Why A Global Cybersecurity Playbook Is Critical Post-Sony


Eli Sugarman, Contributor

January 16, 2015

On Tuesday, President Obama announced a series of new cybersecurity measures to improve information sharing between the private sector and government, modernize law enforcement’s approach to tackle cybercrime, and require national data breach reporting. These are all important steps towards what it’s increasingly clear is really needed: a comprehensive policy playbook to guide U.S. and other governments’ response to serious cyber incidents, like the recent hack of Sony Pictures. The United States can no longer afford to respond in an ad hoc and uncertain manner to serious cyber incidents because the Internet plays a critical role in the lives of millions of Americans and billions of individuals worldwide. Instead, it must work with cybersecurity experts in the private sector and civil society, as well as other nations, to put in place robust policy frameworks and doctrines to guide both offensive cyber operations and responses to cyber-attacks. Failure to do so will leave both public and private assets unnecessarily vulnerable to future attacks.

According to former NSA Director and U.S. Cyber Command chief Gen. Keith Alexander, the U.S. lacks “…the norms, the rules of engagement, the rules of the road for how [it] and other countries should operate” in cyberspace. The same is undoubtedly true of other governments, many of which dedicate far fewer resources to cybersecurity than the U.S. does. There are several reasons for this dangerous dearth of strategy.

First, government is ill-suited to keep up with the rapid pace of technological change in the cybersecurity realm, which challenges even the much nimbler private sector. The policies, laws, and regulations that do exist are almost always out of date. Moreover, technology can easily mask the identity and location of online actors or falsely implicate innocent parties, making attribution of cyber-attacks nearly impossible (which is why many cybersecurity experts question the FBI’s assessment in this case). Not knowing who is responsible for a cyber-attack makes it very difficult to assess the attack’s seriousness, justify an appropriate response, and settle upon the right legal standard for it (i.e. criminal theft vs. an act of war).

Second, U.S. government cybersecurity policy decisions—like those of many other nations—are dominated by the military and intelligence communities, thereby relegating civilian agencies, such as the U.S. Department of Homeland Security, to secondary roles. This causes confusion regarding agencies’ responsibilities because it is the civilian agencies that typically control primarily civilian areas like the Internet. The end result is often a muddled, uncoordinated policy response. Cooperation with private sector and civil society cyber experts is also undermined by elevating national security concerns over their commercial, personal, and other legitimate interests.

Finally, legislatures and general populations tend to be kept in the dark because of excessive secrecy surrounding each country’s cyber capabilities. According to former CIA and NSA Director Gen. Michael Hayden, information regarding U.S. cyber policies “is horribly over-classified.” Edward Snowden’s revelations galvanized public interest in cybersecurity by providing a window into certain governments’ cyber capabilities, but also reinforced their extreme aversion to publicly discussing them. Absent greater transparency, the U.S. Congress cannot meaningfully exercise oversight of current U.S. cybersecurity activities or explain them to the public.

Although the U.S. government has yet to develop robust cyber policies and doctrine, it has taken the first steps to create such policies via a series of primarily classified directives and memoranda. One leaked Top Secret document, for example, explains that the use of a cyber-weapon outside of a declared war requires the President’s personal authorization and that before conducting a cyber-attack, the U.S. military must take into account its potential impact on the security and stability of the Internet (as a whole) and whether it would promote negative international norms. Enhanced information sharing between companies and government, new mechanisms to combat cybercrime, and improved data breach notification are three additional policy areas on which the U.S. government is currently focused.

But large gaps remain in this policy patchwork. For starters, it covers only military cyber operations, ignoring those carried out by the NSA, CIA, or law enforcement agencies. Second, it does not establish ground rules for responding to cyber-attacks once they occur. For example, it is unclear how the U.S. will respond to cyber-attacks against critical infrastructure, U.S. government networks, or private sector entities like Sony.

In the aftermath of an attack—even one that does not cause any bodily harm—a government faces immense pressure to make quick decisions often based on incomplete information. The lack of clear doctrine forces governments to invent new, rushed policy responses every time a major attack happens. This risks unpredictable and dangerous policy decisions being made, such as the U.S. Defense Science Board’s recent recommendation that the U.S. government reserve the right to use nuclear weapons in response to a cyber-attack. In fact, the current lack of cyber rules of engagement arguably resembles the 1940s when the U.S. rushed in secret to develop a nuclear weapons capability without first thinking through the devastating impact of a nuclear arms race.

The U.S. and other governments must move quickly to put in place clear and comprehensive doctrine to guide their cybersecurity policies. Ad hoc responses are dangerous and short-sighted. Along with the private sector, civil society, and partner nations, Washington must develop comprehensive policy frameworks that balance national security, private sector, and other international interests. It is possible for government to have a transparent conversation about how it would deploy cyber weapons or respond to certain types of cyber-attacks without compromising classified cyber operations and capabilities. Such a conversation is absolutely critical both domestically and globally in the aftermath of the Sony cyber-attack. The upcoming Cybersecurity Summit at Stanford University is the perfect opportunity for the U.S. government to start working with domestic and international stakeholders to develop a comprehensive cybersecurity doctrine.

