President Obama’s Friday appearance announcing the creation of a cyber-security coordinator was not the smoothest rollout of a presidential initiative. But if a broken clock can be right twice a day, a Democratic president can be right once in a while, and when thinking about the new cyber czar, conservatives ought to keep four points in mind:
(1) The threat is real. It is fair game for folks on the right to question some of the rhetoric Obama used in describing the need for this new position. But cyber-warfare is, generally speaking, more controllable than a biological weapon, doesn’t run afoul of as many established treaties as a chemical weapon, is nowhere near as expensive and visible as a nuclear weapon, and is much harder to attribute than conventional terrorism. It is another asymmetrical tool that allows weaker countries and groups to play on the same field as the big boys.
The good news is that a lot of what can be done through cyber-attack is often less lethal than the traditional terrorism of car bombs and hijacked planes. The bad news is that the lower body count and vaguer economic and psychological consequences make cyber-warfare a more tempting form of attack. A country that fires a missile at a U.S. military base has effectively declared war and can expect severe consequences; but a country that causes intermittent communications disruptions at that base is in a murkier area. Would the U.S. make a non-cyber response to a strictly cyber intrusion? Do you drop a bomb on a target if they’ve only broken into your computer?
Beyond that, cyber warfare represents a force multiplier for other traditional forms of attack. When Russia invaded Georgian territory in 2008, a cyber attack against the Georgian VoIP phone system initially prevented President Saakashvili from being able to conduct an interview with CNN’s Wolf Blitzer, and the Georgian Ministry of Foreign Affairs website was hacked to show an image of Adolf Hitler beside the image of Saakashvili. Multiple Georgian government websites were down or inaccessible for hours.
Recently, someone stole private patient and prescription data from Virginia’s Department of Health Professions’ computer system and is now demanding $10 million in ransom. The FBI is investigating, and the state has pledged that no ransom will be paid. If tech-savvy computer professionals can acquire such capabilities, imagine the damage that could be caused by a hostile group or nation.
(2) The position is needed. John McCain can chuckle that Obama has more czars than the Romanovs, and if citizens of a republic object to the title “czar,” fine. But there needs to be someone focused specifically on this issue who isn’t impeded by the traditional jurisdictional wrangling.
The varieties of attack mean that no current position in existing government agencies is perfectly situated to coordinate a response to cyber attacks. An attacker could go after any one of many vulnerable systems, but probably the “crown jewels” of our infrastructure are finance and banking, energy and power, telecommunications, and air-traffic control (ATC). If suddenly bank records are erased or trading-floor systems crash, responsibility for addressing the problem falls to the Treasury Department and perhaps the Securities and Exchange Commission. If the power is knocked out, the Department of Energy would have a central role in the response. The Department of Transportation would be dealing with any ATC disruptions. The Department of Homeland Security has a Computer Emergency Readiness Team. If the attack comes from domestic sources, the proper response comes from the Department of Justice and the FBI; it if comes from sources abroad, the CIA, the NSA, and perhaps the DIA would respond, with the State Department coordinating with the relevant foreign government. If military systems are targeted, it’s a Department of Defense issue. While the director of national intelligence, national security adviser, and chairman of the Joint Chiefs could probably all take roles in a crisis, none of them has the time or ability to focus entirely on the cyber element of potential threats. The problem is big enough to require one person in the White House Situation Room who knows the topic backwards and forwards.
(3) Current policymakers are not fluent in this world. President Obama may use a special Blackberry, but the world of cyber security is as new to him as it is to most of us. You could see this in his expression as he discussed the “whole new vocabulary” required “just to stay ahead of the cyber criminals who would do us harm — spyware and malware and spoofing and phishing and botnets,” and also in his gaffe (or Freudian slip?) that the CIA handled the response when “hackers gained access to [his campaign] e-mails and a range of campaign files, from policy position papers to travel plans.”
Lawmakers have tough jobs — they have to be on top of a lot of complicated and ever-changing topics, from good places to organize a photo op of Air Force One to the level of danger presented by international air travel during an outbreak of swine flu. But very few lawmakers attain their positions at the highest levels of the executive branch or Congress due to their familiarity with computer networks and cyber-security issues.
Picture being the official at the Pentagon, the CIA, the NSA, or some other agency with the responsibility of explaining the impact and method of a cyber-attack, as well as the response options, to a lawmaker who barely touches a computer. Hopefully our political leaders are smart enough to get up to speed on the topic, but the time to be familiar with it is now, before the crisis hits, instead of at an emergency meeting convened after cyber-attacks on water treatment plants, or the New York Stock Exchange, or the power grid, or because network television signals are being jammed and overwritten with propaganda. (That last scenario is not science fiction, by the way. In 1987, before there was the modern Internet, a “signal hijacker” was successful in interrupting two Chicago television stations within three hours. The perpetrator was never found or identified.)
(4) The cyber-security adviser doesn’t have to be a “big name.” One of the safest comments in response to Friday’s announcement was that the new cyber-security coordinator ought to be a figure with “national stature.”
Most Americans would find it difficult to name one cyber-security expert, much less the one who is at the top of the field, and that’s fine. They’ve never heard of the people who are most knowledgeable on these issues — and in a perfect world, they never would.
Whether or not the person knows their stuff and is well-regarded in the field is a much higher criterion than whether or not they’ve appeared regularly on Meet the Press. This figure would, however, hopefully be able to explain the threat, the preparation options, the tradeoffs, and the consequences, all in layman’s terms, to a public that isn’t computer-savvy.
More than five years ago, a writer in this space, assessing former White House security adviser Richard Clarke, wrote, “not all of the threats he warned about came to pass. Before 9/11, Clarke’s most prominent public statements were calls for greater cyber-security and warnings of ‘a digital Pearl Harbor.’” We haven’t quite had that digital Pearl Harbor, but the threat seems more real now. Perhaps in four years, we will have had no major cyber-attacks, and the new position will seem like a waste of time and money. But that’s a happier scenario than waking up one morning and finding that those who seek to harm Americans have scored a major victory without getting up from their keyboards.
– Jim Geraghty writes the Campaign Spot on NRO.