Obama's strategy for countering cyber attacks

He will appoint a 'cyber czar' and bring government and industry together to work on the problem. But is cooperation possible?

President Barack Obama delivers remarks on his new cyber-security plan on Friday, in the East Room of the White House

Gerald Herbert/AP

May 29, 2009

President Obama will appoint a "cyber czar" to lead his administration in combating the worrisome number of cyber attacks against US government and private networks.

The problem posed by cyber attacks permeates American society. Mr. Obama, in announcing the new administration position Friday, referred to one incident last year in which cyber thieves used stolen credit-card information to take millions of dollars from 130 ATMs. "And they did it in just 30 minutes," he said.

Obama also said that during the presidential campaign last fall, hackers broke into his campaign's computer system to obtain sensitive information about campaign travel plans and policy positions.

"It was a powerful reminder, in this information age, one of your greatest strengths – in our case, our ability to communicate to a wide range of supporters through the Internet – could also be one of your greatest vulnerabilities," he told a group of government and industry officials in the East Room of the White House.

The president noted, to laughter, that no information about campaign contributors was stolen.

There were some 37,000 cyber attacks in the United States in 2007 – up 800 percent from 2005, according to a recently published estimate that cited data from the Department of Homeland Security. And the Pentagon is routinely fielding cyber attacks – some with success. Last year, hackers thought to be with the Chinese military broke into an unclassified e-mail system in Defense Secretary Robert Gates's office, which forced thousands of military officials to stop using so-called thumb drives or memory cards in their government-issued computers.

Obama, the first US president to insist on access to his own e-mail system, did not say who he would pick as cyber czar. But he sketched his approach to the problem in broad-brush strokes, bringing government and industry together to develop a strategy that would aim to "deter, prevent, detect, and defend" against attacks and prevent "weapons of mass disruption" from bringing the US digital infrastructure to its knees.

But in doing so, he will be arranging a marriage between government and private industry when each might be happier staying single. Industry efforts to counter cyber attacks tend to be more effective than public efforts. And companies are wary of sharing their information with one another, let alone the government.

"We've developed an environment in which there is cooperation, but I think there is still a lack of trust," says Neill Sciarrone, who was special assistant to President Bush for cyber security and information sharing.

Obama said he will develop a strategy without pushing onerous regulations on an industry wary of such intervention. He also sought to assure Americans that he does not support violating their own privacy to achieve his ends.

"Our pursuit of cyber security will not, I repeat, will not include monitoring private-sector networks or Internet traffic," he said. "We will preserve and protect the personal privacy and civil liberties that we cherish as Americans."

The administration will walk a fine line, says Mark Gerencser, senior vice president with Booz Allen Hamilton, a consulting firm in Washington, who participated in a cyber-attack "war game" in December with top Pentagon and Homeland Security officials.

"One of our clear findings was balancing privacy and security, and that has to be kept in mind," he says. "Given our freedoms and liberties that we value so dearly, some security measures just won't work."

The answer to cyber-security problems also lies in creating a policy in which offensive and defensive operations work together, experts say.

The US, Mr. Gerencser says, should be playing soccer – one set of players for both offense and defense. But instead, it's playing football, using different players for different operations.

"The real problem is that cyber is one of those issues that affect private and public sectors," he says. "The government can't do it by itself."

Yet the government has problems sharing information, raising questions about just who's in charge, Ms. Sciarrone says. For example, the Pentagon protects all "dotmil" websites and e-mail networks, and the Department of Homeland Security is charged with protecting all "dotgov" entities. But for the most part, the two agencies aren't well integrated to confront the problem.

Sciarrone is studying the issue for the Project on National Security Reform, which aims to restructure the antiquated national-security infrastructure to make it effective against the kinds of enemies the US now faces.

"We need to understand our adversaries," she says.

Part of the administration's strategy will be to create a new "cyber command" within the Defense Department. Details on that will emerge in coming weeks, defense officials say. "Cyber Com" will probably be what's known as a sub-unified command, falling under US Strategic Command. Cyber Com is likely to be located at an Army base at Fort Meade, Md., outside Washington. It will be focused as much on defensive operations as on offensive ones.

"It's gotta be both," says one military official, who asked not to be named due to the sensitivity of the issue. "It's a war-fighting realm, so it's gotta be both."