Obama Adviser on Cybersecurity: Limit Cyber Capabilities, Regulate Sometimes
Posted at 3:42 p.m. on July 21, 2014
By the reckoning of a new report by the left-leaning Center for New American Security, we screwed it up from the start when designing the architecture of digital computing — security just wasn’t drawn into those original blueprints. Now we have to live with it. The report, helmed by Richard Danzig, a former Navy secretary who currently serves as a member of the Defense Policy Board and The President’s Intelligence Advisory Board, makes recommendations on how.
Among the recommendations is adopting the following national security standard for cyberspace: “The United States cannot allow the insecurity of our cyber systems to reach a point where weaknesses in those systems would likely render the United States unwilling to make a decision or unable to act on a decision fundamental to our national security.”
The report continues: “The suggested standard implies, for example, that if we thought an opponent could use cyber tools to render the U.S. nuclear arsenal impotent, or to turn the country’s missiles back upon the United States, then we would be unable to act to protect our interests. In this case, we would judge ourselves to be intolerably insecure in cyberspace.”
That could mean “stripping the ‘nice to have’ away from the essential, limiting cyber capabilities in order to minimize cyber vulnerabilities… We can protect ourselves by forcing attackers to cope with system attributes that are outside the reach of computer code,” among other approaches.
Other recommendations in the report include identifying the privately owned computer networks — such as those that govern the electricity grid — that might need to fit the recommended national security standard for cyberspace, and adopting a mix of regulations, incentives, standards and attack data to protect them; accepting the risks to less critical systems; avoiding reliance on regulations where possible; and conducting socioeconomic research into the nature of cyber attackers.
(Efforts to regulate cybersecurity in the private sector have proven a thorny subject in Congress and with businesses, but the U.S. Chamber of Commerce has endorsed the latest cybersecurity bill to provide some incentives to industry, per Anne Kim at CQ Roll Call’s Technocrat.)
One swath of recommendations includes working with foreign governments, including one, Russia, with which the United States is at a particularly tense juncture.
Initiate efforts to buttress a fragile norm that appears to exist between Russia, China and the United States: Apparently, we have not used cyber as a means of physical attack against one another. Articulate a norm of renouncing cyber attacks on civilian infrastructure and discuss this goal with China and Russia even if other kinds of cyber conflict with these countries continue or intensify…
…if these three specially strong cyber powers can identify unacceptable behavior against one another, it may dampen third-party engagement in this behavior by making misattribution less likely and by prompting a broader norm against this misconduct.
The report is called “Surviving on a Diet of Poisoned Fruit: Reducing the National Security Risks of America’s Cyber Dependencies.”