Modern field guide to security and privacy

Opinion: Obama needs a cyberwar cabinet

The Sony hack demonstrated that modern warfighting will be defined as much by circuits and networks as by missiles and guns. Therefore, we need a new war cabinet comprised of cybersecurity experts from government and the private sector to ensure the US can respond in real time to the next massive breach.

|
Jeff Chiu/AP
President Obama spoke at the White House Summit on Cybersecurity and Consumer Protection at Stanford University in February.

When Kim Jong-un launched an unprecedented cyberattack against the Sony Pictures Entertainment in November, a White House spokesman called it a “national security issue” that compelled President Obama to consider “a range of options.”

The president quickly assembled his war cabinet: the intelligence community to tell him the what, why, and how; departments of State, Defense, and Treasury to review response options; and the FBI and Department of Homeland Security to assess whether the attack to be part of a larger threat that could put the nation’s critical infrastructure in danger.

But something was different with the Sony hack than any previous conflict. For perhaps the first time in our nation’s history, our commander-in-chief needed real-time input from the private sector to develop appropriate countermeasures and convey a coherent message to the American people.

After all, a nuclear-armed state committed an act of cyberwarfare against a private company that owned and managed its own networks. While many debate the exact definition of cyberwar, there is no debate that North Korea used a virtual weapon to cause damage on American soil, and did so with political intent. This was not an act of vandalism, theft, espionage, or crime.

Sony did its own damage assessment and made its own decision about how to respond. It conveyed in official press releases that anyone attending the movie premiere would be “risking their lives.” Similarly, Motion Picture Association of America Chairman Chris Dodd – not a government official – was the most instrumental person in determining whether movie theater owners would defy North Korea and show “The Interview” on Christmas Day. Remember, the hackers threatened to conduct mass causality attacks against any cinemas that played the movie.

The response wasn't perfect, but there was no playbook for a breach of this magnitude. The president and his team of government officials struggled to define the attack on Sony as anything more than cybervandalism, attribute it to North Korea, or provide a clear message to the nation. Eventually, the president correctly labeled the attack as state-sponsored and imposed new sanctions on North Korea.

It is unclear what government would do if, say, North Korea had threatened to take control of passenger train switches or hydroelectric dam operations unless the US military pulls out of the Korean Peninsula. Would government seize control of these private-sector operations during such a crisis or order its owners to keep operating? Could government officials even make informed decisions without real-time input from system owners?

The American people place great trust in their military, intelligence, and homeland security personnel to keep them safe against foreign enemies. But the Sony hack demonstrates the ways in which the 21st century battlefield is defined as much by circuits and networks in the homeland as it will be by missiles and guns, and we must ensure the right “generals” are at the table formulating our response. 

This is our cybersecurity playbook wake-up call. We need a national response structure designed for the nature of a threat unlike any other we have faced before. The next attack could involve the energy grid or the air traffic control network, and we can’t afford to be making the rules as we go.

That’s why Mr. Obama should create a cyberwar cabinet comprised of leaders from both government and the private sector, so we’re ready to respond in real time the next time a breach happens.

As a former senior administration official at both the Pentagon and Department of Homeland Security, I know the national security community will wince at the idea of giving voice to the private sector during crises. Our military, intelligence, and diplomatic institutions are central and sovereign in executing the president’s policies beyond our borders, while state and federal law enforcement expect sovereign domain in domestic counterterrorism and counterintelligence.

However, these institutions will always be slow to grasp how central states and the private sector are during homeland emergencies. This reality compels us to create a fundamentally different cyberwar cabinet for the homeland, which institutionalizes a direct, coequal role for non-federal and private sector partners.

It’s the only responsible course. The private sector owns and operates most of America’s critical infrastructure, spanning telecommunications, manufacturing, energy, hospitals, transportation carriers and financial institutions. These industries must have a formal role in national cybersecurity decision-making, as they are most likely to absorb the physical effects of cyberattacks. Recovery takes place on their operating systems. Often, they see intrusions first, understand their impact, and possess unique options for rapid recovery.

The president’s cybersecurity summit in February at Stanford University, brought critical attention to an issue that seldom makes the front page until we’re in crisis mode. He has issued new executive orders to increase public-private information sharing about threats and to improve government’s ability to identify downstream impacts. These actions, while important, do not go far enough.

America’s decision-making framework on attacks remains one where industry informs government, and government develops response options for the president. We do not have time for a two-step approach for managing domestic cyberevents. Government must move beyond the mindset that it alone can make informed, timely decisions.

The president needs the right voices at the decision-making table at the right time. Government cannot rely on itself the way it does for managing crises beyond our borders. The next firewall breach could jeopardize more than private information held by a single American media company. It is time the private sector be given a formal seat at the cyberwar table – and a big one, at that.

Todd Rosenblum is president of National Security Outcomes. He previously served as the Pentagon’s acting assistant secretary for Homeland Defense and deputy under secretary of intelligence at the Department of Homeland Security from 2009 to 2015.

 

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

QR Code to Opinion: Obama needs a cyberwar cabinet
Read this article in
https://www.csmonitor.com/World/Passcode/Passcode-Voices/2015/0311/Opinion-Obama-needs-a-cyberwar-cabinet
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe