I have had the pleasure of working with the U.S. military on and off for almost thirty years. They are a disciplined group, though sometime slow bureaucratically. And they are built to take action – when sometimes it is simply best to let things alone. Still, the U.S. military’s ability to think is second to none. They review their actions and account for their mistakes and attempt to correct them. They also have a strong belief in doctrine to guide them.
So what’s a doctrine? I always liked the short and sweet NATO definition of doctrine – “Fundamental principles by which the military forces guide their actions in support of objectives. It is authoritative but requires judgment in application.” In other words, figure out what you are going to do, what you are not going to do, and use your judgment about both. America does not have a doctrine for cyberspace, and it shows.
The last several months in D.C. have witnessed a series of Executive Orders, proposed legislation, bureaucratic action and public bickering over how to “defend” cyberspace. Sadly, the philosophy seems to be one of “I will defend my space totally.” Oh, and you guys (the not me’s of the world), you need to take care of yourselves and do it fast.
The military is going to take care of the military proposing both defensive and publicly for the time first time, offensive actions also. It is holding the potential offensive actions tight and rightly so.
The other parts of the Federal government seem to be trying to “harden” themselves from attack separately. And the private sector, where 90 percent of cyberspace is located, is being told by Washington to get “frosty” and up their security. Some unspecified help will be provided and if they foul up, reports must be filed with the SEC. I assume nasty memos to follow. The private sector reaction so far is “mind your own business.”
This dividing up of provinces of responsibility in cyberspace is interesting. It is a lovely 20th century way of dealing with a 21st century problem. Setting boundaries in the boundless frontier. Those seeking to harm cyberspace must be laughing up their collective sleeves or Guy Fawkes masks.
The cyberspace doctrine of the United States must be a unified one using judgment based on joint public and private sector interests. The one thing government should do well is provide social goods – like the military. These are goods that no one else in the private sector has the slightest interest to provide. A comprehensive cyber doctrine from Washington is the 21st century equivalent of the 20th century concept of civil defense. Only Washington can provide the framework and incentives to make it work.
First principle – Our security stinks and must be improved/hardened. The Internet was designed as a place of sharing – scientists and computer geeks firing e-mails back and forth to each other. No one expected it to carry vast levels of secret or proprietary information, and we certainly did not anticipate the growing level of commerce on it.
We have done security on the cheap. It is an expensive item that cannot show a rate of return in the private sector nor tangible results in the public sector – until something goes horribly wrong. It is up to Washington to set security standards for the public and private sector. We need to harden the net and few are going to volunteer to do so.
Second principle – We must be willing to share threat information between the public and private sector. Everyone is playing hide the ball on this one. The public sector is fearful of violating legal standards of sharing information to one company versus another. They are also afraid of spilling secrets to untrustworthy members of the private sector. The private sector is worried exposing losses to stockholders will damage their reputations and opens them to legal actions.
As Mom would say, we need to get over it. These laws we put in on public-private sharing were not executed on Mount Sinai. They can be changed to fit the needs of the 21st century. And the private sector can be protected under law to provide them safe ways to share these intrusions and losses without bankrupting their firms.
Third principle – We must begin to synch up police action and military action against violators of the “cyber peace.” There is no separation in cyberspace, and these important elements of our protection must be able to talk to each other. Granted, we need transparency in their relationship, but, the American political discomfort over local and national cooperation has to cease. The stakes are getting too high.
And the Fourth principle – As for when to take action, that will always be a judgment call, but we cannot and should not try to protect everything. And we cannot attack everyone who violates our cyberspace. If the “broken window” is the standard to police and military action, we are going to spend a lot of time and money chasing everyone from the Chinese Army through a group of fun-loving miscreants in Bangalore or Boston.
The sooner we adopt these principles across the board, the better off we will be. This allows for a concentration of resources – manpower, money and time. We need this doctrine to live in the borderless 21st century. Without it, America will keep fumbling under attack in the dark.