Unfortunately, the government has no cyber-defense strategy. While the cyber warriors of Fort Meade may take comfort in America's reputation as having the most potent arsenal of cyber weapons, they may be members of the national cyber-war team with the lowest overall capability. Indeed, America's ability to defend its vital systems from cyber attack ranks among the world's worst. Some countries, like China, have implemented plans allowing them to shut the limited number of portals that connect their cyberspace to the outside world. Other nations, like North Korea, have such limited cyberspace and cyber dependence that there is almost nothing to defend. America's connectivity to the rest of the world is unlimited and controlled by no plan or agency. If, as a result of a cyber-war attack, our power grids failed, trains stopped and the financial sector froze, the government's response today would make former-FEMA Director Michael Brown's performance after Katrina truly look like one "hell of a job."
While we do have Cyber Command, it has a defensive mission largely limited to protecting the Defense Department. Cyber Command says someone else needs to defend civilian entities, specifically, the Department of Homeland Security (DHS). Unfortunately, DHS has neither a plan nor the capability to defend private-sector infrastructure from a cyber attack. Thus, electric power, gas pipelines, rail and air transport, banking, food-distribution networks and other key systems are defenseless against nation-state cyber attacks.
This asymmetry, in which we are developing offensive capability but doing little to prevent a devastating cyber attack, began in the Bush administration. In the last year of his eight-year presidency, George W. Bush signed a national-security decision called PDD-54. That directive, still classified, ordered steps be taken to improve the security of the Department of Defense and other federal-government computer networks. Critics say it did almost nothing to address the weaknesses of the national infrastructure. President Obama launched a sixty-day review of cyber policy in March, but it resulted in no new major initiatives. He did announce the creation of a cybersecurity position within the staff of the National Security Council (NSC). But it has yet to be filled permanently. The new staffer will report not only to bosses in the NSC staff, but also to Director of the National Economic Council Lawrence Summers-who has vehemently criticized government cybersecurity efforts in the past as imposing costly burdens on U.S. companies, whose leaders supposedly know best what level and type of cybersecurity they need.
When pressed about America's lack of cyber defenses, several officials privately suggested that there was no nation today that would want to hurt us like that. If that philosophy were applied more broadly to the defense budget, the nation could save hundreds of billions annually-and be left entirely defenseless.
THE FACT that legislators and policy makers do not understand the strategy issues surrounding cyber war may stem from the lack of public discussion, absence of academic contribution, minimal media coverage and insistence on unnecessary government secrecy. A multidepartment effort this year to develop a cyber-war-deterrence strategy produced a paper that is still labeled "secret." The last time someone thought a secret could deter an opponent was when 1960s movie character Dr. Strangelove yelled at the Soviet ambassador that a deterrent weapon only works "if you tell us you have it." America was not sufficiently deterred in that movie scenario (an air-force general launched an attack which resulted in escalation into global destruction).
In the absence of a public cyber-war strategy, we do not know today whether an air-force general could launch an effective cyber war. We have not had the basic discussion of whether the United States is better-off with the advent of cyber-war capabilities, or whether it is we who will be deterred in the future by the threat of cyber attack on our vulnerable infrastructure.
Although President Obama may not yet know it, his freedom to maneuver in the world is likely already restricted by those vulnerabilities. Perhaps in a crisis, someone will tell him. Or maybe he will learn it by looking out the window at a darkened city after he has ordered a bombing raid on Iran, or sent a carrier battle group to protect Taiwan, or done something to irritate the Dear Leader of Pyongyang.
Maybe then he will ask policy questions such as: How does deterrence work in cyber war when our capabilities are secret and our weapons undemonstrated? Should we, because of our own vulnerabilities to cyber attack, initiate cyber-arms-limitation talks, instead of our current policy of opposing them? Can arms control work in cyberspace when verification is so difficult? Strategic defense was not possible in nuclear strategy, despite Ronald Reagan's best efforts, but does that also apply to cyber war? Can public discussion, international norms and established lines of communication result in some sort of risk-reduction process to address the issues of crisis instability that seem to be inherent in cyber war? Are the generals and admirals at Cyber Command more thoughtful than SAC's leaders were at the advent of the era of strategic nuclear war? We would like to think so, but in the absence of public-policy development, the American people cannot know the answer to that or to the many other questions that the possibility of cyber war raises. It is time for that public discussion.
Richard Clarke was special adviser to the president for cybersecurity in the George W. Bush administration. He is now chairman of Good Harbor Consulting. His book Cyber War, coauthored with Robert Knake, will be published by HarperCollins in the spring.Image: Pullquote: War as PlayStation: death by joystick, no risk of being shot down, no chance of capture.Essay Types: Essay