NR Digital

Our Failed Cybersecurity Policy

by Luke Thompson

Russian hacking requires a stronger response than it has received

President Obama’s approach to cybersecurity featured all of his bad habits. He placed undue faith in multilateralism. He emphasized intentions and neglected outcomes. His inner circle circumvented and ignored formal processes designed to ensure security and promote sound decision-making. His staff routinely failed to follow through on big promises. Above all, he placed political expedience over clear and considered policy.

His politics-first approach expressed itself chiefly in two ways: Obama took care to serve the interests of his Silicon Valley supporters, and he took measures to shield the Oval Office from embarrassment when failures of administration permitted massive, often sustained, hacks of our critical digital infrastructure. Before the failure of Hillary Clinton’s candidacy, the mainstream media largely gave Obama a pass on questions of cybersecurity, unwilling to learn a complex issue simply to embarrass an ideologically congenial administration.

Negligence, on the part of the press as well as the president, has had consequences. The politicization of cybersecurity stunted the development of a coherent cyber doctrine and, by suggesting weakness, diminished American power. Granted, technology changes faster than the government can write policy, and the government is not agile enough to deal with many aspects of cybersecurity. Even so, the Obama administration failed to address the problem with the requisite seriousness or to incent the technology industry to ensure the security of new products before releasing them. Obama’s political priorities put us on a digital collision course with Russia’s hacking.

The chickens of this malign neglect came home to roost on Election Day. Russian interference in the general election did not determine the outcome of the race. But cavalier meddling by the intelligence services of a hostile foreign country threw the administration’s policy failures into stark relief. Let the Left be distracted by the fantasy that Russian hacking and Anthony Weiner’s libido fatally sabotaged Clinton’s candidacy. Russia nonetheless felt empowered to deploy its factotums at WikiLeaks brazenly, and conservatives must confront this reality with clear eyes.

Federal cybersecurity policy began quixotically. In 1983, President Reagan, relaxing at Camp David, watched the film WarGames, which stars a young Matthew Broderick as a teenage computer hacker who commandeers NORAD to avert a nuclear war. As Fred Kaplan reports in his book Dark Territory, Reagan was struck by the central theme of the movie: government networks controlling military assets vulnerable to amateurs, rogue states, other malefactors, and the merely curious.

Reagan’s subsequent inquiries on the matter met with skepticism, but the president insisted. The Pentagon undertook an audit of its practices and network infrastructure. The results it found were hair-raising. The federal government’s communications infrastructure was woefully dependent on commercial products and academic facilities that had, at best, indifferent security standards. Daily, secrets transited easily accessible channels. In response, the White House promulgated National Security Decision Directive 145, the Magna Carta of federal cybersecurity policy. NSDD 145 charged the different parts of the executive branch to collaborate on securing both classified and unclassified communications and empowered the government to help industry shore up its own security issues. Unfortunately, like Magna Carta, the directive wound up more aspirational than practicable.

With the end of the Cold War, cybersecurity took a backseat to the “end of history.” State Department and National Security Council veteran Richard A. Clarke continued to raise the alarm about hacking and cyber vulnerability for both corporate and government systems. Indeed, he kept the issue of cybersecurity alive, but at a bureaucratic cost. To insulate cybersecurity from general indifference, Clarke advocated that the issue be treated as a policy area unto itself. It came to be seen as an emergent, unique domain.

In one of the great ironies of the federal bureaucracy, marking out a new, distinctive policy area encourages the diffusion of responsibility. Bureaucratic entrepreneurs in pursuit of promotion recast themselves as subject-matter experts. Offices in pursuit of ever larger budgets promote their own “capabilities.” Without an entity responsible for ensuring sound practices across the federal government, America’s cybersecurity functions were scattered across dozens of tiny bureaucratic ghettos. Indeed, the government treats website and network construction as essentially domestic-policy matters but splits its security apparatuses across both domestic and foreign-facing agencies. Only the president has the scope of authority required to unify cyber policy.

Successive administrations have failed to answer the challenge because treating cybersecurity as a policy area unto itself dovetails with the political incentives of the executive office. Highly complex, cybersecurity is emphatically unsexy. The media notice only when something goes horribly wrong, and so cybersecurity demands that the president invest considerable administrative energy without a clear political upside. Moreover, opacity also has advantages. Cybersecurity can be held up as a totem of the new and modern. The president can point to cyber initiatives as indications of an energetic and serious executive — and typically face no realistic fear that the public will scrutinize his braggadocio.

If the experience of the Obama years has taught us anything, clearly cybersecurity should be treated as a governing process rather than a policy domain. Just as the government relies on electricity, and sees securing power grids as integral to its functioning, digital tools are central to every element of the federal government. Continuing to treat cyber issues as a distinctive policy realm, with satrapies and sinecures scattered across the executive branch, means hamstringing America’s ability to respond to pernicious foreign actors looking to exploit our cyber vulnerabilities.

Obama recognized this problem, at least partially, after the disastrous Obamacare rollout. In mid-2014, the White House created the U.S. Digital Service. The results have been mixed. The Digital Service arrived too late in Obama’s tenure and focuses more on design and site engineering than on security. Part of the Executive Office of the President, it has the ambit to tackle problems anywhere in the executive branch but lacks the manpower to unify executive-branch practices. As a result, the Digital Service has not prioritized cybersecurity. Indeed, although its stated goal is to build “a more awesome government through technology,” the Digital Service continues to cater to the White House’s political imperatives.

Moreover, the Digital Service has reinforced the administration’s politically naïve view of the technology industry. Consisting mostly of industry veterans, the rank-and-file members of the Digital Service have every reason to maintain ties to their former employers. From Silicon Valley they came, and unto Silicon Valley they shall return. Tech companies treat engineering as a separate animal from security, tending to rush woefully unsafe software to market as soon as it hits minimal functionality. As a result, our digital economy looks a lot like the automotive industry before mandatory safety features.

Embracing the rotating-door politics familiar to Washington would pose no real problem in normal times. However, these are not normal times online. We are in the midst of a major cyber struggle with hostile foreign powers, Russia in particular. The White House has been reluctant to acknowledge this struggle because our foes have exploited both the commercial practices of the technology industry and the administrative shortcomings of the Obama White House. Industry, reflexively hostile to its dependence on the federal government with respect to regulations, has executed an effective counter-strategy by capturing the Digital Service, which is stacked with former and future tech-industry personnel. Meanwhile, Russia goes undeterred.

We find ourselves in a cyberwar that resembles World War I: Our technology has outpaced our doctrine, with rapid escalation the predictable result.

Like the Great War, the Russo–American cyberwar broke out over Sarajevo. NATO’s Balkan interventions convinced Russian officials that they needed asymmetric tools, specifically cyberattack capabilities, to counter the West. As early as 1996, Russian actors began probing and then penetrating the communications networks of defense contractors and U.S. government agencies. Chinese hackers soon followed suit.

Cyber conflict ebbed and flowed during the Bush years and Obama’s first term. Russia periodically accessed American networks but in retrospect appears to have spent that time building the capacity for a full-scale assault on the digital infrastructure of the executive branch.

Vladimir Putin despises Hillary Clinton. He blames her for fomenting protest against his administration during her tenure as secretary of state. He sees in her enthusiasm for a no-fly zone in Syria sub rosa designs to engage Russia militarily and force a stand-down. To Moscow, the collapse of the Yanukovych regime and the rise of a decidedly pro-Western Ukrainian government looked like American aggression in its backyard.

In response, the Kremlin unleashed its digital hounds. Russian actors staged a rapid series of intrusions that implied considerable planning. In late 2013, they exploited a hole in Microsoft Windows to spy on NATO, the revolutionary Ukrainian government, several European government entities, and at least one academic institution. America failed to respond decisively, and attacks escalated over the next year. In June 2014, officials revealed that Chinese hackers had made off with the personal records of 21.5 million Americans. By November, Russian cyberattacks had so thoroughly penetrated the unclassified systems of the State Department that for several days it had to partially shut down its e-mail system.

The damage was done. Using at least one compromised State Department e-mail address, Russian agents had already launched successful phishing attacks (phony e-mail requests designed to gain access to a network via log-in credentials) on the Executive Office of the President. By early 2015, the Russians had succeeded in penetrating the White House’s networks. At roughly the same time, Russian actors broke into unclassified networks at the Defense Department. Even the Joint Chiefs saw their systems compromised.

Early on, Russia confined itself to network intrusions and data theft, refraining from publicly embarrassing the White House. American media failed to seize on the steady supply of hacking stories, so the administration felt no political incentive to take public action against Russia. Nonetheless, officials began to formulate a new executive-branch policy document outlining how the federal government should retaliate if Russia escalated considerably. As we will see, the inadequacy of this document actually encouraged Russian escalation.

In September 2015, the FBI notified the Democratic National Committee that its systems had been hacked by a Russian actor. In March 2016, a Russian phishing scheme successfully hooked John Podesta, then Hillary Clinton’s campaign chairman, the author of a 2014 White House report on cyber privacy. Russian operatives pulled in considerable e-mail hauls from both attacks but chose to sit on their finds.

Shortly before the Democrats’ convention in Philadelphia, the Russians allegedly funneled the hacked DNC e-mails to their stooges at WikiLeaks. The stolen documents were released on July 22, revealing that DNC chairwoman Debbie Wasserman Schultz and her staff had, as long suspected, tilted the primary-election scale in Clinton’s favor. Bernie Sanders supporters were livid, and Wasserman Schultz was forced from her post.

These events amounted to a successful major escalation by Russia. For the first time, Moscow had intentionally embarrassed the president and his party’s nominee through a publicly conspicuous effort. The fall of the chairwoman of a national party made the DNC hack Russia’s boldest and most politically consequential cyberattack by far. Doubtless, Russia watched intently how the White House responded. Weakness from the administration might have amounted to a green light to release the Podesta e-mails at an opportune time.

To make matters worse, on July 26, four days after the DNC hack, the White House released Presidential Policy Directive 41. PPD-41 sets guidelines for how different parts of the executive branch should respond to a major cyberattack. Presidential policy directives are boring reads, and bureaucratic planning rarely gets the media’s motor going, so PPD-41 largely flew under the radar in Washington. Moscow, however, almost certainly interpreted PPD-41 as the administration’s response to the DNC hack. Usually classified, PPDs are meant as significant statements of policy. PPD-41 was probably only the sixth such document issued by the White House in 2016 and the first to be published as unclassified.

Furthermore, PPD-41 is not guidance for a run-of-the-mill cyberattack. It sets forth how the federal government should respond to the Big One, to a digital Pearl Harbor, the sort of attack ostensibly unforeseen until then.

From the PPD: “While the vast majority of cyber incidents can be handled through existing policies, certain cyber incidents that have significant impacts on an entity, our national security, or the broader economy require a unique approach to response efforts.” Moscow must have seen in these words a capitulation in response to public political meddling: Less than a week earlier, Russian leaks had created havoc at the DNC, yet here the White House was implying that such an effort did not rise to the level of a significant incident. What would a “significant cyber incident” be, if the Kremlin could hack the president’s political party and face no serious retribution?

Again, from the PPD: “A significant cyber incident” is one “that is (or [a] group of related cyber incidents that together are) likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.” Viewed against the backdrop of the previous three years, that was like waving a red cape in front of Russia, now more bull than bear. Russia had escalated its campaign considerably with the DNC leaks, and the White House had failed to respond. Indeed, the White House had declared as a matter of policy that Russian cyber operations to date were not “significant.”

To make matters worse, the directive’s assignment of bureaucratic responsibility prevents the federal government from undertaking expeditious and effective countermeasures. PPD-41 puts the Justice Department in charge of any “response” to a major cyberattack, ostensibly because the FBI has jurisdiction over enemy activities in the U.S. Cybersecurity is beset with tricky jurisdictional questions. Are Minsk-based hackers conducting activities in the U.S. if they attack entities in America from abroad?

Worse still, the FBI lacks a counteroffensive mandate. In other words, PPD-41 lays out an investigate-first, report-second, act-third approach. It stipulates that the executive branch formulate a proportional response, of which Justice gets to determine the efficacy, scope, and pace — a process that would take weeks or even months. The Defense Department is excluded from the White House’s new cyber policy, forcing the federal government to respond to the recent, unprecedented cyberattack without most of its offensive capacities. By way of analogy, imagine that the response to a hostile power’s shooting down an airliner were an investigation by the National Transportation Safety Board.

Responding to a new kind of attack with celerity would require an act of Congress. Alternatively, the White House could simply ignore its own policy, but in that case, why have PPD-41 at all? Why publish it without any restrictions?

The Russians did not keep Clinton out of Wisconsin. They did not prevent her from visiting union halls in Michigan. No Russian apparatchik made Clinton campaign listlessly in the last two months of the race. Yet the fact remains that the intelligence services of a rival power interfered in a U.S. presidential election, unafraid of the incumbent’s wrath.

President-elect Trump should be mindful of the problem as he prepares for his administration. Initial signs are good. He talks up cybersecurity: During the campaign, his website even featured cybersecurity as one of his top two policy objectives. This attention is laudable, and long overdue. He should ignore the petulant whining of Democrats and address the issue first by overhauling PPD-41.

The ricketiness of our cyber infrastructure is real, and the next administration must take serious, focused steps toward correcting it. A technological patch will not fix our problems. We cannot buy our way out of it. America needs a coherent doctrine, a credible digital deterrent, and a comprehensive administrative overhaul. That requires an engaged president and an electorate unwilling to tolerate foreign interference. The next president can do a great deal to make sure we have both.

– Mr. Thompson is a partner at the Applecart political consultancy.