What a pity that senior leaders in the American government and intelligence community have decided to play political football with the alleged Russian hacks of John Podesta’s and other Democrats’ emails. By using these intrusions to gin up fears about the “integrity” of the electoral process—which is already befouled by the focus on finding and spreading dirt on the opposition—the real story is being neglected. And what is that real story? It is that, despite more than two decades of consistent public warnings that have reached the highest levels of government, cybersecurity throughout much of the world is in a shameful state of unpreparedness.
Take the United States, for example. Since the mid-1990s, there have been approximately 200 cybersecurity bills brought before Congress. Only one has passed, quite recently at that, and it only calls for voluntary information-sharing about cyber incidents. Legislation aside, there have also been several government-sponsored commissions and top-level exercises focused on understanding and illuminating the cyber threat. Each of these has signaled that “the red light is flashing;” that is, American cybersecurity is in very poor shape. Indeed, former cyber czar Richard Clarke and Robert Knake, in their book, Cyber War, list the U.S. as having the poorest cyber defenses among the leading developed countries.
The situation around much of the rest of the world is not much better, as the cost inflicted upon societies—not to mention the wide social and political disruption caused by hack attacks—is staggering. In a speech at the American Enterprise Institute in 2012, General Keith Alexander, then head of the National Security Agency and the Cyber Command, reckoned annual global losses at more than $1 trillion. As he put it, this was the “largest [illicit] transfer of wealth in human history.” [Full disclosure: I have worked for General Alexander, and continue to do so for Cyber Command.] The situation has only become worse.
Whatever the American role in global leadership in other areas might be, when it comes to cybersecurity, Washington has been sadly lacking. Even now, in the wake of the alleged Russian hacks, leadership, right on up to the President, has decided to focus upon retaliatory action, rather than on beefing up security. My previous post here made the point that deterrence based on punitive threats and actions will simply not work, so I won’t repeat my lines of argument. But I will reiterate that the failure of the deterrence paradigm, when applied to cyberspace, means that the world must move decisively toward an emphasis on improving defenses. And it’s not rocket science; better use of strong encryption, moving data around in the Cloud, and increasing use of the Fog, all these can make the situation much better.
But the most important lesson to be learned from the hapless John Podesta is that you can’t wait for government policy to protect you. Cyberspace is not just the world at your fingertips; it is also a wilderness, and a dangerous one at that. Much as major commercial firms and governmental bodies must improve their own cybersecurity, individuals, too, must bear responsibility for their own security. The situation is somewhat like that described by the historian Frederick Jackson Turner, who thought of the U.S. as a society defined by its long “frontier experience.” Americans were always pushing on into the wilderness, and developed a great deal of self-reliance when it came to sustenance and security. So it may be now in the virtual wilderness of cyberspace.
The alternative, reliance on government, is likely to be fraught with political bickering, endless delays, and unsatisfactory results; in the world’s most democratic countries, at least. Authoritarians, on the other hand, have quickly adopted strong cybersecurity policies. As Clarke and Knake see such matters, they list North Korea as having the best cyber defenses in the world, with China and Russia not far behind.
Perhaps, then, the true lesson of the election hack kerfuffle is not to keep making hard-to-prove charges against President Putin, but to look more closely at how he, and others of his ilk, have crafted their countries’ cyber defenses.
John Arquilla is professor of defense analysis at the U.S. Naval Postgraduate School. The views expressed are his alone.