Defense in the Information Age

US cybersecurity strategy faces an uncertain future in Washington while the private sector bolsters its ability to respond to cyber attacks


U.S. Air Force officers monitor a simulated test April 16 in the Central Control Facility at Eglin Air Force Base, Fla. They use the Central Control Facility to oversee electronic warfare mission data flight testing. April 16, 2008 (U.S. Air Force photo/Capt. Carrie Kessler/Wikimedia Commons)

In July 2011, the Department of Defense (DoD) issued a five-point strategic initiative, the first of which designated cyberspace as the fifth domain of warfare, joining land, air, sea and space.1 Recent events such as Target’s security breach, which resulted in the compromise of the personal data of over 70 million consumers and the resignation of CEO Gregg Steinhafel, highlight the vulnerabilities of even the largest, and supposedly best-defended, enterprises.

Cyber warfare, defined as espionage or sabotage conducted through politically motivated hacking, has existed as long as networked devices. In 1998, US officials discovered systematic unauthorized access to sensitive data at NASA, the Department of Energy, private research labs, and the Pentagon. The DoD traced the attacks to a mainframe computer in the former Soviet Union, although Moscow to this day denies any involvement.2 In 2003, cyber attackers gained access to the networks of several major US defense contractors, including Lockheed Martin.3 The SANS Institute, a US security company, determined two years later that the attacks were “most likely the result of Chinese military hackers attempting to gather information on U.S. systems.” In the decade since these two milestone incidents, known by their codenames Moonlight Maze and Titan Rain, networked systems have experienced order-of-magnitude growth. Over 80,000 pieces of malware are reported daily in the United States.4 Despite the best efforts of financial institutions and large corporations, defending against cyber warfare has never been so difficult.

Recent events have revealed that cyber attacks can come from various sources, including national governments, militaries, organized crime, or individuals. In March 2014, a group of unknown hackers installed a malicious piece of software in Target’s security and payments system designed to siphon customer data to a remote server. Over the course of two weeks, the hackers obtained 40 million credit card numbers and 70 million addresses, phone numbers, and other pieces of personal information that Target had been trusted by its customers to protect.5 Just a few days later, the tech world was rocked by the discovery of the Heartbleed Bug, an accidental mistake in the coding of the OpenSSL cryptography library – part of the backbone of the Internet. In this case, a concerned citizen reported the vulnerability; had it been exploited, an attacker could theoretically have decrypted the web traffic on 20% of the world’s servers.6

If cybersecurity was not in the national spotlight already, then these two events certainly pushed it in. The Pew Research Center reported that 39% of Internet users surveyed either changed at least one account password or shut down at least one online account to protect personal data as a result of Heartbleed media coverage.7

The private sector was similarly quick to respond. On May 9, General Electric (GE) announced its acquisition of the privately held company Wurldtech, a Vancouver-based leader in cybersecurity solutions for oil refineries and power grids.8 On May 14, Gap, JC Penney, Lowe’s, Nike, Safeway, and Walgreen’s partnered with a large group of other retailers (including Target) to launch the Retail Industry Leaders Association (RILA), an independent organization combining the cybersecurity efforts of private retailers with those of the Department of Homeland Security.9 Finally, private firms funded this year’s United States Cybercrime Conference – an annual gathering of hundreds of private-sector administrators and CISOs (Chief Information Security Officers) – instead of the DoD as is typical.10

There is little argument in Washington with the opinion that the government must now protect public infrastructure and sensitive national data at all cost. Homeland Security, in its 2013 year-end report, stated that it responded to 256 cyber invasion incidents last year, 151 of which occurred in the energy sector.11 The thought of hackers compromising energy grids, or troop configurations and weapon designs falling into the hands of a foreign military, is chilling. A repeat of Moonlight Maze or Titan Rain in 2014 could compromise America’s position in a number of domestic and international affairs.

But the rapid emergence of cyber threats elicits two difficult questions. One, what should be the role of the government in protecting private sector institutions against cyber attacks? Two, how will voters and policymakers balance the need for cybersecurity with their desire for online privacy?

In a 2009 speech, President Obama declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation” and that “America’s economic prosperity in the 21st century will depend on cybersecurity.”12 He commissioned a comprehensive review (entitled “Cyberspace Policy Review”) of the US government’s ability to defend information and communication infrastructure. The resulting report outlined a ten-point plan designed to accomplish two objectives: improving US resilience to cyber incidents and reducing the general threat of cyber attacks.13 The ten-point plan, like the two objectives it was supposed to accomplish, was vague and largely procedural. Its scope was limited to the appointment of officials, the creation of preparedness plans, the promotion of national awareness, and the creation of new international relationships.

In February 2013, the President urged Congress to pass a more comprehensive and action-oriented plan named the Cyber Intelligence Sharing and Protection Act (CISPA). CISPA’s aim is to help the US government investigate cyber threats and ensure the security of networks against attacks.14 Introduced in 2012, the bill has twice passed the House and twice failed to pass the Senate due to concerns over a lack of civil liberties safeguards. Dozens of Internet privacy activist organizations have decried the bill for its failure to provide specificity on when and how the government can monitor an individual’s browsing history. Ron Paul (R-TX) labeled the bill “Big Brother writ large.”15

Recent reports from Capitol Hill suggest that Intelligence Committee Chair Dianne Feinstein (D-CA) and Ranking Member Saxby Chambliss (R-GA) have drafted a new piece of cybersecurity legislation currently being circulated for comment. Yet, the stated aim of the bill sounds too similar to that of CISPA to have a chance of passing the Senate. The new bill’s goal is reportedly to “allow companies to monitor their computer networks for cyber attacks, promote sharing of cyber threat information, and provide liability protection for companies who share that information.”16

Two new proposals have also been introduced in the Senate. The first, proposed by John Thune (R-SD), would allow the Federal Trade Commission to punish companies retroactively for failing to adopt “reasonable” data security practices and would preserve Congress’s authority to determine what those security practices should be.17 The second, proposed by Jay Rockefeller (D-WV), would give the Federal Trade Commission (FTC) legislative authority to set cybersecurity standards, removing Congress’s authority altogether.18

Given the rapidly increasing threat that cyber attacks pose and Congress’s relative lack of cybersecurity knowledge compared to the FTC, Rockefeller’s plan seems more reasonable. But the past history of the Senate’s concern for privacy indicates that neither bill will garner enough votes to pass.

The unfortunate reality for cybersecurity policy is that online security is simply not a top priority for enough Americans. Edward Snowden’s unauthorized disclosure of the PRISM program profoundly altered the public psyche toward online privacy, creating a largely irrational belief among many technology users that the government should not have a right to ensure maximum cyberspace security with their personal data. In CISPA’s case, people seem to value the privacy of their Internet browsing histories alone over the reduction of imminent cyber threats. Given Washington’s inability to pass legislation promoting cooperation between the private sector and the government, and that its chief responsibility is to ensure the security of nationwide systems and government facilities, individual companies are beginning to realize that the security of private sector networks is their prerogative alone.

Evidence suggests that the private sector is up to the task. In April, the National Retail Federation, a trade association comprising both independent and chain retailers, established the Information Sharing and Analysis Center, which links the threat data of all member retailers and shares anonymized data with the US government.19 The steps of GE in protecting its infrastructure through the acquisition of Wurldtech will bolster private sector confidence in the value of cybersecurity and will dispel fear that the return on investment of protecting critical information is outweighed by its cost.

In the coming years, companies will need to focus their efforts in these areas:

1. Transitioning the chief objective of cybersecurity from preventing attacks to reacting quickly and determining their source. Given the difficulty of predicting hacker behavior and the inevitability of eventual breaches, companies must develop robust internal programs that can destroy cyber attacks before they do damage. Target’s shortcoming was not its failure to prevent a breach, but rather its failure to act swiftly once it diagnosed the problem.20 The post-mortem investigation showed that Target’s systems set off unmistakable red flags, yet officials waited several days before acting on the information. Had they responded immediately, the stolen data would never have made it to the hacker’s servers.

2. Holding third-party providers to a higher standard. Most major company data breaches come through third-party service providers rather than through the company’s infrastructure. Data security is inconsistent across platforms and industries, and companies need to subject all of their partners and contractors to rigorous stress tests to ensure that attackers have no easy entry points.

3. Building stronger relationships with the government and the police so that attackers can be prosecuted. Regardless of what legislation is passed in Congress, the government’s role in cybersecurity should include, at a minimum, the vigilant pursuit of known cyber marauders.

While the burden may seem to fall hard on private sector companies today, the government will eventually pass definitive and meaningful legislation. The political climate toward national cybersecurity is simply too charged for a bill not to pass at some point in the next few years. The Pentagon’s annual reports to Congress have become increasingly direct in their condemnations of national militaries and governments. The 2012 report openly accused both the Chinese government and the People’s Liberation Army of propagating cyber attacks against the United States in a deliberate attempt to “gain strategic advantage.”21 The government is aware of the grave threat posed by cyber attackers; it now needs to match its rhetoric with legislation and action. Although largely symbolic, the Justice Department’s May 19 indictment of five members of the Chinese People’s Liberation Army for hacking into US networks was a step in the right direction. The hackers allegedly compromised the networks of Westinghouse Electric, the US Steel Corporation, and several other private companies. Attorney General Eric Holder Jr. stated that these actions crossed the line because the government commissioned covert actions for the purpose of gaining a commercial advantage, not for advancing national security.22

Nonetheless, it is not and should never be the government’s responsibility to ensure the full security of private sector networks. For the sake of both national security and auxiliary benefits to individual companies – such as liability protection after security breaches in exchange for sharing data with the government – Washington should still attempt to pass legislation that will improve cooperation between the private and public sectors. Perhaps the upcoming midterm elections will yield a Congress more appropriately focused on pushing a cybersecurity bill into law. If the Senate, as well as the American public, can realize the relative importance of national cyber attack preparedness over the disclosure of personal user data to the government, then US cybersecurity strategy may have a promising near-term future.


The views expressed by the author do not necessarily reflect those of the Glimpse from the Globe staff and editorial board.


Works Cited


1. U.S. Department of Defense. “ Special Report.” 12 June 2013.

2. Drogin, Bob. “Russians Seem to be Hacking into Pentagon / Sensitive Information Taken.” SFGate. 7 October 1999.

3. Lewis, J.A. “Computer Espionage, Titan Rain, and China.” Center for Strategic and International Studies. December 2005.

4. Proofpoint. “Upwards of 80,000 malware breaches a daily problem.” ThreatInsight. 19 March 2014.

5. Kash, Wyatt. “Retail Breaches Bolster Interest in NIST Cyber Security Conference.” InformationWeek. 15 May 2014.

6. Yadron, Danny. “Massive OpenSSL Bug ‘Heartbleed’ Threatens Sensitive Data.” The Wall Street Journal. 8 April 2014.

7. Rainie, Lee and Maeve Duggan. “Heartbleed’s Impact.” PewResearch Internet Project. 30 April 2014.

8. Lee, Richard. “GE purchase of Wurldtech focuses on cybersecurity.” 14 May 2014.

9. Gagliordi, Natalie. “Target, JC Penny among new ragtag retail cybersecurity team.” ZDNet. 15 May 2014.

10. Tobias, Marc Weber. “Your Cybersecurity: Don’t Count on the Government.” Forbes. 12 May 2014.

11. National Cybersecurity and Communications Integration Center. “Trends in Incident Response in 2013 Overview.” ICS-Cert Monitor. 14 February 2014.

12. Office of the Press Secretary. “Remarks by the President on Securing our Nation’s Cyber Infrastructure.” The White House. 29 May 2009.

13. The White House. “Cyber Security.”

14. Whittaker, Zack. “Obama’s cybersecurity executive order: what you need to know.” ZDNet. 13 February 2013.

15. McCullagh, Declan. “Opposition grows to CISPA ‘Big Brother’ cybersecurity bill.” Cnet. 23 April 2012.

16. Dianne Feinstein: United States Senator for California. “Feinstein, Chambliss Statement on Cybersecurity Information Sharing Bill.” 30 April 2014.

17. Martinez, Jennifer. “Senate Commerce panel approves cybersecurity bill.” The Hill. 30 July 2013.

18. Sasso, Brendan. “Rockefeller to offer cybersecurity amendment to Defense bill.” The Hill. 21 November 2013.

19. Higgins, Kelly Jackson. “Dual Retail Cyberthreat Intelligence-Sharing Efforts Emerge.” InformationWeek. 15 May 2014.

20. Riley, Michael, Ben Elgin, Dune Lawrence, and Carol Matlack. “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It.” BloombergBusinessWeek. 13 March 2014.

21. Sanger, David E. “U.S. Blames China’s Military Directly for Cyberattacks.” The New York Times. 6 May 2013.

22. Schmidt, Michael S. and David E. Sanger. “5 in China Army Face U.S. Charges of Cyberattacks.” The New York Times. 19 May 2014.

A Look Back at Snowden in the Press


NSA HQ, Fort Meade, Maryland. NSA [Public domain], via Wikimedia Commons

Here’s a worthwhile thought exercise: considering China and the United States only, which state’s media would be the most aggressive in criticizing a foreign government for suppressing individual liberty and stifling free domestic press coverage? Before the Edward Snowden case, the United States would likely be the answer. Interestingly, when articles from China Daily, People’s Daily, and the New York Times are examined, a distinctly different narrative emerges. The Snowden case has provided the Chinese media with a golden opportunity to champion individual liberties and criticize US surveillance policies. Conversely, the US press coverage has been more reactionary, framing the Snowden case as a statist US-China confrontation rather than a domestic political debate gone global.

The reaction of the Chinese press has focused on the controversial NSA policies illuminated by the Snowden files; US press coverage instead covered the reactions of the Chinese and Hong Kong governments. “Surveillance programs reveal U.S. hypocrisy,” reads the headline of a June 14, 2013 article from the People’s Daily – the word “hypocrisy” is borrowed from a Snowden quote referenced in the article. Calling for a “serious self-examination” of US government policies vis-à-vis the NSA, the article deftly uses American voices to construct its argument, citing comments from The New Yorker and USA Today. This stands in diametric opposition to comments from the American press that automatically regard Chinese press criticisms of American policies as party-line rhetoric, or, as New York Times columnist Joe Nocera writes, “another classic response.”

The dichotomy should be clear; Chinese media emphasizes the theme of liberty and ethics while US coverage of Snowden attempts to shift the debate to one of security. Nocera’s piece addresses the problem of US cyber espionage policy, linking it to China’s own cyber espionage programs and noting that the Snowden scandal will make it “far more difficult to force the Chinese to get serious about stopping their own hacking.” This commentary remains firmly grounded in the ideological camp which condones hacking behavior. Chen Weihua of the China Daily takes a far more comprehensive view, asking:

In the US, (…), the discussion in the mainstream media is often limited to whether the surveillance program has violated US citizen’s rights. Very few seem to question whether such invasive surveillance programs on governments, institutions and citizens of other countries are legal or, for that matter, ethical.

Mr. Weihua’s article presents solid evidence to back this claim; evidence that is noticeably absent in Nocera’s discussion. Meanwhile, the US media response underscores the vast gulf in tone and substance between Chinese and American reporting surrounding the Snowden case. Indeed, rather than addressing the criticisms raised by the Chinese press, an article in the New York Times simply dismissed the Chinese media response as “snide.”

While both the US and Chinese press considered the Snowden imbroglio within the US-China diplomatic frame, US commentary has consistently played up a confrontational tone between the two states. The Chinese media response has not been beyond reproach in all areas. In fact, the Chinese have overlooked their cyber espionage capabilities by waving the bloody shirt, noting, “the United States has a matchless superiority and ability to launch cyber attacks around the globe.” Fact: the United States has met its cyber match with China. Regardless, press coverage on both sides viewed the governments as having a monopoly on decision-making power.

The Snowden case has provided the Chinese media with the rare opportunity to levy ethical, moral, and policy criticisms against the United States. It is disheartening to see that the Snowden coverage in major American newspapers lacks the moment of national self-reflection that Snowden likely hoped to unleash by releasing the NSA files. Both China and the United States carry a clear policy bias; however, coverage of the Snowden case gets at the broader theme of how globalization does guarantee that no two international takes on one story are the same.

On America’s “Culture of Leaks”


Those individuals who believe Edward Snowden is a hero who exposed Big Brother should think twice. It may be easy to support an increasingly popular culture of Internet leaks and freedom of information for all things sensitive, but it is more difficult to examine the long-term consequences and implications of Snowden and other leakers’ actions for U.S. national security. While leaking has occurred long before Snowden and Manning, a new culture of internet freedom in which every tech-savvy person can be a world hero by disclosing government secrets seems to be growing in the U.S. I am very wary of this misguided “culture of leaks.” The leaking of sensitive information, even if well-intentioned, exposes some of our nation’s most sensitive sources and methods to terrorist organizations and foreign intelligence services, which makes us all less secure.

Let’s start with Snowden. This man did not merely blow the whistle, he trumpeted a storm. Snowden could have chosen to carefully release only the documents that succinctly showed violations of NSA surveillance policy and a potential overstepping of government surveillance, but instead he opted to flee to Russia and Hong Kong with multiple computers filled with highly-classified NSA security programs and other sensitive data. I am still dumbfounded that a man who preaches privacy and freedom would scurry away to Russia, one of the most oppressive great powers in the world today. In addition to this highly questionable circumstance, Snowden’s seemingly indiscriminate release of sensitive information cost the U.S. government dearly in research and development, resulted in a loss of international prestige, turned attention away from regimes that actually oppress their people, and damaged U.S. national security capabilities. Responsible whistleblowing takes restraint, thoughtful planning, and thorough exhaustion of internal channels, standards that are seemingly absent from Snowden’s actions.

Now that we understand Edward Snowden is no Deep Throat, I want to touch on Wikileaks, one of the biggest players on the receiving end of our leak culture. I am astonished that an organization dedicated to the mass transmission of our state secrets to all peoples and governments commands respect among so many fellow citizens. If these were the days of the Cold War when America faced the more discernable threat of a nuclear-armed “Evil Empire,” I doubt as many Americans would be supportive of a global databank of U.S. sources and methods ripe for the picking. My generation seems to forget that it is not just terrorists in the Middle East that threaten our national security, but also foreign governments. Just about every competent nation is constantly seeking to penetrate our private industry and government to steal sensitive trade information and government secrets. Indeed, there is no such thing as a “friendly” intelligence service. These foreign intelligence services and hostile transnational groups have already scoured Snowden’s leaked data and have adjusted their methods accordingly. I would not be surprised if Snowden was already debriefed by Russian intelligence officers. U.S. citizens should be more wary of global institutions that eagerly await more leakers to approach them for “assistance.” Organizations like Wikileaks, unlike the Intelligence Community, do not have a loyalty to our country and are working to further their own interests, which can vary from world fame to fulfilling certain ideological goals.

As Snowden relaxes and drinks Russian vodka at a dacha (cottage) near Moscow, U.S. national security professionals are in damage control mode. Now more than ever, our adversaries have a better understanding of how our national security apparatus operates and have adapted their operations accordingly. These groups include both terrorist cells that are constantly planning to attack U.S. and Allied targets, as well as foreign intelligence services that seek to steal our industry trade secrets and sensitive government information to gain an economic, political, and military edge. Indeed, I would be very hesitant to readily praise Snowden, Manning, Anonymous, and other distressing groups or individuals. As a concerned citizen, it’s up to you to counter this malice with two easy actions. First, read a few books and/or articles about our security services and the threats facing our country to gain a more complete understanding of current global challenges and the proper function of our Intelligence Community. To start, I would personally recommend Intelligence: From Secrets to Policy by Mark Lowenthal and a student subscription to The Economist. Second, and most importantly, consider finding ways to become involved in our government in order to responsibly facilitate the improvements you may wish to enact. This involvement could range from grassroots advocacy activities such as writing letters to your Congressman to interning for an Executive branch agency, an NGO/think tank, or Congress. We should not have to wait for unlawful and misguided security leaks for calls to activism and civic involvement. Our generation needs to make a more robust effort to become involved in the governmental process, and perhaps even work directly for the institutions that run our government in order to face these challenges. Our country deserves no less from our generation, and mere armchair activism via social media will not suffice.

Don’t Waste Your Crises, Mr. President

“You never want a serious crisis to go to waste,” counseled President Obama’s first Chief of Staff, Rahm Emanuel, in early 2009.

Although many Republicans, still recovering from their losses in the 2008 Election, seized the advice as evidence of the Obama Administration’s secret intention of transforming the United States into an Orwellian nightmare, the quote itself is not unprecedented. Winston Churchill said something similar, and strategists across the ages have noted that when the status quo falls into chaos, the winners are those who seize what they can. Looking back on American history, it seems that the greatest Presidents used great conflagrations to their advantage, and the weakest Presidents bungled them. Abraham Lincoln and Franklin Roosevelt come to mind. Their presidencies coincided with the two deadliest threats in the country’s history: the Civil War in Lincoln’s case, and the Second World War in Roosevelt’s.

Conversely, the presidents directly before these legends have been remembered as failures. James Buchanan is remembered as the man who thought he would be the last President of the United States and failed to subdue the domestic unrest which ultimately culminated in the Civil War. Calvin Coolidge and Herbert Hoover are remembered for their isolationism in the time of the rise of Fascism, and their inaction when faced with the onset of the Great Depression.

But a Commander-in-Chief need not wait for apocalyptic upheavals to get a chance to prove his leadership. The nature of politics is such that the state is beset by constant crisis, with challenges approaching at all times and from every direction, including from within.

Most people would be hard-pressed to recount the foreign policy of Dwight Eisenhower. Yet the Sputnik controversy, the Korean Armistice, the Suez Crisis, and the U2 Incident all occurred on his watch, and Ike is generally remembered as one of the best – if not the least interesting – Presidents of the Twentieth Century. Perhaps Kennedy best exhibited good crisis management: following the failure of the Bay of Pigs Invasion, he deftly managed the Cuban Missile Crisis and is still one of the most popular Presidents in our history. Truman, Nixon, and Reagan assembled some of the best foreign policy staffs in American history, and are thus remembered for strong foreign policies.

Carter, on the other hand, is remembered as a better person than President precisely because of his crisis management – he bungled the Iranian Hostage Crisis, which was not necessarily a matter which threatened our territorial security the way previous crises had, but nonetheless posed a threat to our overseas interests and national prestige. Lyndon Johnson, another great man, dramatically increased America’s presence in Vietnam, yet failed to solve anything, and for that has been reviled among moralists and strategists alike. Perhaps most notorious has been George W. Bush; it is likely that his management of the War on Terror will leave him remembered as a warmonger and a generally incompetent leader.

We come, now, to the question of President Obama. How will he be remembered? If he continues to pursue a foreign policy akin to his first term, he will likely be remembered in the same harsh light covering Johnson, Carter and Bush.

The international system is entering a period of great change. The ongoing financial crisis is its economic manifestation, but the crisis itself goes beyond economics: class, technology, and the role of government all affect and are affected by the current developments. Meanwhile, new bases of power rise around a world which is politically more complex now than it has been since the late 1960s.

New challenges are on the horizon, and those who handle such situations well will go down as great statesmen. History remembers those who fare poorly as politicians. To his credit, President Obama did not emulate his predecessor’s adventurism, and by scaling back the Afghan and Iraqi wars has freed the American military from its former tied-down state. And the Bin Laden raid was, undoubtedly, the high point of his foreign policy.

But almost all of his administration’s major initiatives, from the Reset Button with Russia to the Asian “Pivot” to the New Beginning with the Muslim world, have been either poorly-informed ideas or only partly-successful policies. And the President’s crisis management, it seems, has been no better. As the Arab Spring toppled dictator after dictator, some of whom were American allies, inconclusive and contradictory statements emerged from the White House. The same pattern is visible now as the Syrian war drags on and an American intervention appears to loom closer. And although the President handled the recent North Korean crisis reasonably well, the unwise Libyan intervention has spawned countless unforeseen consequences, while Russia’s recent granting of asylum to Edward Snowden on the grounds of international law appears to be a diplomatic crisis in the making. It is unclear whether the President will handle the unknown crises awaiting him in the last years of his second term as a politician or a statesman.