One of the major themes of the Cyberspace Policy Review (the Review) is that a national strategy on cybersecurity must be consistent with the protection of privacy rights and civil liberties guaranteed by the Constitution and the law. Indeed, President Obama underscored that point in announcing the Review when he said that his Administration “will preserve and protect the personal privacy and civil liberties that we cherish as Americans,” reiterating the theme from his inaugural address that choosing between our safety and our ideals is a false choice. The authors of the Review are to be commended for encouraging a national dialogue on how this can be achieved while promoting national and economic security. Intelligence agencies, particularly the National Security Agency (NSA), are at the intersection of these vital interests, and intelligence lawyers face daunting but tremendously exciting and important opportunities to help ensure that their agencies operate in ways that effectively balance demands for both privacy and civil liberties and for the security of cyberspace.
The cyber threat is the most pervasive and pernicious threat facing the United States today. Its mention does not immediately conjure visions of the catastrophic horrors that would result from an attack using a weapon of mass destruction, but today’s cyber threat is a very real and present danger. As of September 14, 2009, more than 10,450,000 U.S. residents had been victimized by identity theft in 2009 alone, and that number increases by one victim each second.2 Fifteen million victims will lose more than fifty billion dollars each year.3 Specific threats such as identity and consumer fraud allow us to quantify and understand part of the cyber threat in terms that allow the U.S. government,4 corporate America,5 consumer groups, and individuals6 to take preventive action. However, the growing number of victims would clearly suggest we have not effectively solved the problem, even if we are starting to comprehend its scope.
The cyber threat to U.S. national security, economic security, and public health and safety is far more amorphous and less susceptible of comprehension than its kinetic analogs. Popular media productions such as 247 and Live Free or Die Hard8 have depicted sophisticated cyber intrusions that intentionally caused aircraft collisions, a nuclear power plant meltdown, a compromise of White House security and communications…
The Internet seems to offer the promise of everything to everyone. For global and local business, it lowers costs while increasing innovation, invention, effectiveness, and efficiencies. For wealthy and poor economies alike, the Internet greatly expands markets for products and services. For peoples free and repressed, it provides an inlet and an outlet of expression. For large and small communities, whether living in urban centers or outlying regions, the Internet enables control over critical power, transportation, water, and sewerage systems.
Lest we forget, for sophisticated criminals, terrorists, warmongers, and spies, the Internet also offers the chance of a lifetime to cheat, steal, and strike from afar with little money, covered tracks, and enormous real world impact. While the ability to use the same technology for positive or destructive ends is neither new nor momentous, it is necessary to consider whether the rapid adoption of the Internet has provided so considerable an asymmetric advantage to our adversaries that it can change the course of American history. In this regard, when we consider the intent and capabilities of our enemies, we cannot underestimate them or, as the 9/11 Commission found in a different context, suffer from failures in imagination, policy, capabilities, or management.
Thus our future remains uncertain. Based on our increasing reliance on networks to drive our economy and support our health, welfare, communications, and security, certain questions loom large. For example, can our enemies control whether, how, and when our systems operate and our vital services get delivered? Are our personal and business records, corporate intellectual property, and state secrets routinely exposed or imperceptibly altered?1
Unfortunately, the answers to these questions not only remain unknown, they perhaps are unknowable. Therefore, it is difficult to provide our nation’s government leaders, corporate executives, shareholders, and citizens with reasonable assurance that our computer systems have not been…