With increasing reports of cyber attacks on US banks, oil facilities, power plants, and even military systems, it comes as good news that the Obama administration is crafting policy on cybersecurity. In Tuesday's State of the Union address, the President said that "America must … face the rapidly growing threat from cyber attacks," and urged Congress to pass legislation that would help it do so.
What is not encouraging, however, is that the policy debate is taking place behind closed doors. As in the early days of nuclear weapons, the phenomenal new technology of 1945, a veil of secrecy is being drawn that prevents the public from participating in the formulation of fundamental national security policy. But like a nuclear attack, successful cyber attacks on US electrical grids, water suppliers, air traffic systems, and nuclear weapons command centers will cause massive destruction that affects all of us, military and civilian alike. So we shouldn't wait until an attack is upon us to get involved. As citizens in a democracy, we have a right to be informed about the government's plans and to participate in creating the principles and framework designed to protect us.
Who's in charge?
One of the first issues we need to consider is who should respond to what. The digital age is blurring the line between civilian and military operations. For example, a cyber attack on an electrical grid that disrupts the power source for an entire region of the United States would result in untold damage to industry and commerce and even to human life. In deciding who responds, should such an attack be considered a matter of national security or more like a natural disaster? The answer could well depend on the source of the attack. Current US policy states that such an attack by another government or its agents would be considered an act of war, in which case the United States could use military force, as well as cyber operations, to counterattack. If, on the other hand, a nongovernmental group or individual conducted a cyber attack on critical infrastructure, the hostile act could be treated as a criminal matter to be investigated and punished by civilian law enforcement agencies.
Whoever the attacker, however, it is abundantly clear that cooperation between privately held utilities, transportation, and power companies, on the one hand, and public authorities -- including intelligence, military, and law enforcement agencies -- on the other, is essential for robust protection from cyber attacks. Effective cooperation, in turn, requires clear definition of responsibility and assignment of liability -- whether to private companies or public authorities -- to provide positive incentives for protecting critical infrastructure. As yet, there is no consensus about how these responsibilities should be assigned and to whom, and thus the United States remains highly vulnerable to cyber attack.
As the administration develops measures to defend against cyber attacks, industry and civic groups, as well as independent experts, should participate to ensure that responsibility for prevention and defense is clearly assigned, and that civilians are adequately protected.
Offense as well as defense.
As the US and Israeli Stuxnet attack on Iran's nuclear enrichment complex showed, the United States is developing cyber weapons for use in attacks against infrastructure in other countries. These weapons can, for instance, attack adversaries' systems by injecting them with destructive code; Stuxnet sped up the spinning centrifuges used for uranium enrichment, leading to centrifuge malfunction and a slowing of Iran's nuclear program. While some may argue that such military uses of cyber technology produce less risk of destruction to civilian populations than traditional physical attacks, the consequences of conducting cyber war require much deeper deliberation and broader participation than has taken place so far.
For example, it would be useful to have public hearings and discussion of ways US cyber war strategy could compromise international security. Studies conducted by the US National Academies of Science in 2009 observe that the best defense against cyber attacks is often the elimination of the attacker. In a parallel to nuclear weapons strategy, then, the best deterrent to cyber attack is the demonstrated capacity to destroy the would-be attacker's cyber operations first. If this is true, then the appeal of preemptive attack is fairly obvious, but such an attack might lead to cascading and perhaps unintended harmful effects. We could end up, for example, in a cyber arms race in which attacks escalate to overcome counterattacks, ending in the possibility that nearly all cybercommunications are destroyed.
As US national security officials begin to articulate the strategic options for the use of cyber weapons, the public needs to be engaged in these policy developments. The damaging consequences of cyber warfare will go well beyond military installations and assets, and the public has a right to know how cyber attacks and counterattacks might affect the financial, power, and transportation systems that they depend on every day. It makes no sense to leave them in the dark when cybersecurity logically requires participation by everyone who uses the Internet. For example, banks today do not disclose attacks as they are occurring, fearing that customers will flee in panic, but this failure to disclose can put the unaware customers at higher risk. If citizens were included in protection strategies at the outset, they could help identify unusual activity, report it to officials, and become part of a sophisticated cyber defense system, all while avoiding panic.
Finally, it would be a mistake to allow any one country's government authorities, especially military and intelligence agencies, to come to dominate cyberspace. The advantages of a distributed, decentralized cyber network for democracy and markets have been well-demonstrated, and indeed were recognized in the Obama administration's earlier cyberspace policy review of September 2011. The encroachment of government surveillance and military action could very well do more damage to open societies than even a cyber attack. Even as new instruments for protecting cyber infrastructure from malevolent acts are put into place, the US administration, as well as the international community, should ensure that cyberspace remains widely available for open communications, political speech, civic discourse, and legitimate financial transactions without fear of secret government surveillance or control.
It can be difficult to arrive at a consensus about trade-offs between security and human rights. That's why deliberations about cyber policy should be conducted in open international forums with representation from civil rights organizations and independent experts, as well as from private commercial interests and public authorities. The major purpose of such forums should be to develop common understandings for governing actions in cyberspace, while protecting political, social, and economic expression, as well as life and property.
It was often said in the early days of the nuclear age that nuclear weapons policy was too important to be left to the generals. The same could be said today about cyber policy -- this new technology is far too entwined with our daily lives to leave policy decisions to the military and the experts. When it comes to cyberspace, national security is human security, and policymaking belongs to all of us.