Category Archives: Vol. 4 No. 1

Cybersecurity: National Leadership, Individual Responsibility | This issue contributes to the national debate on cyber-related issues by supplying some of the missing pieces of the discussion, focusing on the largest and most difficult sub-set: cybersecurity.

Foreword

I am proud to be asked by the Journal of National Security Law & Policy to introduce this important and impressive issue. The timing could not be more critical. The nation is in the middle of a significant debate – how important is cybersecurity among the many security vulnerabilities competing for scarce resources? This is precisely the sort of consequential topic regularly addressed by this journal, which was created on a volunteer basis as a direct reaction to the September 11 attacks on the United States. My compliments to the Journal for providing incisive commentary by and for public officials and academics alike.

A cornerstone of our twenty-first century economy is the ability to employ computers to transact business, operate infrastructure, and manage our personal affairs. We often take for granted how much of our daily lives depends upon the efficient operation of our computers and their ability to communicate across vast and varied networks. Not just mobile phones, email, and online shopping rely on cyberspace, but also electricity and the businesses that facilitate our daily living like grocery stores and trash pickup. This dependence on cyberspace means that it must be reliable and resilient – in other words, secure from failure, compromise, data manipulation, or theft.

Of course, cybersecurity is only one aspect of national and homeland security. We are fighting against Taliban insurgents in Afghanistan, hardening the transportation system, and investing unprecedented resources in securing our national border. We undertook a massive immunization effort across our country’s school systems to address H1N1 influenza. How do we assign a relative value to cybersecurity among this list of priorities? And once we determine the relative values, how do we take action to secure cyberspace? These matters are just beginning to be opened to robust debate. And that debate must take place within a common framework of analysis…

Introduction

For many of us, the cyber threat to U. S. national security is amorphous and not easy to comprehend. At the same time, in the last two years of the Bush administration and through the first year of the Obama presidency, cybersecurity has been characterized as “one of the most urgent national security problems facing the new administration.”1 Our cyber systems have increasingly been infiltrated in recent years by malefactors with widely ranging motivations and associations. Experts point to stunning amounts of sensitive material lost to cyber thieves.

Given the increasing dependence on cyber technology, the vulnerabilities within insecure cyber networks are hard to quantify and even harder to understand and protect against. We have devoted the current issue of the Journal of National Security Law & Policy (JNSLP) to cyber threats in an attempt to raise awareness and focus national debate on what should be done in a variety of contexts to improve cybersecurity.

Many have helped in this project, but particular thanks go to Gary Sharp, special editor for this issue, who conceived the idea and did much to shape its content. Thanks are also due to Richard Shiffrin, who graciously served as an unofficial editor of this special issue, reviewing and critiquing significant amounts of material.

For many reasons, the collection of views presented in this issue is especially timely. By any measure, developing and implementing a forward-looking cybersecurity policy is among the most compelling items on the Obama administration national security agenda. It may also be the most complex. Developing such a policy requires a sophisticated understanding of the technology, interests, and motivations involved in perpetrating cyber attacks, on the one hand, and an appreciation of the tradeoffs implicated in decisions to create new authorities and institutional arrangements for cyber defense, on the other. That the Administration has not yet implemented a blueprint for action, despite the issue’s priority, may simply reflect its understanding that, given the intricacies of the threat and its management, leadership means showing restraint, rather than acting precipitately.

The Past, Present, and Future of Cybersecurity

The cyber threat is the most pervasive and pernicious threat facing the United States today. Its mention does not immediately conjure visions of the catastrophic horrors that would result from an attack using a weapon of mass destruction, but today’s cyber threat is a very real and present danger. As of September 14, 2009, more than 10,450,000 U.S. residents had been victimized by identity theft in 2009 alone, and that number increases by one victim each second.2 Fifteen million victims will lose more than fifty billion dollars each year.3 Specific threats such as identity and consumer fraud allow us to quantify and understand part of the cyber threat in terms that allow the U.S. government,4 corporate America,5 consumer groups, and individuals6 to take preventive action. However, the growing number of victims would clearly suggest we have not effectively solved the problem, even if we are starting to comprehend its scope.

The cyber threat to U.S. national security, economic security, and public health and safety is far more amorphous and less susceptible of comprehension than its kinetic analogs. Popular media productions such as 247 and Live Free or Die Hard8 have depicted sophisticated cyber intrusions that intentionally caused aircraft collisions, a nuclear power plant meltdown, a compromise of White House security and communications…