An inconvenient truth about relying on technology to solve complex problems is that technological innovation is never sufficient, and sometimes not even necessary. In the national security realm, cybersecurity is the clearest example of this caveat, because preventing information theft or corruption is as much about organisation as it is about technology.
The Obama administration’s recent creation of a military cyberspace command is well intentioned in this respect, but it is a very modest beginning. The battle for cybersecurity will be won or lost in the trenches, where who does what takes a back seat to doing it well.
From culture war to cyberwar
In June, US Defense Secretary Robert Gates authorised the creation of Cyber Command, the first military organisation specifically charged with coordinating the security and operations of computer networks belonging to the armed services and the Pentagon. Gates plans to appoint Lt. Gen. Keith Alexander as commanding officer of Cybercom. Alexander currently heads up the National Security Agency, the main communications intelligence entity in the US national security structure.
The choice of Alexander as the military’s ‘cyber tsar’ has drawn criticism from observers and some officials concerned about privacy and legal issues. In this respect, a well-publicised criticism came from from Rod Beckstrom, former chief of the National Cyber Security Center, who resigned in March.
Although citing funding and administrative roadblocks as the primary reason for his resignation, Beckstrom complained that the NSA ‘currently dominates most national cyber efforts’, specifically criticising what he termed NSA’s ‘effective control’ of the cyber efforts of the Department of Homeland Security, under which the NCSC operates.
In theory at least, DHS coordinates the protection of the US from foreign threats, and the NCSC coordinates all government cybersecurity efforts.
Beckstrom, a Silicon Valley entrepreneur before coming to Washington, asserted that NSA primacy in the cyber arena was ‘a bad strategy on multiple grounds’. The ground that received the most press was the potential handling of all government cyberactivity by a single organisation, which inherently poses threats to democratic processes.
Attracting much less attention was Beckstrom’s observation that the intelligence culture is very different to a network operations or security culture. This is a critical insight, because it may be true not only for culture, but also for organisation and mission – and thus technology.
Reorganising the bureaucracy
In principle, some degree of centralised management is clearly desirable. The Department of Defense (DoD) currently operates over ten thousand separate networks and more than seven million discrete computing-capable devices, according to Pentagon sources (which might be significantly underestimating numbers for secrecy purposes). If central technology staff organisations and chief technology officers are helpful to large corporations, they should be even more helpful to the government.
Equally, the monolithic cyberagency feared by Beckstrom is not yet reality. Within the Defense Department alone, the NSA splits cyberspace activities with entities such as the Defense Information Systems Agency, which essentially serves as an IT support staff for the military’s ‘line’ divisions. The individual services also have their own cyber initiatives. In particular, the USAF has an active data warfare (DW) unit with a more offensive focus.
Yet responsibility for DoD network security as such is highly centralised, at least in principle. At least initially, Cybercom will function under the aegis of Strategic Command, which is already officially responsible for computer security. Stratcom generally directs military activities in areas that transcend service and geographical boundaries such as nuclear deterrence and space utilisation.
Ironically, the NSA itself has statutory responsibility for government cybersecurity. The NSA has two major branches: the Signals Intelligence Directorate, which eavesdrops on foreign communications, and the Information Assurance Directorate, which protects US information assets and transmissions. The Homeland Security Presidential Directive 23 (NSPD 54), signed by then-President Bush in January 2008, designated the NSA as the lead agency for monitoring and protecting all of the federal government’s computer networks from cyberterrorism.
So is the problem (if there is one) too much centralisation, or too little? Or something else entirely?
Money or ideas: which comes first?
Political regime change can disrupt actual work, but nuts-and-bolts policy continuity across administrations is fairly common in national security. For geopolitical reasons, consistency is generally desirable, but flawed implementation constitutes foolish consistency, which is not only the hobgoblin of little minds, but of real security as well.
The idea of a unified cyber command first arose in autumn 2008, after Bush’s top intelligence adviser, Mike McConnell, argued that the government needed greater powers to prevent what he characterised as a potential ‘cyber-9/11’. Subsequently, the Bush administration launched an initiative to protect government networks from cyberattack. This effort is estimated to cost at least $6bn in 2009 and up to seven times that over the next few years.
Major defence firms thirst after this kind of revenue flow but according to some national security officials, whether or not the government will get what it pays for is far from certain.
In a piece on the defence industry, the Wall Street Journal quoted a senior intelligence official as saying, “…are we going to dump money like we did after 9/11, or are we going to get something for the money we spend?” As demonstrated by the US weapons-buying spree this decade, sharp spurts in spending lead to waste and inefficiency.
Having made an issue of this during the campaign, President Obama ordered a 60-day review of US cyberpolicy in February. The review, which was headed (perhaps ironically) by Melissa Hathaway, one of McConnell’s top cybersecurity advisors, ultimately deferred judgment on specific security measures, particularly regarding private-sector areas such as the nation’s power grid.
For his part, Alexander has expressed reluctance (at least publicly) to act as the cyber tsar that would implement such measures.
At an April security conference in San Francisco, Alexander stated that the NSA ‘did not want to run cybersecurity for the US government’. Instead, Alexander espoused a ‘team’ effort under which DHS would protect all civilian government networks and the NSA would guard military and intelligence networks. Alexander did not specifically tackle the question of protecting defence contractor computer networks—although in fairness, this was before hacker penetration of the F-35 JSF programme hit the front pages.
Management wisdom first, technological brilliance later
Giving missions to those who already have related expertise can be a mistake because the experts won’t always embrace the same priorities as the top executives. The USAF has focused on cyberwarfare more than other services because DW is highly useful in defence suppression during discrete tactical offensive missions (e.g. the Israeli air raid on Syria’s nuclear facility). However, guarding DoD infrastructure against hackers is defensive rather than offensive, ongoing rather than discrete—in short, a different mission altogether.
By this reasoning, early plans to centralise cyber efforts within the USAF were conceptually flawed. Even from a purely military perspective, cyberattacks are more likely to impact all services collectively (e.g. an attack on satellite communications) or in conjunction (e.g. spoofing IFF responses) than any service individually. This indicates that requires a non-parochial response.
Conversely, having the NSA-run cybersecurity is better – but the NSA has mission biases of its own. In particular, the NSA’s bread and butter has been intercepting and protecting signals; in other words, the transmission rather than the actual computer or network repository. However, attacks on US information networks have (as far as we know) overwhelmingly targeted the data banks themselves, through malware that creates its own clandestine communication channels. Granted that any security is better than no security, making the NSA responsible for ‘base security’ is therefore a bit like expecting your car alarm to foil a home break-in.