When a headline such as “Broad Powers Seen for Obama in Cyberstrikes” appears on the NY Times, my initial response is a skeptical one. I’ve long viewed the ways that the last two administrations have handled cybersecurity as failures to understand Golidilocks; they are too harsh when it isn’t warranted and lackadaisical in times of the greatest need. Many countries are growing more dangerous in the world of cyberterrorism with China leading the way. They are arguably more advanced than the United States in understanding the realities of cyberwarfare.
To my pleasant surprise, the reported powers being granted to the President and partitioned to the various agencies within the US government appear to be at the appropriate levels. They are cautious, yet not over-reactive. They acknowledge the need to be constantly monitoring, ever diligent, and they do not take preemptive strikes off the table.
Perhaps most importantly, they still put the power of self-defense in the hands of US companies and organizations. This is an important distinction and one that, frankly, I didn’t expect. Recent attacks on the Washington Post, Twitter, and other companies are worrisome, but they should not fall into the realm of government intervention. Under the new rules, as long as the affected IT systems do not directly influence national security or wide-spread infrastructural elements such as the power grid, the administration is going to take a hands off approach.
In other words, your problems are your problems and the government is not going to get in the way or get involved.
This is an important distinction. Despite having the best technology, the government is not equipped to be the cyberpolice. They cannot prevent, investigate, or retaliate against every foreign attack on companies and individuals. Making companies responsible for their own security as long as it does not harm national interests is the only way to go. Defend the country and let the people defend their companies – it’s the only approach that is truly scalable.
One other thing to note from a defense perspective is that the wording as we understand of the classified documents only go “broad” when there are threats in other countries. The FBI and Department of Homeland Security, with all of their flaws, are still better for investigating domestic cybercrimes than the NSA. Even though the Pentagon has the best toys, they should not be pointing them internally.
Overall, this is shaping up to be a good development. Cyberwarfare is the most dangerous method of war facing America and the world today. In a society that is increasingly connected, limiting the damage that can be perpetrated by the “bad guys”, whether it be states or organizations, is the most important defensive strategy going forward.