Actions speak louder than words; and with regards to cybersecurity, the U.S. government has started to make good on its commitments put forth by President Obama in his State of the Union (SOTU) address earlier this year. Within four months, the White House has already pursued a variety of initiatives. In February, Mr. Obama invited tech companies from across Silicon Valley for a Cybersecurity Summit at Stanford University to promote stronger private-public sector cooperation. A Cyber Threat Intelligence Integration Center (CTIIC) was established weeks later, and in April, the President signed an executive order authorizing financial sanctions against overseas hackers and organizations that threaten U.S. national security.
“In terms of whether policymakers are more concerned than before, the answer is clearly yes,” says Edward Wittenstein, executive director of Yale University’s Johnson Center for the Study of American Diplomacy. This newfound awareness, Wittenstein furthers, has brought about demands for “a greater comprehensive approach to cybersecurity issues than there was previously.” Here, a phrase that describes the Obama administration’s particular approach is one from the White House’s 2015 National Security Strategy report: “all elements of national strength.” In other words, achieving U.S. policy goals requires a combination of legal, diplomatic, and strategic tools.
The wake-up call for Washington? Last year’s cyber-attacks on Sony Pictures Entertainment. Besides poor public-private sector communication, as demonstrated by frictions between Sony and the FBI over investigations, the incident raised a number of other questions for policymakers. According to Wittenstein, a U.S. level response, or “playbook,” was possibly developed based on the following considerations: whether the attacks undermined American values or the country’s system of governance, the possible involvement of state-sponsored elements versus an act of cyber-crime, and the extent to which the US government should act on behalf of private companies. And after evaluating these issues, the Obama administration’s response was nothing short of assertive; additional economic sanctions were levied against North Korea, despite Sony’s role as multinational corporation that does not manage U.S. critical infrastructure.
A major focal point for the recent cyber-legislation is clearer information-sharing and data breach reporting standards between corporations and government. Yet these initiatives require a “trust that [currently] doesn’t exist,” stated Sharone Tobias, a cyber intelligence associate at cloud-based security firm Bat Blue Networks. “Most tech companies believe that NSA activities have severely hurt their profitability, especially abroad,” Tobias continued. Indeed, such frictions were displayed earlier this year when executives at Facebook, Google, and Yahoo all declined invitations to attend the White House’s Cybersecurity Summit. Other private sector concerns to note are potential legal liabilities. While information-sharing still remains voluntary, companies may consider publicly acknowledging data breaches to have significant compliance and reputational costs.
Legal enforcement stands as another problem area in the Obama administration’s cybersecurity policy. According to David Thaw, Yale Law School Information Society Project fellow and University of Pittsburgh professor of Law and Information Sciences, cyber-crime penalties “[do not] serve the deterrent effect we want it to.” In fact, the results can even be counterproductive, Thaw added; U.S. criminal law still remains “dangerously vague” and has “generated so much animosity amongst various communities where one might ordinarily seek support.” An example of such a group? Hackers who tread the line between purely altruistic and purely malicious intentions—otherwise known as grey hats. Likening these individuals to confidential informants in traditional policing, Thaw explained that when ambiguities allow for these individuals to be prosecuted as criminals, “[we] lose out on the opportunity of community enforcement.” After all, hackers themselves are arguably in the best technical positions to improve information security. This demands new government approaches to multi-stakeholderism. “The electronic underground…is so sufficiently distributed, difficult, and decentralized, that in the absence of allies, it’s like tackling mist,” concluded Thaw.
In his SOTU, President Obama may have also been too quick to make comparisons between combating cyber-attacks and terrorism. Whereas the US has adopted a primarily preventative approach to terrorism—such as criminalizing and investigating “upstream activities” prior to attacks—this legal framework still needs to be created for cybersecurity. As Wittenstein elaborated, even recent measures to prosecute the sale of botnets, “still criminalize[s] conducts that have already affected different types of machines.” To this extent, U.S. policies are still reactive; and when overseas hackers are already anonymous and difficult to reach, this makes deterrence difficult. Financial sanctions may thus seem like a stronger security tool, but even these still rely on proper detection and attribution. North Korea—as an international pariah—was easy to indict, but future cases may be more complex.
So despite Washington’s newfound political will, challenges remain. But it’s important to recognize the silver lining here: cybersecurity reform matters, and progress is happening. Cybersecurity is no longer a nebulous, all-encompassing military or intelligence term. Instead, an “all elements of national strength” approach has begun to address each technical aspect of the field. The President’s initiatives do have their flaws, but this legislation is better than no legislation. After all, sound policy can’t be crafted overnight, and it will be the Obama administration’ determination that drives political momentum on cyber-related issues. For example, while a newly approved House bill on information-sharing may not be a direct response to the President’s call to Congress to pass comprehensive cybersecurity legislation, the bill’s passing after five years of setbacks does suggest a brighter outlook for bipartisanship.
These developments also comes at an important point internationally as well; the European Union is set to finalize its own information sharing and data breach reporting measures this year, and eyes will be on the U.S. Here, the sharing of best practices does have its place in international discussions; for while binding agreements on cyber-warfare capabilities may be far off, developing technical standards is a good start for norm-building.
In this sense, President Obama has an immense stake in building a cybersecurity legacy over his remaining time in office—for both the present and the future. Indeed, domestic legislation may be just one part of the puzzle, but it sets precedents for other frontiers. It We’ll need the necessary building blocks before we can begin to set any comprehensive U.S. cybersecurity architecture. “Obama or any of 2016 candidates [can no longer] ignore cyber and Internet issues,” remarked Tobias. “We’ve already seen net neutrality and the Internet Corporation for Assigned Names and Numbers [to] Internet Assigned Numbers Authority transition become highly politicized, and cybersecurity will as well.”
Erwin Li ’16 is a Global Affairs major in Jonathan Edwards College. To contact him, please e-mail [email protected].