Don’t Put the Pentagon in Charge of Private Industry’s Cybersecurity

In a video message posted last week, President-Elect Donald J. Trump said that he would ask the Joint Chiefs of Staff and the Department of Defense to develop a plan to protect critical infrastructure like the power grid from cyberattacks.

In so doing, Mr. Trump fell into the trap that so many politicians new to the challenges of securing cyberspace fall into—believing that cybersecurity is a problem that the military is best equipped to address. Once in office, he will discover what the last three presidents have found: there is almost nothing the U.S. military can do to protect private industry from cyberattack.

The logic that the military should be responsible for protecting private companies from cyberattacks is as compelling as it is wrong. After all, we do not ask Walmart to place anti-ballistic missiles on the roofs of its stores or to maintain its own nuclear deterrent to protect itself against nuclear attack. Therefore, the logic goes, we should not leave the private sector to defend itself from cyberattacks. Analogies, however, only take us so far.

Cyberspace is a very different domain and the consequences of even the most horrific cyberattack—grounded in any degree of technical reality—do not come close to the death and devastation from a nuclear attack. Moreover, the technical reality of cyberspace dictates that there are few ways that the military could intervene effectively without doing more harm than good.

Protecting private companies from cyberattacks would require that the U.S. military have the capability to block incoming attacks. Unlike a ballistic missile, which is readily discernable from a commercial aircraft, cyberattacks hide in the vast quantities of benign traffic that crosses the internet each day. Finding them requires access to that data.

If Mr. Trump pursues an approach that requires internet service providers, like AT&T and Verizon, and other private owners of critical infrastructure to give the military access to their data, he will face adversaries more formidable than the cyber units in the Russian, Chinese, and Iranian armies. The U.S. Chamber of Commerce, which formed an effective coalition to block President Obama’s attempt to increase regulation for cybersecurity, is likely to reject putting Cyber Command in charge of monitoring internet traffic.

Almost all U.S. companies want to increase their efficient use of information technology and to sell their products and services in overseas markets. Having a government agency act as a middleman to vet internet traffic between U.S. companies and the wider world would effectively insert Uncle Sam in every business transaction U.S. companies undertake or market they seek to enter. Much like what the Transportation Security Administration did to air travel (i. e. increase costs and delays without demonstrating that it provides better security than the private sector), Cyber Command could do to the Internet.

In opposing this effort, the private sector will make common cause with privacy and civil liberties advocates who will argue that giving the military network access in order to protect U.S. companies violates the Fourth Amendment’s protections against unwarranted government searches and places the privacy of all Americans at risk. They will be joined by a not insignificant caucus within the president-elect’s own party that is wary of giving government such power.

Even if Mr. Trump could overcome the concerns of business and privacy advocates, there is little to suggest that the U.S. military possesses better capabilities than what can be purchased on the open market. Indeed, the Pentagon has a poor record of protecting its own vital information, allowing Russia to steal email off the servers used by the Joint Chiefs in the summer of 2015, and losing troves of classified data from insider theft by Chelsea Manning, Edward Snowden, and, most recently, Harold Thomas Martin.

These losses occurred despite the advantages Cyber Command has in trying to protect its own data: thousands of dedicated personnel, billions of dollars, total control over the network on which it operates, and the ability to set rules and give orders that military personnel are required to follow. Unless he also plans to give Cyber Command regulatory powers, Cyber Command would have a responsibility it could not possibly carry out.

Meanwhile, companies like FireEye, Crowdstrike, and IronNet, founded by former NSA Director Keith Alexander, now sell capabilities to detect advanced threats that surpass even the classified capabilities available to the Defense Department.

In almost every other area of policy, President-Elect Trump has promised to get the government out of the affairs of the private sector, pledging to reduce regulation and bring competition to areas that government has traditionally monopolized like public education. On cybersecurity, he should stick to his gut and keep the security of private networks and private data a private responsibility.

This post appears courtesy of CFR.org.