Smart Steps to Prevent a Cybersecurity 9/11
In laying out his policy at the end of May, President Barack Obama rightly emphasized the need to make cybersecurity a higher priority for the country. America’s digital infrastructure is indeed the backbone that underpins a prosperous economy and a strong military, and as Obama said, without it, we can’t get the job done. But his 60-day policy review merely posed the tough questions. Coming up with the right answers will be one of the key challenges of his presidency.[IMGCAP(1)]While Americans have integrated cybertechnology into virtually all aspects of their business and personal lives, they remain ignorant of just how vulnerable that system is. We just got a big wake-up call with the greatest security breach in our nation’s history — computer hackers just tried to steal some of the plans for the nation’s most expensive weapons project, the $300 billion Joint Strike Fighter. Our intelligence officials are already warning that terrorists could use technology to attack us. Our nation’s electrical grid, air traffic control system, our energy supply and our ability to communicate and do business could be shut down by criminals and terrorists. The damage from such attacks on our infrastructure could be an economic 9/11 for this country. Yet, we are not on a war footing to protect us from this danger.Preparing a 21st-century defense against this threat will require Americans — and the world — to change the way that we run the cyberworld. That means the U.S. government must take the lead in changing the current business model for the cyber industry. That will require a new partnership between business and government, and yes, some compromises on privacy. Certainly, it will require the new White House cyber czar proposed by Obama. What it should not require is a new bureaucracy and regulatory stranglehold that will prevent our private sector from maintaining the competitive edge to keep our economy strong. As Obama begins to implement his review findings, he must keep four important goals at the forefront.First, the government must take the lead in making cybersecurity a successful business component of the industry. With around 6 percent of the market, the U.S. government is the country’s largest information technology consumer. If it can set new standards and create the right incentives, it can lead the private sector — almost half of the market — to adopt similar security standards. What that means in practice is the U.S. government must insist on more secure technologies for our cyber infrastructure — and provide tax breaks, link liability to improved security and give other incentives to encourage companies to meet that demand. Certainly, some new regulations and standards would accompany the changes — but they must not be overly burdensome, bureaucratic or inefficient.Second, the process cannot be overly secretive. Former President George W. Bush began the process in January 2008 when he initiated the Comprehensive National Cybersecurity Initiative, which set guidelines to secure federal systems. But too much of the effort remains classified and thus off limits to the very companies that must provide the government with the tools to meet those goals. That makes no more sense than leaving the architect of a building ignorant about where the safe will be located. Obama must develop a more open partnership with business about its needs. Then, American business can respond — while protecting America’s secrets.Third, Obama must strike the right balance between protecting Americans’ security and their privacy. Americans are understandably reluctant to permit the government to roam around their personal computers. But as we have in the past, Americans are willing to cede a small amount of privacy if they understand it is in their own security interests. We allow airport officials to search all our belongings and even to do body scans. There has been no outcry over the fact that credit card companies track our spending. Most of us at some point have received a call of “unusual spending activity— on our credit cards while traveling. It is not much of a leap to permit the government to track communications patterns to ensure our computers are not being hacked by criminals and terrorists, while assuring the public that the government will not be reading its e-mails or inappropriately sharing the pattern information. But it is up to the government to make the case. Lastly, Obama can only succeed if he establishes an international system in the United Nations to oversee a global early warning system to protect our cyber industries. Efforts to date are wholly inadequate to the challenge. The international 24/7 network of cyber investigators established by the G8 nations in 1997, in which 55 countries now participate, has enabled crime investigators to “fast freeze— e-mail traffic and other stored electronic data to preserve the digital footprint of criminals and terrorists. But we need a global system to identify and isolate these threats as quickly as possible. Creating new international rules of the road will not be easy and poses difficult decisions regarding how much information we can share with certain difficult countries. But just as the UN already runs the international air traffic control system, we must develop an international system that sets standards of information sharing to detect trends and potential threats against our 21st-century way of life.Unless we take these steps now, we will regret failing to protect the country from a global economic 9/11.Nancy Soderberg is a former ambassador to the United Nations and deputy national security adviser.