|
Wednesday, July 22, 2009; Posted: 10:46 AM - by David Ronfeldt
 The last time I tried to be current on cyber security was in 2003-2004, while preparing an epilogue to update an article for publication in Japan. By then, in writings with John Arquilla about cyberwar and netwar that began in 1992, we had elaborated on our basic maxims that: "Institutions can be defeated by networks. It may take networks to counter networks. The future may belong to whoever masters the network form." (1993, p. 40) And these maxims seemed as applicable to cyber security as to other matters that concerned us back then.
In particular -- and I will stick to the following three themes throughout this post -- we had urged that the U.S. government needed coordinators more than czars (see Appendix A below). We had recommended hybrids of hierarchies and networks to improve interagency coordination (see Appendix B). And in 2003 I optimistically thought that the networks taking shape for cyber defense would continue engaging a range of skilled specialists outside the government, exemplifying public-private partnership (see Appendix C):
"In sum, the United States is evolving a rich, diverse, internetted organizational ecology. Government offices and agencies keep growing, but for-profit and non-profit firms and civic-minded NGOs keep growing as well, even faster -- and all are engaged in formal and informal efforts to build webs of cooperation. And that organizational evolution, as much as technical expertise, may prove the best defense against attacks on computer systems, and the best promise for assuring freedom and privacy along with security." Thus the actors involved appeared to be well on their way to coming up with multi-tiered, nimble, resilient, adaptive, robust mechanisms for dealing with attacks. A kind of collaborative community seemed to be growing for cyber security.
* * * * *
Today it's not clear that cyber defense has advanced well in this direction. It's not my area of expertise; and despite some new reading and chatting, I remain barely updated. But I've learned enough to become pessimistically perplexed. Organizational dynamics -- formal and informal, governmental and beyond -- appear to be more bollixed up than ever.
First, all parties seem to understand that Washington needs a coordinator more than a czar. Yet, we continue to seek czars and czarist solutions. Many officials and analysts -- especially the media -- can't stop using the term, reinforcing the tendency. "Where is our cyber-czar?" wails a recent Washington Post editorial! When pressed, all actors may admit that what's needed is a chief coordinator, not a czar. But a longing for hierarchy and centralization -- and hence the czarist lingo -- keeps reasserting itself. It's understandable, but not a good sign.
Second, all parties agree that better interagency cooperation is essential. And efforts to achieve that are repeatedly made, or at least talked up. But turf battles, agency mismatches, classification and other information-control issues, and communications-technology incompatibilities keep getting in the way. And of course, it's difficult to make progress when it remains uncertain where the key coordinator may be located.
Third, all parties agree that greater public-private cooperation is essential. And mechanisms like US-CERT and the CERT Coordination Center, as well as the SANS Institute's Internet Storm Center (ISC), help meet this challenge, perhaps better than I realize. But "public-private" appears to refer mainly to "industry," to large businesses more than small ones who could be helpful in an emergency response, and to subcontracting more than networking. It's not clear that collaborative networks are still being developed that include an array of specialists from all sectors.
A result of these dysfunctional twists and turns has been to locate the key cyber-security center -- lately, the National Cybersecurity Center (NCSC) --in a suboptimal place, first DHS and next (almost) the NSA. If constructing a broad-based collaborative community is desirable for cyber defense, moving the key center from DHS to NSA is inadvisable -- as former NCSC Director Rod Beckstrom's resignation letter indicated in March.
As befits a change of administrations, a new round of initiatives is underway to rectify these matters. They call for creating a new key office -- led by a Cybersecurity Coordinator -- in the White House, along with new mechanisms for interagency and public-private cooperation. This latest round gained impetus from a CSIS commission report last December, and a draft bill proposed by Senators Rockefeller and Snowe this April. It progressed with the release of a "Cyberspace Policy Review" by the White House, along with remarks by President Obama, in May. Then, in June, the Defense Department created a new command for cyberspace -- Cybercom -- inside Strategic Command. Next up, later this month, should be a revised bill from Senators Rockefeller and Snowe that takes interim comments and criticisms into account. Thus, a lot of striking organizational changes are underway, with more to come.
* * * * *
Meanwhile, a curious new trend in strategic thinking is growing, parallel to these developments: a claim that cyberspace is as much a part of the global commons as air, sea, and outer space. This means that cyberspace is a kind of collective good, even a global public good. It also means that access to, if not command of, this new commons is essential for America's power in the world, and that cyberspace must be defended against state and nonstate threateners. According to its early proponents, Michèle Flournoy and Shawn Brimley (2008, p. 136), "America must take a leadership role to ensure that access to the global commons remains a public good." They have recently expanded on this theme as Pentagon officials.
Declaring a domain to be strategic commons eases the way for asserting public over private interests. And that may have all sorts of implications. It might help with efforts to foster a "multi-partner world," as Secretary Clinton urges. But it might also lead to a "cyber Monroe doctrine" or help justify unleashing an "af.mil botnet" (insensibly?) under other circumstances. Whatever the circumstances abroad, declaring cyberspace a strategic commons would surely bolster the organizational clout of cybersecurity officials within the U.S. government and over the private sector.
If/as this notion gains sway, it will surely generate controversy. Adam Elkus sees some Mahanesque qualities, but also that the "fluid and dispersed nature of cyberspace makes it impossible for one power to dominate." Tim Stevens urges that cyberspace is too social to be viewed as a military commons : "cyberspace is not simply a strategic ';domain' like the sea or the air." More to the point, a social movement is taking shape that views the information commons as a new realm for peer-to-peer social development; and it is sure to raise objections to a strategic military concept of this commons.
* * * * *
While my main concern is organizational, I don't mean to disregard the many interesting technical fixes that experts recommend: The GAO has long pointed in this direction, as did an earlier commission on critical infrastructure protection. Moreover, Bruce Schneier has often pointed out that attending to "the boring network security administration stuff we already know how to do" would vastly improve our defenses. Sam Liles has offered his own list of what-to-dos for securing the Internet; he even proposes installing a system of "sentinel and centurion nodes around the world." Ethan Zuckerman has suggested that ISPs exclude compromised computers that the ISPs known to be on their network. And elsewhere, Dorene Kewley, John Lowry, and others with the DARPA Information Assurance Program have raised innovative ideas for "dynamic network defense" and "defense in breadth" for protecting computer systems.
Other ideas I've encountered are more in keeping with my organizational concerns. For example, John Robb says that "the US should be building a ';Network Command' and not a Cyber Command." Evgeny Morozov warns, "The problem with the current approach to cybersecurity is that by miring it in unnecessary secrecy, we are shrinking, rather than growing, the number of eyeballs that can find and fix those bugs." Peter Hodge, criticizing a recent U.K document on cyber strategy for being too top-down, suggests organizing "networks of small and ad hoc groups of experts, loosely tethered to government but operating autonomously within a general framework, which come together for particular aims and dissolve or reconstitute once the aims have been achieved." And Michael Tanji insists, "We don't need a czar, we need someone with a lot of betweenness and closeness (in social networking terms) to make sure that people who need to are talking, sharing, and collaborating as they best see fit." Indeed, new approaches, like "social software" for "collective intelligence," are under construction that could help organize such collaborative attention.
I like all these ideas. There is no dearth of ideas worth heeding. [UPDATE: And today (July 21) I see that Gene Spafford has a lot of interesting posts where he blogs on cybersecurity, including on legislative matters.]
* * * * *
These efforts to update my sense of cyber security have not led me to come up with new proposals of my own. But they have reassured me about the enduring value of this post's starting points: We need a central coordinator, not a czar -- and the sooner we drop czarist lingo, the better. We need new, better mechanisms for interagency and intergovernmental coordination -- and at least there is ferment in this direction. Third, of most concern to me, we may need to rethink public-private collaboration, so that it grows as a kind of far-reaching collaborative community.
I say "may" because, so far, I've not been able to gain a good understanding of what is the current nature and status of public-private cooperation in this area. If it mostly amounts to government, plus selected industry, and not much else, I'd suppose there are grounds for concern about our being able to defend against a sophisticated cyber attack. The kinds of threats I have in mind -- I've not spelled them out in this post, for others have contributed plenty of scenarios -- would surely require lots of "eyeballs" to dissect, etc. And coming up with a good response might also require a bit of serendipity. Indeed, responding to a sophisticated cyber attack may require something of a stochastic process. And the likelihood of that being successful should increase by making sure we have a broad-based collaborative community in place that reaches into all sorts of sectors, ready to be mobilized. Surely this is not a novel notion (see Appendix C for past examples).
These challenges are not unique to cyber security. Washington has steadily acquired -- and evidently required -- more "czars" than ever. Each is a function of some bureaucratic dysfunction, in one complex issue area after another. Similar concerns about interagency, intergovernmental, and public-private collaboration afflict them all. However, one notion may make cyber security unique in comparison to these other issue areas: the notion that cyberspace is a strategic commons. That line of thinking may bear a lot of watching and maneuvering, for it could have negative as well as positive consequences.
In sum, cyber defense is important on its own merits -- right now. But it's also interesting as a long-term challenge because it may well be one of the pivotal proving-grounds for America's evolution to developing a cybercratic nexus state that will rule through "government by network" as well as by tribe, hierarchy, and market. Hopefully, this next stage in the nature of the state will be characterized by "guarded openness" and "collaborative community" -- but that's likely only if we get cyber security right.
Onward.
|
Author Bio:
 David Ronfeldt is a retired theorist and strategist who now uses his blog at twotheories.blogspot.com to advance his ideas. He is best know for co-authored writings with John Arquilla on cyberwar, netwar, swarming, and noopolitik.
|
Past Articles by This Author:
|
Feed
Feedback
Author Bio
Printer-Friendly
E-Mail Article
