Calling for a national-level doctrine for the cyber era

Several government actions on cybersecurity have dominated the headlines in recent months, from President Obama's October directive on preemptive strikes to the November announcement by the senate majority leader that cyber legislation was dead in the current Congress. The White House has been struggling to get interagency concurrence on a new executive order aimed at improving our response to our nation’s critical infrastructure vulnerabilities. Defense Secretary Leon Panetta recently said that the Pentagon is close to issuing its most comprehensive modification to offensive rules of cyber engagement in seven years, which is sorely needed. Yet we remain far from prepared for tomorrow’s looming cyber challenges. The modern cyber era demands a national-level doctrine that can be adopted by government agencies, armed forces, private sector organizations and individual citizens alike to establish a collective sense of purpose for our cybersecurity.

The lack of a national-level doctrine has created an environment where we are entirely reactive in our cyber posture. Panetta has referred to the potential fallout of a large-scale attack on our critical infrastructure as “equivalent to Pearl Harbor,” and the comparison is no coincidence. During the early stages of World War II, the United States maintained a largely secondary role in the European conflict – it wasn’t until the attack on Pearl Harbor devastated us on our home soil that we took a leadership role in the war effort and defeated the enemies abroad. We haven’t yet experienced the destruction of a national-level cyber attack and we have seemed content to remain in a pre-Pearl Harbor mindset with regard to cyber war as well. The assumption seems to be that there is still more time, but the truth is we are running out a ticking clock. We can’t afford to wait for such an event before putting a framework in place. Only with a doctrine can we begin to act with deliberate foresight, rather than in reactionary response, to our national defense challenges.

Revising the military’s cyber rules of engagement is important, as is the continued investment in cyber technologies within the Defense Department space. There are many areas where the DOD is leading the way in our cybersecurity posture – but this simply is not enough. America is more reliant on the Internet today than nearly any other nation. As cyber networks rapidly transition from a mere utility to the undercurrent of our entire societal infrastructure, this reliance becomes a vulnerability. Consider the disaster wrought when Sandy knocked out power to the most densely populated cities and suburbs in the country: compromised medical care, limited gas and heating oil, no access to cash and banking services, the inability to use food stamps, and the absence of other critical services. Now imagine that a cyber assault froze any of one these technology-driven services, or all of them. Imagine if the energy grid that powers them went down too. It’s not just inconvenient; it’s extremely dangerous.

National security efforts during the Cold War were shaped by the Doctrine of Containment, a guiding policy that aligned the military, private sector and the individual while establishing a framework for identifying and responding to the spread of Communism and nuclear weapons. But the world in which those guidelines were written is wholly different than the one in which we live today. Today’s battlefield transcends physical borders and boundaries. The power of a nation-state is not required to inflict widespread damage to critical infrastructure systems; a single malicious actor can wreak havoc. The starkest difference, however, is that today both the private sector and individual citizens have unprecedented access to a myriad of infrastructure systems that can provide entry into sensitive systems – yet they are largely unaware of, and unaccountable for, their responsibilities in defending them.

This is where defense actions—even with sweeping changes—fall short, and rightly so. Yes, our military and intelligence agencies must develop guidelines for offensive and defensive cyber maneuvers. Yes, they need consensus and direction on serious issues like attribution, equivalency and proportionality. But the vast majority of our critical infrastructure systems, such as transportation systems and chemical, electricity and water plants, are maintained on private networks. Private networks also house billions of dollars in intellectual property, monetary funds and national security secrets. These are among the networks being explicitly targeted and penetrated, and it’s costing us dearly. But are these the systems that we want the DOD to protect, and under what conditions? Should someone attack these systems, is it the DOD's role to retaliate? Reporting suggests some of these issues may be addressed in Presidential Directive 20, which is classified.  So, the uncertainty surrounding Defense’s overall missions and responsibilities remains, as does the question of whether or not we are injecting, knowingly or inadvertently, mission creep.

This is where the nuclear doctrine provides an incredibly useful model for the cyber era. As our nation did during the 1950s, we must bring executive leaders, policymakers and academia together with the scientists and practitioners that intimately understand cyber technology to collaborate and begin a debate about the complex issues at play. We should invest in a national cyber research agenda that complements this debate to test new technologies and explore our path forward. We must consider not only the military impact of the new cyber world, but also what role cyber defense will hold in shaping the future of our country’s economy, education, foreign affairs policies and critical infrastructure initiatives. Only then can our government, industry, and private citizens align under common goals to shape a safe and prosperous future.

Timothy Sample is vice president and sector manager for special programs at Battelle Memorial Institute. He is co-editor of the new book #CyberDoc – No Borders, No Boundaries: National Doctrine for the Cyber Era.