forgiveness? As Nigel Biggar puts it, “[T]o believe that Jesus’ teaching and life show how human beings should behave… is to make normative a certain kind of forgiving love for others. None of this, however, entails the pacifist repudiation of violence always and everywhere.”[4] Mercy can, and ought, to be a consideration when engaging in violence. Yet, as Biggar argues, violence can be meted out in love with a desire for peace and reconciliation. It could be argued that Hauerwas’ focus on forgiveness, while admirable, denies a core obligation to preserve peace. He argues that “[W]e are free just to the extent that we learn to trust others and make ourselves available to be trusted by others.”[5] But it would be foolish to trust someone who has demonstrated themselves to be untrustworthy. In regards to World War II, one could argue that a similar pacifist ethic encouraged Germany in its invasion of other countries. Germany repeatedly violated the Treaty of Versailles and expressed military ambitions. This can be seen in its reinstatement of conscription, development of an air force, its occupation of the Rhineland, the mobilization of its military, its occupation of the Sudetenland, its overpowering of Czechoslovakia, its military pacts with both Italy and the Soviet Union, and finally its invasion of Poland. At every point along the way they claimed that each step was their last and that they were simply regaining what was rightfully theirs. Germany did not show itself to be trustworthy, and the other European powers were foolish to extend a trust that was not warranted. With this in mind, it would be difficult to argue that pacifism is morally defensible, particularly when it entails the offer of forgiveness at the expense of the fulfillment of justice or the expression of trust in an untrustworthy object.

This is not to say that we do not have a moral obligation to seek peace. War is a terrible thing that should never be sought after. Yet there are times when force is the only morally appropriate response. Biggar quotes from Michael Quinlan who says, “[W]here action is possible inaction is itself a choice, with its own consequences, its own responsibility and its own problems of unsure prediction.”[6] To claim that one cannot respond with violence for any reason to any sort of violent actions could be argued to be a morally untenable position, especially for those who hold to Christian principles. Reinhold Niebuhr wrote in the context of the Second World War that, “American Christianity is all too prone to disavow its responsibilities for the preservation of our civilization against the perils of totalitarian aggression.”[7] Yet Christians are called to protect, to preserve, and to defend those who are incapable of defending themselves. Niebuhr presses the point by saying, “We think it dangerous to allow religious sensitivity to obscure the fact that Nazi tyranny intends to annihilate the Jewish race, to subject the nations of Europe to the dominion of a “master” race, to extirpate the Christian religion, to annul the liberties and legal standards that are the priceless heritage of ages of Christian and humanistic culture, to make truth the prostitute of political power, to seek world dominion through its satraps and allies, and generally to destroy the very fabric of our western civilization.”[8]

This is strongly worded, and perhaps rightly so. Niebuhr is making the point that we have an inherent responsibility to steward well the world that we inhabit. Biggar writes, “[H]uman beings are made in the image of God to tend the world. We are made to care for what deserves to be cared for, and to flourish in its service. We are made to take responsibility under God – to take responsibility while being responsible…. [W]e must do what we can to defend and promote what is good – but within the limits of what we may.”[9]Responsible and justified uses of violence are permissible as long as they are not undertaken for purposes of revenge or done out of proportion to their inciting offences. One could argue that to trust God in the way that Hauerwas does would constitute a morally untenable position because it places the emphasis on the wrong person. Instead of relying on our God-given capacity for reason, we rely instead on Him to fix our situation, citing our supernatural faith in His providence. That would be akin to an architect giving builders tools and telling them to build a building only to have the builders throw away the tools and wait expectantly for the architect to intervene on their behalf. One may not simply ignore moral evil that one has the ability to stop in the hope that one will not be morally culpable for it. As Biggar says, “[I]f war usually causes terrible evils, peace sometimes permits them.”[10] When one compares this to World War II the point becomes even clearer. Niebuhr writes that, “We cannot, of course, be certain that defeat of the Nazis will usher in a new order of international justice in Europe and the world. We do know what a Nazi victory would mean, and our first task must therefore be to prevent it.”[11] To do nothing would likely have lead to the spread of a tyrannical empire over most of the world. In light of this it would be difficult to argue that pacifism would have been a morally appropriate response in World War II.

If that is true, then why would pacifism be appropriate in other places? Where we have an ability to stop moral evils, should we not do so? Hauerwas would argue that to do so does not constitute an expression of love. While this focus on love from Hauerwas is appealing, I would tend towards Niebuhr’s position. “The profoundest insights of the Christian faith cannot be expressed by the simple counsel that men ought to be more loving, and that if they became so the problems of war and of international organization would solve themselves.”[12] This, however, does not do full justice to the Christian belief that one must love one’s neighbor and one’s enemy. For a war to be just, love must have a place in that war. Where does such a love arise and is it even possible for love to spring up amid violence? I argue that it is. The pacifist tradition extending from Hauerwas would hold that loving enemies is incompatible with killing them.[13] Yet Biggar argues there are legitimate reasons to assume we may act lovingly despite having to use force, even lethal force:

I might deliberately kill an aggressor, not at all because I hate him, nor because I reckon his life worth less than anyone else’s, nor because I want him dead, but because, tragically, I know of no other way to prevent him from perpetrating a serious injury on an innocent neighbour. My deliberate killing is loving, therefore, in two respects: first, its overriding aim is to protect the innocent from serious harm; and second, it acknowledges the aggressor’s equal dignity, it wishes him no evil, and it would gladly spare him if it could.

In the end, it comes down to stewardship. If one is in a position to defend those who cannot defend themselves, then one must fulfill that responsibility, even if doing so requries the use of lethal force. To do anything less would be unjust because it refuses our responsibilities. For this reason, I find Hauerwas’ critique of violent force unconvincing. To say, on the one hand, that an individual must not use force is problematic enough. To extend it further, however, to say that no one may use coercive force for any reason could be argued to be exceedingly problematic. It would seem that states have an obligation to defend their citizens. To extrapolate from an individual ethic of non-violence to a national ethic would be to open a country up to violent and rampant abuses against its citizens. Reinhold Neibuhr, speaking about the Second World War, summed it up well when he said, “Yet there are times when hopes for the future, as well as contrition over past misdeeds, must be subordinated to the urgent, immediate task. In this instance, the immediate task is the defeat of Nazi tyranny. If this task does not engage us, both our repentance and our hope become luxuries in which we indulge while other men save us from an intolerable fate, or while our inaction betrays into disaster a cause to which we owe allegiance.”[14]

To choose inaction when action is possible is to make a choice that comes with its own consequences. While Hauerwas contends that pacifism is the only morally acceptable approach for a Christian to hold, I would argue that pacifism is a morally unacceptable position for a Christian. To deny one’s responsibility to steward well one’s life and those over whom one has a responsibility is to deny a core aspect of Christian thought – that of loving others. Love may require legitimate defense, and it is not enough to simply say that we are unjust in using violence. Violence, one can argue, may be meted out in genuine defense of others in a way that shows love without hatred or vengeance. It is this sort of violent action that, while never sought, may be permissible. “Love can be active in the making of war. Augustine was right: belligerent harshness can be kind.”[15]

Note: Future pieces will focus more on current events – particularly those relevant to discussions of foreign policy. However, I was so pleased with this essay that I decided to post it here.

[1] Hauerwas, Stanley. The Peaceable Kingdom: A Primer in Christian Ethics. Notre Dame, Ind.: University of Notre Dame Press, 1983. – pg 79

[2] Ibid. – pg 76

[3] Ibid. – pg 85

[4] Biggar, Nigel. In Defence of War. Oxford: Oxford University Press, 2013. – pg 20-21

[5] Hauerwas, Peaceable Kingdom. – pg 46

[6] Biggar, In Defence of War. – pg 33

[7] Neibuhr, Reinhold. “Christian Faith and the World Crisis.” Christianity and Crisis, 1941. http://www.religion-online.org/showarticle.asp?title=381.

[8] Ibid.

[9] Biggar, In Defence of War. – pg 31 (original emphasis)

[10] Ibid. – pg 5

[11] Niebuhr, Christian Faith.

[12] Ibid.

[13] Biggar. In Defence of War. – pg 49

[14] Niebuhr, Christian Faith.

[15] Biggar. In Defence of War. – pg 91