The Challenge

Government isn’t well-organized to combat cyber threats.

Government isn't well-organized to combat cyber threats.

Any discussion of cybersecurity probably should begin by asking how our risk is unique compared to that of other nations'. The short answer is that in many countries, the government owns and controls the telecommunications industry and related cyber infrastructure. This is true to such an extent that when you pick up the phone, use a cellphone or a wireless service, transmit a fax, access the Internet, or send and receive email overseas, you're likely sending the communication to that nation's internal security or intelligence service.

Our tradition of private enterprise and limited government could make us more vulnerable to cyber threats. It also limits the federal government's ability to influence key security aspects of our cyber and other critical infrastructure.

Our gradual and delayed discovery of this reality was painful to experience, and predates many of our concerns about cybersecurity. Recall that with the many new telecommunications companies and business models emerging in the 1980s and 1990s, our intelligence and law enforcement agencies, which had long-term relationships with "Ma Bell" and AT&T, had to introduce themselves to the new companies. This was sometimes frustrating.

For example, when presented with judicial warrants, many of these new companies simply didn't know what to do with them, or they lacked the technical capability to comply with the orders.

This had to be fixed; otherwise, the breakup of AT&T would have meant a failure of the nation's law enforcement and intelligence agencies to use the limited authorities they had. The answer to this conundrum, indirect and cumbersome as it was, came in 1994. It is called the Communications Assistance for Law Enforcement Act. CALEA basically did three things: It stated that the new telecoms had to comply with warrants and other official requests for information by law enforcement and intelligence authorities.

It set aside millions of dollars for the new telecoms so that they could build the capabilities necessary to comply with warrants and other official requests. And finally, it allowed the new firms to contract out these key responsibilities to so-called trusted third-party providers (this part was added in 2007, when the law was expanded to include broadband carriers).

The CALEA approach has worked so well that we apparently are going to do it again for all our broadband and cell service providers, which suggests our government's ability to influence the security of much of our private cyber infrastructure might be limited to throwing money and regulations at the problem. What's more, this approach isn't likely to assure uniform implementation or even compliance.

The Human Factor

If we took everything we know, especially what we have learned the hard way about spies and espionage, then multiplied it by a million, billion or even a trillion (the newest measure of government spending) we might come close to the counterintelligence risk presented from cyber technology.

Any and every secret we have in digital format can literally go viral in a microsecond. The potential damage is truly catastrophic.

Perhaps the best example of this risk is the WikiLeaks dump of classified State Department diplomatic cables. All were reportedly copied by a lone Army private in a matter of seconds, and apparently without anyone the wiser that there had been a data breach. Unfortunately, we are probably going to see more and more of this kind of thing. In short, imagine the damage dedicated spies like the CIA's Aldrich Ames and the FBI's Robert Hanssen could have done as cyber spies.

Any meaningful cybersecurity framework absolutely must have a well thought out counterintelligence annex. This should apply whether a military, civilian or intelligence agency is responsible for a particular activity or mission.

This insider threat can't be emphasized too much: Probably the largest short-term risk to cybersecurity is human: people motivated by traditional reasons for espionage or sabotage who access and pass information, or who weaken, damage, infect or disable cyber systems. In the final analysis, truly effective cybersecurity depends on truly reliable people.

Institutional Barriers

Another significant challenge for federal agencies is that members of Congress are schizophrenic about many intelligence activities: They want to know about them, but they also sometimes want to deny knowledge of those activities after the fact, especially when it becomes politically expedient.

Congressional notification policies for cyber have to address everyone's equities. Also, Congress is as territorial as the executive branch, in that every committee with even a small interest in cybersecurity has drafted-and will continue to draft-legislation that applies to the whole of government, whether it makes any sense to do it or not. Congress can't help itself.

For example, having first created the Homeland Security Department in 2002 and the Office of the Director of National Intelligence in 2004-both against the desire of then-president George W. Bush and much of the executive branch-Congress will continue to enable and obligate these new entities with critical cybersecurity roles, missions and responsibilities, many of which they simply cannot and will not be able to perform for some time. This, in itself, extends the period of vulnerability we have for basic cybersecurity, primarily because of the learning curve required, and will be a dangerous period for us, whether it's acknowledged or not.

Because the National Security Agency is part of the Defense Department and there are long-standing policy objections to NSA assuming broad cybersecurity roles and responsibilities, there are massive and very expensive efforts under way to duplicate NSA capabilities in other agencies, including law enforcement agencies. Such a transition, duplication or transfer (however it's described) creates both a period of danger and an engraved invitation for a cybersecurity disaster. Accordingly, this process should be closely monitored by an independent and outside red team of technical and legal experts. In other words, this is way too important to screw up, yet it's almost bound to happen unless the process is very closely managed.

All the traditional ghosts in the intelligence collection business (and even some new ones) will also walk in the realm of cybersecurity. For example, most collection management principles and issues apply to information obtained by cyber means, as does the management of collection assets, whether human or technical. And obviously, cybersecurity issues will become increasingly important in "covert actions" and "special activities" as defined by public law and executive order, as well as military "special operations," including "information operations" and "public diplomacy," however these activities are defined or managed.

We must learn from past efforts to manage new categories of information. For example, when we entered the nuclear age in the 1940s and 1950s, we created, by statute, so-called restricted data and other subcategories for sensitive atomic energy-related information. Looking back on this, it probably caused more trouble than it was worth. It has also figured prominently in the mismanagement and compromise of some extremely sensitive information from time to time. Lesson: Let's not do this again in cybersecurity.

Finally, we must establish policies and rules for embedded technical capabilities and other inadvertent collections. Why? Throughout my federal service, some of the scariest situations I encountered involved the following: An "operator" with a military mission to destroy or disable something learns that he can also control it and learn things from it (the "operator" becomes a "collector"); or a passive "collector" sees that he has "active" capabilities against the system he is targeting.

You get the idea here: If there ever was an activity that amplified both the probability and significance of these kinds of security anomalies, it is the various cyber missions, passive or active, offensive or defensive, sensitive or routine. We need to have comprehensive plans to deal with them, as well as organized and thoughtful ways to take advantage of them and protect ourselves from exploitation and sabotage.

Where to Start

We had little choice but to start where we did with the organizations and laws we have, but we need many new or revised plans, policies and rules to guide us. And clearly, some of these, especially the ones that could possibly involve or affect citizens, should be approved and promulgated by the attorney general.

We also may discover some advantages to having a hodge-podge of dispersed private cyber infrastructure and we should think about this aspect of our risk when we contemplate structural changes. Perhaps most important, however, when we want to know where to start and what to do first, we need an accurate and objective self assessment, which includes identifying what and where our most serious vulnerabilities are.

The key recommendation here is that we should enable operational test teams (assembled from the NSA, the new U.S. Cyber Command, Homeland Security and the FBI) to actively probe our cyber infrastructure, both public and private, especially our dot-gov and internal "secure" systems, as well as our Internet nodes and service providers. These activities should be done primarily to identify our vulnerabilities and mitigate the risk.

This recommendation should be done in conjunction with enabling legislation, primarily because these teams could acquire information about U.S. citizens during such operations. For the limited purpose of assessing our nation's cyber vulnerabilities and then taking corrective action, however, these activities would be legal and politically defensible. In fact, existing limitations on the retention of inadvertently collected information should be adequate.

Such testing of our critical systems is not a new idea, and should be expanded to help guarantee our basic cybersecurity and help us assure our privacy at the same time. This is because privacy is inextricably linked to the security of the cyber systems upon which we depend.

Another key recommendation is to give someone or some agency the authority to shut down or interrupt various critical cyber systems, including the Internet.

This is nothing new, at least conceptually, and could mirror similar authorities held by agencies or officials during national emergencies. Such authority should be subject to approval by the attorney general or the president and require reporting to congressional leaders. It would be extremely limited, and could apply to an enumerated list of cyber threats.

I hope at least some of these recommendations are under way. I know many are not, however, because they require political will as well as amendments to the legal and regulatory framework that governs national security activities and intelligence operations.

In addition, we need to remember that state and local laws generally have fewer constraints on these kinds of activities. In fact, state and local legal regimes generally do not distinguish between law enforcement and intelligence activities, nor are there significant distinctions between the various uses for information collected or otherwise obtained by state or local authorities. This is an advantage that should not be ignored in the overall management of cybersecurity.

In the final analysis, while many cybersecurity issues are truly new and emerging, many others should evoke familiar (and perhaps painful) lessons from the not too distant past.

Most important, let's honestly assess the gravity of the threats against us and test our critical cyber systems by putting them under closely managed stress. It's probably the only taste of cyberwarfare reality we can give ourselves before someone or some nation or organization with malevolent motives shuts us down and watches us squirm.

Daniel Gallington was a member of the Senior Executive Service and deputy counsel in the Office of Intelligence Policy and Review at the Justice Department. He also served as general counsel for the Senate Select Committee on Intelligence and deputy assistant secretary of Defense for territorial security.

NEXT STORY: Justice Delayed

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.