In his recently released Presidential Policy Directive No. 41 (PPD-41) on cyber incident response, Barack Obama makes two big points that resonate:
- "Networked technology" feeds prosperity and national power, but increases vulnerability; and
- Security strategy "relies on and furthers the implementation of existing policies."
The first point highlights the fundamental difference between the industrial and information eras. While profit and power went happily and securely hand-in-hand with increased production in that earlier time, today’s advances can all be held hostage to threats of cyber disruption.
The second point, equally troubling, is that strategies for dealing with the double-edged nature of networking technologies have become quite path-dependent — i.e., quite stagnant — with far too much fidelity to initial choices made years ago.
Both of these points are chilling, particularly in light of the rise in major cyber incidents worldwide in recent years. From the economic realm, where exploits from Sony to Shamoon have demonstrated how heavy costs can be imposed by cyber attack, to quasi-military preventive cyber strikes, like use of the Stuxnet worm, it is clear that we live in a time when real effects in the physical world can be achieved by actions in the virtual domain. When one adds the political/propaganda uses of cyber attack, ranging from the Snowden disclosures to the recent hack into and outing of the Democratic Party’s embarrassing and disrespectful communications about Senator Sanders, it grows ever clearer that just about all cyberspace-based activities can be turned to dark purposes.
Which should make the last paragraph of PPD-41 — where President Obama makes his second point about doing nothing new — even more vexing. How can one of the world’s leading heads of state act in such a complacent manner, given that the policies that have been in place have done so little to deal with the threats emanating from cyberspace? It is important here to note that Obama’s decision to continue existing cyber policies—which focus for the most part simply on encouraging better interagency information sharing — is similar to national-level policies of many, if not most, other governments around the world. This is one key area where American global leadership should not be followed.
Indeed, this document’s almost complete absence of a wider perspective on the problem is damning. There is but one brief mention in this long directive that speaks about the need "to coordinate with international partners, as appropriate." The point being that cybersecurity is integral in nature in a very connected world; the insecurity of some contributes to the vulnerability of all. The impediment to internationally networked cybersecurity efforts, however, is the general unwillingness of nations to share sensitive information about incidents and their responses to them. It is a truly daunting challenge to foster the kind of trust required to act globally against this transnational threat — but there are examples of such levels of cooperation on issues like global warming and counter-terrorism. So PPD-41 should have taken the matter of how to build a globally networked response head-on.
Obama’s insistence on "relying upon and further implementing existing policies" — which are largely tied to incident response procedures — can also be critiqued for its apparent unwillingness to encourage innovative approaches to improving cyber security. This should include ideas that focus on prevention more than incident response. For example, a leader might use his/her bully pulpit to foster the more ubiquitous use of very strong encryption. In the U.S., a brave presidential statement along these lines might help silence criticism from law enforcement and intelligence agencies, both of whose habits of mind and institutional interests lead them to oppose the very idea of giving corporations and individuals the means to make themselves virtually hack-proof. Then there is the Cloud to be considered, which offers the opportunity to encrypt data, break it into parts, then place the pieces in different parts of the Cloud. This is far superior to storing data in one place on one’s own system. Indeed, as I like to say, "Data at rest are data at risk."
No doubt there are several other security concepts that can help work to drive down the number of hostile cyber incidents. Government brain trusts — American and other — should be actively data mining academic institutions and commercial enterprises for creative ideas that will give cybersecurity practices the chance to leap ahead of the malefactors out there. Hackers have held the initiative for far too long and PPD-41, by focusing on incident response, continues cede the initiative to them. Now is the time to seize the initiative from them. But doing so requires a willingness to introduce fresh paradigms — not just to "rely upon and further implement existing policies."