Let’s Stop Playing Whac-a-Mole on our networks

The White House has been slow to the cyber defense problem and continues to miss the boat.  For years we’ve been playing Whac-a-Mole, but there are too many moles in the garden to whack.  The President’s proposal for better information sharing with the private sector would be a good thing; Congress should pass that bill.  But it would not touch the underlying weaknesses in the networks.  Nor would heavier penalties for cyber fraud or a uniform national breach reporting law.  In Politico today I lay out five steps we could take that could really make us safer.

Merely an attack on a German steel producer — or is it a message to Germany?

This link will take you to an account of a sophisticated, network-enabled attack on a German steel producer that disrupted production and caused physical damage to a blast furnace.  We are the beginning, not the end, of an era in which proliferating and uncontrollable expertise, backed by very little capital, can be leveraged to cause huge damage to critical systems that reside on the same vulnerable infrastructure that supports middle school chit chat.

State-Sponsored IP Theft: The Huge Hole in the WTO — and How to Fix It

How is it that the world’s trading nations, including Russia and China, are obligated by treaty to protect other nationals’ intellectual property within their own borders, but are free to steal it when operating abroad?  Near-universal digitization of information and pervasive connectivity have turned state-sponsored IP theft into a plague.   The World Trade Organization was created in 1994 — just before the digital revolution shook up commercial and personal life. It was meant to bring IP into the world of “honest commercial practices in international trade,” but the treaty came too early to deal with cross-border, network-enabled IP theft.  This is a huge hole in the way the WTO works, and it’s time to fix it.  This will be hard and will require a sustained diplomatic effort.  This month, in an an article called “The New Industrial Espionage” in The American Interest, I lay out a case for how it could be done.

A Reflection on Veterans’ Day 2014

I had the good fortune this Veterans’ Day to participate in a panel on surveillance sponsored by the ACLU at Harvard Law School and moderated by Professor Jonathan Zittrain, and the equal good fortune to have as fellow panelists federal appellate Judge Alex Kozinsky and the ACLU’s Alex Abdo.  It was fitting, on the day we remove our hats to those who served in our military, to recall the liberties for which they served and to wrestle with the relationship of liberty and security.  Rather than retail the high-minded sentiments we’ve all heard on that subject, however, I want to repeat something I said at NSA when I became that agency’s inspector general in 2002.


If one draws a Venn diagram of two circles on a page, one circle representing those who care deeply about civil liberties and another representing those who care deeply about national security, they hardly overlap.  By “care deeply,” I don’t mean a distracted shrug in the right directions.  I mean taking the time and trouble to know and speak up about abuses of liberty that even in the best of times occur around us, and to understand the military and other structures, but especially the military and those who serve in it, that make us secure.  This separation of concerns, and even worse, the sociological separation of interested groups, has grown decidedly greater since the creation of a volunteer military.   Less than one percent of Americans now serve in the military.  As a result, knowledge of military affairs in the public and in Congress may be at an historic and lamentable all-time low.


The two circles on my Venn diagram will never be perfectly superimposed.  Sociological as well as ideological factors push them apart.  They nevertheless represent values that in a decent civil society can never be separated.  It was clear to me as I assumed my duties at NSA in 2002 that the powerful momentum toward security would one day shift, and that actions taken in the face of immediate danger would eventually be subject to harsh scrutiny.  In some cases that scrutiny would result from cooler judgments about real risk, in others from the fickle attention of citizens who, having comfortably forgotten the truly grave threats to the country that followed the first strikes on September 11, 2001, were equally willing to forget the need for exceptional measures and for the exceptional sacrifices that people in and out of uniform were making to protect the country.  Yet it was hot-headed to say, as some highly placed politicians were then saying, “Everything has changed now” – that was code for ignoring Constitutional principles on detention and torture – or who said we could not take even a one-percent risk of terrorism.  Free societies take constant risks with both crime and terrorism.  We could reduce crime to near zero – the Soviets did it. We could probably also reduce the risk of terrorism to near zero – but not a price in liberty we are willing to pay.  A society that declares it will take no risk with crime or terrorism defines itself as a police state.


And so on Veterans’ Day it seems to me fit to reflect that it is a citizen’s duty to push these two circles closer together by becoming personally engaged both in the actual state of civil liberty in our land and in the treatment of our veterans.  It is not sufficient to thank these men and women for their service.   When soldiers, sailors, airmen, and marines return from warfare with broken bodies and shaken minds, they require a consistent and high level of care and training, and they have not had it.  We are breaking faith.  A nation that taxes itself to make war must also tax itself to care for its warriors.

Critical Infrastructure Vulnerabilities Constrain U.S. Freedom of Action

A few days ago I explained in the Washington Post how the vulnerabilities of our critical infrastructure like banks and the electric grid can affect a President’s freedom of action.  The New York Times had reported that Mr. Obama specifically asked our intel agencies whether the Russian hack of J.P. Morgan was Putin’s payback for sanctions over Ukraine — an no one could tell him.  The question and lack of answer implied that it could have been payback, and that our agencies do indeed think that Russian foreign intelligence services could do serious harm to our critical infrastructure.  Whether that attack was the work of a Russian criminal gang operating on its own or at the direction of the Kremlin, isn’t it clear by now that weaknesses in our critical infrastructure can constrain our freedom of action in international affairs?  I addressed this topic again today with KT McFarland on Fox.com.

Warlike network operations are important to contemplate, but visions of conflagrations, while they illuminate real risk, obscure the current state of affairs in which threats to our infrastructure can simply make us think twice or thrice before we act, or paralyze us.  I call this the grey space between war and peace, and we are in it.