The rites of post-election spring in D.C. are constant. Newly elected politicians struggling to get a handle on their job. The blooming of new rumors with regards to who is taking what undersecretary job and who is against them. Like the cherry blossoms bursting forth here in April, it is a dependable ritual.
Another cherished ritual is trying to figure out exactly what kind of policy direction the new Administration needs to pursue on infinitely complex matters – ones that seemed so easy in the campaign. In the case of cyber space and the U.S. intentions and actions therein, it is extraordinarily complicated.
New issues – 21st century issues – are hard to deal with in D.C. This town was born in World War II and its bureaucratic structure is a tribute to mid-20th century organization charts – layered and stove-piped. And they certainly not meant to deal with private sector issues beyond taxation and regulation. But, the cyber world we live in today hardly fits the U.S. Government model.
President Obama was the first to experience cyber space – and its connecting systems of the internet – full blast. Within his eight years, Obama was whipsawed by a world-wide social media explosion, the rapid decline of “old media” information providers, an acceleration of the decline of traditional “brick and mortar” business replaced by virtual offices, and a rapidly expanding “gig economy” for a new generation of young people.
The Obama Administration also experienced a domain in which America lost its position as the dominant player – with less than ten percent of the world’s users and shrinking — that could be outmatched and outwitted by smaller, more agile players from North Korea to groups like Anonymous and WikiLeaks. They exposed our public and private secrets. They reached into our inadequately secured systems. And they did it with relative impunity.
Other larger nation states sensing our vulnerability – particularly Russia and China – have used cyber space to their advantage. While controlling its use over its own population, Moscow and Beijing have gleefully used it to steal our secrets and to exercise power in our elections. They have literally built armies to exploit this new domain. America might be powerful on land, sea, air, and space. But we are more than equaled by them in cyber space.
At home, complicating our actions has been the development of a huge cyber culture. Eighty-five percent of cyber space is held in private hands. Five of the six top U.S. companies by market worth are tech firms ranging from Apple to Facebook to Microsoft. Mark Zuckerberg, Steve Jobs, Jeff Bezos, and Bill Gates are household names. And with them has come a libertarian generation who view all government as inept, and value information security above issues of national security.
So, What Is a Government to Do?
The Obama Administration did what governments traditionally do. They reacted big time. They set up “public-private partnerships.” The cleaved a Cyber Command out of the body of the NSA. They engaged in a series of meetings with international players – governments and corporations – to establish rules of the road in cyber space. And they set up department functions at FBI, DHS, and elsewhere to address specific issues with another in a line of relatively powerless White House czars – always forgetting what happened to the last czar of Russia.
And after all that effort, how is the USG doing? Well, the Russians stuck their noses deeply and freely into their first American election. Security in cyber space remains somewhat of a joke with endless breaches and continued thievery of information. The public-private partnership is a morass of disappointment for both the public and private sector. The internal USG bureaucratic struggles march onward over who is in charge of what and can reach out to whom. Mark Zuckerberg, further solidifying America’s cyber culture, wants to run for President. And we have a President who tweets.
It seems to me the time has come to establish a clear U.S. based doctrine for cyberspace. What does the USG want for our country from cyber space? In the Cold War, we pursued a series of strategies around a doctrine of Containment. We did not want the USSR to make the world communist. We would not allow another country to become communist. We would try to change over the ones that were. And we wanted to tip over the USSR. Not easy. Lots of failed strategies and some pretty successful ones. Took nearly 45 years. But we did it.
So, what about a Cyber Doctrine that simply says America needs to protect itself and its interests at home to maintain a free and secure internet for Americans – a National Cyber Security Doctrine.
First of all, recognize it’s going to take time to build success and we need to be flexible. We are in the earliest stages of cyber world. It’s like trying to determine air power strategy in 1914. In 20 years, we’ve gone from dial-up modems to the Internet of Things. Artificial intelligence is just in its infancy. We don’t know what we don’t know.
Second, understand that we are simply internationally outgunned on this one. There are four billion users of cyber space and the number continues to rise every day. There are 325 million Americans. We are big. But China and India are bigger. And so are the populations of the Middle East, Latin America, and Africa. And most of them don’t have a libertarian viewpoint of the world. We can continue negotiating internationally, but it is going to do little good for now.
Third, the White House needs to ask what can government do to make a secure and free internet at home. Follow the money. Appoint a National Cyber Director based in the Office of Management and Budget and as part of the National Security Council who will direct with money and program control over what the USG will do and will not do. That money and program power is crucial. Otherwise, no one in the USG will pay attention to them one bit.
Fourth, and finally, stay out of the direct intervention business with the private sector. Stay above the fray. You set standards. Provide tax breaks to get corporations and people truly interested in developing security for cyber space. Set legal penalties for when they don’t. For instance, the Internet Service Providers have been lax regarding security practices by their customers. (When is the last time you changed your password into something secure, not 123546 or password.)
A USG focused on security and access to cyber space at home is the best approach in a domain over which we have little practical control. Sometimes doing a little is the hardest thing to do. But a restrained National Cyber Doctrine is much better than doing too much.