Digital Security In An Analog Bureaucracy
President Obama is making cyber-security a top priority, but he faces several hurdles within his own administration.
Saturday, June 13, 2009
by Shane Harris
y the time Barack Obama took office, he was convinced that the Internet was an extraordinary tool for communicating, organizing, and raising money, and that it also posed a critical vulnerability for national security.
During the campaign, Obama's computer systems were hacked, and the intruders made off with valuable information. As the president recounted in a speech in May, "Between August and October [2008], hackers gained access to e-mails and a range of campaign files, from policy position papers to travel plans. And we worked closely with the CIA, with the FBI and the Secret Service, and hired security consultants to restore the security of our systems." Republican nominee John McCain's campaign computers were also compromised.
Newsweek first reported the cyber-breach in November 2008. Technology experts at Obama's campaign headquarters had detected what they thought was a computer virus, according to the magazine. But a day later, the FBI and Secret Service warned the campaign: "You have a problem way bigger than you understand. You have been compromised, and a serious amount of files have been loaded off your system."
Newsweek reported that FBI and White House officials told the Obama campaign that "a foreign entity or organization" had launched the attack to gather information about the evolution of the campaign's policy positions, "information that might be useful in negotiations with a future administration." A former senior intelligence official told National Journal that Chinese sources were responsible. Separately, the government's top counterintelligence official said that hackers based in China have stolen information from U.S. businesses to get a leg up in negotiations. The hack of Obama's computers fits a general pattern of cyber-espionage.
In recalling the episode in his speech last month, Obama said, "It was a powerful reminder: In this Information Age, one of your greatest strengths -- in our case, our ability to communicate to a wide range of supporters through the Internet -- could also be one of your greatest vulnerabilities." The occasion of the speech was the much-anticipated unveiling of the administration's Cyberspace Policy Review. The document is the product of an inventory that Obama ordered of security policies, plans, and studies, and it is an opening step in what the president called "a new, comprehensive approach to securing America's digital infrastructure."
Fulfilling a campaign promise, Obama has made cyber-security a top priority, and he's putting presidential clout behind the effort. "This new approach starts at the top, with this commitment from me," he said. "From now on, our digital infrastructure -- the networks and computers we depend on every day -- will be treated as they should be: as a strategic national asset."
In protecting the Internet, Obama seeks to safeguard the very integrity of global commerce, communications, and the operation of government. "In short, America's economic prosperity in the 21st century will depend on cyber-security," he said.
Obama cited startling statistics, ranging from intellectual-property theft -- estimated at $1 trillion worldwide last year -- to cybercrime perpetrated on everyday users of the banking system. "In one brazen act last year," he said, "thieves used stolen credit card information to steal millions of dollars from 130 ATMs in 49 cities around the world -- and they did it in just 30 minutes."
Obama also recognized that the nation's energy production and delivery systems are vulnerable because many of them are run by computers connected to the Internet. "We know that cyber-intruders have probed our electrical grid and that in other countries, cyberattackers have plunged entire cities into darkness," Obama said, marking the first time that a U.S. president has ever publicly acknowledged such serious intrusions.
Cyber-Czar
Obama also promised to put a high-level official in charge of coordinating cyber-security across the government. During the campaign, he said that this person would "report directly to me." But when Obama unveiled his cyber-policy review, he announced that the official would have "regular access to me."
"That is not the same as an adviser. And this is a difference that can mean a lot in Washington circles," said Eugene H. Spafford, a professor at Purdue University who's the executive director of the Center for Education and Research in Information Assurance and Security. He compared the position with the "largely ineffectual" job of cyber-security coordinator set up in the first months of the Bush administration. The person in that post, Richard Clarke, was an early evangelist for a national response to cyber-security, but he was also seen as lacking the budgetary authority and full backing of the president necessary to make real headway on the issue.
The new cyber-czar will occupy an unusual spot in the White House pecking order. He or she will report to the national security adviser, James Jones, as well as the director of the National Economic Council, Lawrence Summers. This bifurcated arrangement was reportedly the result of Summers's request, made during internal debates, that the new cyber official not have broad policy-making powers over the Internet, for fear that it might restrain economic growth and innovation. It remains to be seen how limited the new czar's powers will be, but many in the business community have supported Summers's stance.
"Given the constant temptation for meddling in technology policy by both political parties, a czar can easily become a central figure in the drive to regulate someone, somewhere, rather than simply tend to government-modernization knitting," said Wayne Crews, vice president for policy and director of technology studies at the Competitive Enterprise Institute.
Still, major business trade associations applauded the new moves from the White House. Phil Bond, the president of TechAmerica, which represents many of the companies that help run the Internet, called Obama's emerging plan "a historic step in the right direction." The U.S. Chamber of Commerce praised Obama for making good on his campaign promise to give cyber-security a high profile. "Cyber-threats are real, growing, and causing significant challenges for businesses," said Ann Beauchesne, the chamber's vice president for national security and emergency preparedness.
But the cyber-chief will have to do more than elevate the status of the issue, or launch a public awareness campaign about cyber-threats, another key part of Obama's policy. The czar will have to take on big, entrenched bureaucracies to significantly advance the president's agenda.
Turf Dispute
Today, two large departments exert the most influence over cyber-security policy and actual cyber-defense. The Defense Department is responsible for protecting military assets and, through the National Security Agency, classified intelligence and other sensitive information. The Homeland Security Department is charged with ensuring that civilian agencies and departments are protected and coordinates the safeguarding of critical infrastructures, such as electrical systems, with the private sector.
The Defense Department has no plans to relinquish its authority. On the contrary, it is setting up a Cyber Command to be headed by Army Lt. Gen. Keith Alexander, who currently directs the NSA. Alexander also commands the Joint Functional Component Command, an elite group of computer operators responsible not only for defending Pentagon networks but also for hacking into an adversary's systems for the purpose of cyber-warfare.
Meanwhile, at the Homeland Security Department, officials also intend to continue their role in civilian government security and their work with the private sector. During his confirmation hearing, Obama's nominee for a senior DHS post said that the appointment of a cyber-czar wouldn't diminish the department's responsibilities.
"There was no realignment of roles and missions in the department, and it is the view in the White House that [DHS] will continue to play a central role in the protection of America's cyber infrastructure," said Rand Beers, the nominee for undersecretary in the National Protection and Programs Directorate. But Beers said that the czar would have to help settle bureaucratic disputes. "I'm sorry to say we need help from the White House for people to play in the same sandbox."
Homeland Security and the NSA have sparred in the past over operational control of cyber-security. The agency has the expertise and experience for that job, but DHS officials have asserted that they have the legal authority to safeguard government networks and coordinate broader protection with the private sector. Nothing in the president's new plan settles these turf fights.
This is the 20th and final report in a series looking at an issue on President Obama's agenda. The entire series can be found at NationalJournal.com/agenda.