Here we go again! With the news that the People’s Republic of China has penetrated Microsoft before we have figured out what to do with Russia’s SolarWinds attack, we roil in more hysterical media coverage, more OMGs from “experts,” more ideas about what should be done.
To which I will earnestly add mine that centers not on legislation or regulation for the society but on what our federal government should do immediately to address this sorry state of our nation’s national security posture.
On the domestic front, the White House should establish not an internet “czar” but a coordinator. A White House coordinator. That individual should designate a single point of contact in every federal agency with the same fundamental responsibilities for privacy and security institutional policies, reporting processes, and technical practices across the board.
This comprehensive approach would address two fundamental problems with the current configuration for internet privacy and security in our federal government: the absence of a White House single point of contact for the president and an uneven and poorly connected defensive cybersecurity structure within the federal government.
A White House coordinator should be the person to whom the president looks immediately for information about attacks and steps forward to establish a comprehensive defensive posture across the federal government. A person/role in Homeland Security, which is the current fallback position, is insufficient. Authority for the “internet” is spread out among almost twenty different federal agencies. That fact alone is a prescription for very mess we are in defensively on matters of cybersecurity. Too many sous cooks who each think in their domain they are the boss and no master chef to set the rules, roles and responsibilities in the kitchen. The chronic absence of this basic structure explains why the United States repeatedly demonstrates such extraordinary ineptitude in keeping its own agencies safe. Burying this critical role in one agency, even if it is Homeland Security, misses the point. White House coordination is absolutely necessary to get the job done. That coordination is best achieved not by stitching together a patchwork quilt across the federal government but by creating the quality of structure and process that clearly for everyone to see raises the priority of this matter throughout our federal government and concretely addresses the very significant cybersecurity challenges that our government must face.
How am I so sure that this is the way to go? Because I and we did it, at Cornell, and then throughout higher education, 20 years ago to protect large, research-one universities. Is it perfect? No, because nothing in cybersecurity is perfect nor does any one state of being rest long enough to allocate vacuous awards. But the challenge is as serious of a national security threat as our country has faced since the Second World War. We will only begin to rectify the problem when we genuinely understand that reality and bring to its fix the same quality of purpose, direction, and energy that our country gave in that massive endeavor. Tested in smaller scales of large universities, this basic structure and process has proved to be good practice and the most practical of starts that can be exported to scale in our federal government.
On the international stage, the president must engage our diplomatic corps in the work of global internet governance. President Biden should delegate the heavy lifting to the State Department. The State Department should take the lead in crafting an approach that incorporates global stakeholders into responsible mechanisms that bring a rule of law to international challenges of cybersecurity specifically and global internet governance generally. That will mean dealing with the National Security Administration’s addiction to covert actions. It will very likely signal the termination of the NSA’s zero-day policy approach, one inefficiently and ineffectively mimicked by agencies throughout our federal government. Let’s also be clear that this approach was not thoughtfully taken by a presidential administration, or Congress, and discussed with the American people so that we could understand its implications or receive the benefit of expertise outside of the NSA itself. Our country has functionally adopted it without a vote and without democratic process. It is failing us miserably but because it is not really transparent, because it is not understood by most people in the United States, it is exceedingly difficult to get out of it.
The zero-day conundrum arises out of a cultural hubris. Hubris impedes recognition of the gravity of our challenges and the need to shift our current cyber orientation away from sotto voce offensive actions and towards an above-board defensive posture. So long as we continue to fashion ourselves as the biggest cowboys of the internet’s wild west we will be unable to act in the ways that will protect our country best or to reassert the quality of global leadership we once exercised on the international stage with an earned measure of pride.
Again, I take history as my guide. In the aftermath of the Second World War the United States not only led the Nuremberg Trials with dignity, but by that very process our country infused humanity back into a world so largely devoid of it under the Nazi regime. The Marshall Plan turned enemies into friends and lifted millions of people within our own county to a better place materially that also allowed for a flourishing of everything from an expansion of civil rights to a flourishing of art and culture among us. The notion that the U.S. is the unequivocal leader in internet war games was a fleeting, momentary glory of the past. Now the United States is the target. International diplomacy is the only card the United States has left to play with any strength. And it is the one to play that is in fact not a game but would be an expression of values that made us truly, and not foolishly or superficially, a great nation.
We can make these critical shifts both domestically and internationally. We must make them if we want to lead again with respect and not just incremental blips of power punches matched by the death of a thousand cuts. We owe it to the generations before us who fought with everything they had to give us the opportunities they would not want us now to squander but to regenerate for those who come after us.