President Obama ought to invoke the cyber equivalent of the Monroe Doctrine to repel rising Internet attacks against America.
So testified Oracle’s tough-talking Chief Security Officer, Mary Ann Davidson, at a Congressional hearing today.
History refresher: Back in 1823, President James Monroe decreed that any attempt to extend foreign political systems onto U.S. soil would be considered an act of aggression requiring U.S. intervention. Simple as that. Monroe sought to repel European imperialists bent on colonizing chunks of the tenuously-governed Americas.
It worked. The Monroe Doctrine became a key tenet of U.S. foreign policy invoked by Calvin Coolidge, Herbert Hoover and John F. Kennedy.
Fast forward to 2009: Foreign cybercrime lords are colonizing U.S. computers and networks with impunity, due to the tenuous state of cyber defenses.
“We are in a conflict, some would call it war,” Davidson testified before the House Subcommittee on Emerging Threats, Cybersecurity, Science & Technology. “Let’s call it what it is. Given the diversity of potentially hostile entities building cadres of cyberwarriors, probing our systems for weakness, infiltrating government networks and making similar attempts against businesses and critical industries, including our defense systems, is there any other conclusion to be reached?”
A call to defend U.S ‘cyberturf ‘
The hearing was held to get a mid-way status report of a 60-day review of U.S. cybersecurity policy being conducted by management collaboration expert, Melissa Hathaway.
“The advantages of invoking a Monroe-like Doctrine in cyberspace would be to put the world on notice that the US has cyberturf, and that we will defend our turf,” Davidson testified. “We need to do both — now.”
Davidson’s call to arms was reinforced by testimony from David Powner, GAO’s director of IT management issues; Scott Charney, Microsoft Vice President of Trustworthy Computing; Jim Lewis, director of the Center for Strategic and International Studies; and Amit Yoran CEO of security firm NetWitness.
The experts delivered a wide range of proof points showing how American citizens, businesses and governments have been under rising cyberattacks for several years.
Yoran, a former senior official in the Department of Homeland Security, testified that the U.S. has been “experiencing a 9/11 in cyber attacks” for a number of years. “Because there is no visible catastrophic outcome, we lie in bed at night asleep without realizing how much damage is being done.”
Underscoring this Last Watchdog investigation of corporate intrusions, the GAO’s Powner noted that foreign nations and criminals are targeting organizations “to gain a competitive advantage and potentially disrupt or destroy them,” and also pointed out “that terrorist groups have expressed a desire to use cyberattacks as a means to target the United States.”
Truly comprehensive plan needed
The experts agreed that there is a dire need for a truly comprehensive cyber security plan – one that involves public/private partnerships and global cooperation.
One of the top recommendations of the CSIS bi-partisan commission that spend more than a year culling cybersecurity ideas to deliver to the 44th president was a call for regulation. The private sector “will never deliver adequate security and the government must establish regulatory thresholds for critical infrastructure,” testified Lewis, CSIS director and senior fellow.
Charney, the Microsoft executive and a co-chair of the CSIS bi-partisan commission, cautioned that regulation must be carefully “tailored.”
“Finding the required balance will be difficult,” said Charney. “But if we fail to use regulation to improve our national cybersecurity, if we do not identify mandatory actions to secure the digital infrastructure, the Obama administration will have no more success than any of its predecessors.”
The experts also were unanimous about there being a singular entity best-suited to shaping and implementing such a plan: the White House.
“Only the White House has the authority to bring many large and powerful agencies to follow a common agenda and to coordinate with each other,” said Lewis. “The White House and only the White House can set strategy and policy, ensure that agencies are following them and resolve agency disputes.”
Beckstrom acknowledged
Attending the hearing was Rod A. Beckstrom, who just resigned from a key cybersecurity post in the Department of Homeland Security. Co-author of a best-selling management book, The Starfish and the Spider, Beckstrom could not escape smothering controls put on him by the National Security Agency.
Rep. Bennie Thompson D-Miss., and Rep. Yvette Clarke D-New York, acknowledged Beckstrom. Clarke called Beckstrom’s resignation “an unfortunate loss.” Thompson made note of “ineffective leadership, unclear organizational structure and poorly defined roles” demonstrated by federal agencies and corporations trying futilely to put up a cyber defense.
“I along with many of my colleagues were optimistic when Mr. Beckstrom was brought on to lead the National Cyber Security Center,” said Thompson. “He has organizational expertise. He has worked extensively with the private sector. But Mr. Beckstrom did not have experience working miracles. ”
–Byron Acohido
Portrait of James Madison
Photo of Mary Ann Davidson
Nice work Byron. If only we had the kinds of power in cyberspace that Monroe could count on in meat space way back when. Should we itch for a fight that we may have a hard time dominating? I am a software security scientist and advisor/consultant to many large multi-national corporations. Every once in a while, one of “us†comes along and gets involved in cybersecurity in Washington (you go Amit), but we don’t seem to stick. The latest casualty happened this week. http://www.technewsworld.com/story/Political-Turf-Wars-Drive-Out-US-Cybersecurity-Chief-66431.html As I say in the article above, I’d like to see the Obama administration take a… Read more »
Interesting thought re. the Monroe Doctrine. But how do we enforce it? It was relatively simple with the Monroe Doctrine — use military force (the Spanish American War being the most vivid example). Do we go to war over cyberattacks? Or do we respond with our own cyber counterattacks? Do we hold governments accountable for the activities of their criminal groups? A doctrine needs teeth to work or it’s just posturing, and I’m not sure how this thing ever gets teeth.
Interesting article Byron. Monroe had the advantage of a powerful meat space army to back up his territorial claims. I am not sure we have the same capabilities as a nation when it comes to cyber security. I am a software security advisor/consultant to many large multinational companes. Every once in a while, one of “us†comes along and gets involved in cybersecurity in Washington (you go Amit), but we don’t seem to stick. The latest casualty happened this week. http://www.technewsworld.com/story/Political-Turf-Wars-Drive-Out-US-Cybersecurity-Chief-66431.html As I say in the article above, I’d like to see the Obama administration take a leadership role in… Read more »
Andy:
You’ve hit upon some profound questions that should be discussed — and answered. Getting such questions out in the open is a good thing.
It will be crucial to see what Hathaway recommends on April 2, and how the Obama administration responds.
Byron
The call for a comprehensive national cyber security plan is right on, and I believe consumers can and should help make it a reality. My organization helps consumers recover from identity theft. Not surprisingly, people focus most on the risks that are closest to them. For consumers, that means identity theft, not the big picture challenges like the cyber crime that spawns identity theft. I hope we find ways to engage the public as supporters of America’s cyber security.
Anne
Certainly reflects a growing conversation on the lack of US Cyberdoctrine. The Lieberman/Collins report last month also focused on that:
http://www.thei3p.org/news/senate_report.html
Eric
Interesting concept. It is probably wothwhile to remember a couple of things about the Monroe Doctrine. The Monroe doctrine was issued in defense of the entire Western Hemisphere, not just the US. When the Monroe Doctrine was published the US didn’t have the muscle to back it up, it was more a statement of principle. The published doctrine set the stage to be invoked later when the US did have the power to do so. So with that in mind, we probably do need a similar statement of national doctrine of self defense, and perhaps it should be more broadly… Read more »