When Kim Jong-un launched an unprecedented cyberattack against Sony Pictures Entertainment in November, a White House spokesman called it a “national security issue” that compelled President Obama to consider “a range of options.”
The president quickly assembled his war cabinet: the intelligence community to tell him the what, why, and how; departments of State, Defense, and Treasury to review response options; and the FBI and Department of Homeland Security to assess whether the attack was part of a larger threat that could put the nation’s critical infrastructure in danger.
But something about the Sony hack was different from any previous conflict. For perhaps the first time in our nation’s history, our commander-in-chief needed real-time input from the private sector to develop appropriate countermeasures and convey a coherent message to the American people.
After all, a nuclear-armed state committed an act of cyberwarfare against a private company that owned and managed its own networks. While many debate the exact definition of cyberwar, there is no debate that North Korea used a virtual weapon to cause damage on American soil, and did so with political intent. This was not an act of vandalism, theft, espionage, or crime.
Sony did its own damage assessment and made its own decision about how to respond. It conveyed in official press releases that anyone attending the movie premiere would be “risking their lives.” Similarly, Motion Picture Association of America Chairman Chris Dodd – not a government official – was the most instrumental person in determining whether movie theater owners would defy North Korea and show “The Interview” on Christmas Day. Remember, the hackers threatened to conduct mass casualty attacks against any cinemas that played the movie.
The response wasn't perfect, but there was no playbook for a breach of this magnitude. The president and his team of government officials struggled to define the attack on Sony as anything more than cybervandalism, attribute it to North Korea, or provide a clear message to the nation. Eventually, the president correctly labeled the attack as state-sponsored and imposed new sanctions on North Korea.
It is unclear what government would do if, say, North Korea had threatened to take control of passenger train switches or hydroelectric dam operations unless the US military pulled out of the Korean Peninsula. Would government seize control of these private-sector operations during such a crisis or order its owners to keep operating? Could government officials even make informed decisions without real-time input from system owners?
The American people place great trust in their military, intelligence, and homeland security personnel to keep them safe against foreign enemies. But the Sony hack demonstrates the ways in which the 21st century battlefield is defined as much by circuits and networks in the homeland as by missiles and guns, and we must ensure the right “generals” are at the table formulating our response.
This is our cybersecurity playbook wake-up call. We need a national response structure designed for the nature of a threat unlike any other we have faced before. The next attack could involve the energy grid or the air traffic control network, and we can’t afford to be making the rules as we go.
That’s why Mr. Obama should create a cyberwar cabinet comprised of leaders from both government and the private sector, so we’re ready to respond in real time the next time a breach happens.
As a former senior administration official at both the Pentagon and Department of Homeland Security, I know the national security community will wince at the idea of giving voice to the private sector during crises. Our military, intelligence, and diplomatic institutions are central and sovereign in executing the president’s policies beyond our borders, while state and federal law enforcement expect sovereign domain in domestic counterterrorism and counterintelligence.
However, these institutions will always be slow to grasp how central states and the private sector are during homeland emergencies. This reality compels us to create a fundamentally different cyberwar cabinet for the homeland, which institutionalizes a direct, coequal role for non-federal and private sector partners.
It’s the only responsible course. The private sector owns and operates most of America’s critical infrastructure, spanning telecommunications, manufacturing, energy, hospitals, transportation carriers and financial institutions. These industries must have a formal role in national cybersecurity decision-making, as they are most likely to absorb the physical effects of cyberattacks. Recovery takes place on their operating systems. Often, they see intrusions first, understand their impact, and possess unique options for rapid recovery.
The president’s cybersecurity summit in February at Stanford University brought critical attention to an issue that seldom makes the front page until we’re in crisis mode. He has issued new executive orders to increase public-private information sharing about threats and to improve government’s ability to identify downstream impacts. These actions, while important, do not go far enough.
America’s decision-making framework on attacks remains one where industry informs government, and government develops response options for the president. We do not have time for a two-step approach for managing domestic cyberevents. Government must move beyond the mindset that it alone can make informed, timely decisions.
The president needs the right voices at the decision-making table at the right time. Government cannot rely on itself the way it does for managing crises beyond our borders. The next firewall breach could jeopardize more than private information held by a single American media company. It is time the private sector be given a formal seat at the cyberwar table – and a big one, at that.
Todd Rosenblum is president of National Security Outcomes. He previously served as the Pentagon’s acting assistant secretary for Homeland Defense and deputy under secretary of intelligence at the Department of Homeland Security from 2009 to 2015.