An Airman installs computer systems on the operations floor of the new 497th Intelligence, Surveillance, and Reconnaissance Group building at Langley Air Force Base, Va., April 21, 2010.

An Airman installs computer systems on the operations floor of the new 497th Intelligence, Surveillance, and Reconnaissance Group building at Langley Air Force Base, Va., April 21, 2010. U.S. Air Force photo by Senior Airman Dana Hill

Science & Tech

Don’t Put the Pentagon in Charge of Private Industry’s Cybersecurity

There are few ways that the military could intervene effectively without doing more harm than good.

Robert Knake,
Council on Foreign Relations

|
Robert Knake
By Robert Knake
Senior Fellow for Cyber Policy

In a video message posted last week, President-Elect Donald J. Trump said that he would ask the Joint Chiefs of Staff and the Department of Defense to develop a plan to protect critical infrastructure like the power grid from cyberattacks.

In so doing, Mr. Trump fell into the trap that so many politicians new to the challenges of securing cyberspace fall into—believing that cybersecurity is a problem that the military is best equipped to address. Once in office, he will discover what the last three presidents have found: there is almost nothing the U.S. military can do to protect private industry from cyberattack.

The logic that the military should be responsible for protecting private companies from cyberattacks is as compelling as it is wrong. After all, we do not ask Walmart to place anti-ballistic missiles on the roofs of its stores or to maintain its own nuclear deterrent to protect itself against nuclear attack. Therefore, the logic goes, we should not leave the private sector to defend itself from cyberattacks. Analogies, however, only take us so far.

Cyberspace is a very different domain and the consequences of even the most horrific cyberattack—grounded in any degree of technical reality—do not come close to the death and devastation from a nuclear attack. Moreover, the technical reality of cyberspace dictates that there are few ways that the military could intervene effectively without doing more harm than good.

Protecting private companies from cyberattacks would require that the U.S. military have the capability to block incoming attacks. Unlike a ballistic missile, which is readily discernable from a commercial aircraft, cyberattacks hide in the vast quantities of benign traffic that crosses the internet each day. Finding them requires access to that data.

If Mr. Trump pursues an approach that requires internet service providers, like AT&T and Verizon, and other private owners of critical infrastructure to give the military access to their data, he will face adversaries more formidable than the cyber units in the Russian, Chinese, and Iranian armies. The U.S. Chamber of Commerce, which formed an effective coalition to block President Obama’s attempt to increase regulation for cybersecurity, is likely to reject putting Cyber Command in charge of monitoring internet traffic.

Almost all U.S. companies want to increase their efficient use of information technology and to sell their products and services in overseas markets. Having a government agency act as a middleman to vet internet traffic between U.S. companies and the wider world would effectively insert Uncle Sam in every business transaction U.S. companies undertake or market they seek to enter. Much like what the Transportation Security Administration did to air travel (i. e. increase costs and delays without demonstrating that it provides better security than the private sector), Cyber Command could do to the Internet.

In opposing this effort, the private sector will make common cause with privacy and civil liberties advocates who will argue that giving the military network access in order to protect U.S. companies violates the Fourth Amendment’s protections against unwarranted government searches and places the privacy of all Americans at risk. They will be joined by a not insignificant caucus within the president-elect’s own party that is wary of giving government such power.

Even if Mr. Trump could overcome the concerns of business and privacy advocates, there is little to suggest that the U.S. military possesses better capabilities than what can be purchased on the open market. Indeed, the Pentagon has a poor record of protecting its own vital information, allowing Russia to steal email off the servers used by the Joint Chiefs in the summer of 2015, and losing troves of classified data from insider theft by Chelsea Manning, Edward Snowden, and, most recently, Harold Thomas Martin.

These losses occurred despite the advantages Cyber Command has in trying to protect its own data: thousands of dedicated personnel, billions of dollars, total control over the network on which it operates, and the ability to set rules and give orders that military personnel are required to follow. Unless he also plans to give Cyber Command regulatory powers, Cyber Command would have a responsibility it could not possibly carry out.

Meanwhile, companies like FireEye, Crowdstrike, and IronNet, founded by former NSA Director Keith Alexander, now sell capabilities to detect advanced threats that surpass even the classified capabilities available to the Defense Department.

In almost every other area of policy, President-Elect Trump has promised to get the government out of the affairs of the private sector, pledging to reduce regulation and bring competition to areas that government has traditionally monopolized like public education. On cybersecurity, he should stick to his gut and keep the security of private networks and private data a private responsibility.

This post appears courtesy of CFR.org.

NEXT STORY: A Glimpse At How the F-35 Will Help the Marines Storm the Beach

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.