As the administration of U.S. President Barack Obama begins to wind down, much of Washington’s national security community is working to deliver the next president with fresh ideas on cybersecurity. No matter what these groups recommend, the next president would do well to recognize that the Obama administration has found what is likely the only workable strategy: making it a private sector responsibility.
A recent poll found that cybersecurity ranks second only to terrorist attacks on a list of U.S. security fears. This anxiety, and the frequency of data breaches, has made it easy to forget that the benefits of Internet connectivity far outweigh the risks that businesses and governments face from cyberattacks. The Obama administration’s approach to cybersecurity has focused on preserving and extending the Internet as a platform for increased efficiency, economic transactions, and the exchange of ideas. Although cyberthreats pose real risks, any workable approach to cybersecurity must address these problems in ways that increase the value of the open and innovative Internet. Solutions that focus on putting the military in charge of cybersecurity or on creating borders in cyberspace would harm the digital economy more than they would help. Realizing this, the White House has focused on helping the private sector protect itself rather than trying to make cybersecurity a government responsibility.
DO NO HARM
As appealing as it might seem for Washington to take cybersecurity responsibilities out of the hands of private enterprise, the costs and consequences of an expanded government role would do more harm than good. Few private sector executives like the idea that they are responsible for securing their own networks and data, especially against foreign militaries and intelligence agencies. Effective cybersecurity is costly, and defense against foreign agents appears, on the surface, to be a government task. But making cybersecurity a government responsibility would come with a set of costs that far outweigh the benefits.
When U.S. banks were attacked by Iran in 2013, they pressed Washington to intervene. They wanted the government to either block the attacks before they could reach their intended targets or direct U.S. Cyber Command to carry out a counteroffensive that would shut down the attacking computers. For both technical and legal reasons, the U.S. government did neither; instead, the White House opted for a more limited approach. The Department of Homeland Security coordinated remediation, collecting information from the banks on which computers were attacking them and passing this information on to Internet service providers in the United States so they could notify any of their customers whose computers had been unwittingly used in the attack. Meanwhile, the Department of State asked foreign governments to do the same thing overseas.
The Iranian attack caught the banking industry’s attention but failed to inflict any long-lasting harm. The government helped mitigate the attacks, but it was the private sector that ended up solving the problem. Once the banks understood that the government was not going to act, they invested in measures to be able to withstand the attacks on their own. Had the government heeded the calls to take more aggressive action, U.S.–Iranian relations would likely have worsened and the future of the Internet as a civilian domain might be in jeopardy.
Washington’s restraint proved prescient. The attacks were likely intended to provoke a response, but Washington effectively shrugged them off and instead focused on the Iranian nuclear deal. If Washington had escalated the issue, the deal could have died. It also would have set a dangerous precedent, making the U.S. government responsible for protecting the private sector in cyberspace. Instead, the administration’s handling of the incident sent a clear signal to the private sector that companies were fundamentally responsible for protecting their own assets and systems in cyberspace, with government acting in a supporting role.
The Obama administration approached later attacks, such as the Sony Pictures hack by North Korea in 2014 and federal agency breaches in 2014–15, in largely the same way. The overall policy has been to emphasize network defense over escalation, handling cyberthreats in ways that do not fundamentally harm the Internet’s place as an open network run by the private sector for consumers and businesses. More aggressive approaches, once advocated by the banks, would take the future of the Internet in a different, more harmful, and less open direction.
The idea of using the military’s offensive capability has a lot of surface-level appeal, but in reality, a heavy-handed approach would do more harm than good. Foreign hackers tend to take control of computers outside their own countries, in Europe or the United States, for example, to hide their location and take advantage of faster Internet speeds and more powerful servers. Therefore, ordering U.S. Cyber Command to take down a botnet might mean launching operations against commercial targets in Canada, Germany, and France, not to mention within the United States itself. This would be an unreasonable action against U.S. companies and could constitute an act of war if done outside the country.
Giving the government the ability to block malicious traffic would be equally harmful. The United States’ borders in cyberspace are open. To police them, Washington would need to build a system that inspects every packet of data, doing away with privacy in the process. This would require traffic to travel unencrypted throughout the country—a move that would be counterproductive for cybersecurity. Given the current debate on encryption in the United States, it is all but unthinkable that the American people would allow real-time, ubiquitous, and warrantless searches of their Internet traffic for the sake of security.
Although the Obama administration has pushed cybersecurity responsibilities to private companies, it has not abandoned them entirely. Michael Daniel, the president’s cybersecurity coordinator, has made clear that although private companies are responsible for their own network defense, the government will provide support by conducting law enforcement investigations, sharing information, exerting diplomatic pressure, issuing sanctions, and taking military action against nations when necessary. The administration has also focused on helping companies protect themselves.
Obama has directed federal agencies to share information on threats, creating a critical mass of information that is hard for companies to ignore. Agencies have taken steps to ramp up sharing of classified information and to get this information into network defense systems. The president also directed the National Institute of Standards and Technology to work with the private sector to develop the Cybersecurity Framework, a common set of cybersecurity best practices, which was finalized in 2014. Adherence to the framework is voluntary, but it has become a de facto standard of care. Independent regulators at federal and state levels now use it to assess the security of companies they regulate. In turn, companies are using it to justify the investments and operational decisions they make.
Investment in cybersecurity has increased by nearly five percent over 2015; the market for cybersecurity products is currently valued at $75 billion. And the insurance industry, with prompting from the Department of Homeland Security, now writes policies to cover losses due to cybercrime and requires policyholders to implement best practices.
Obama’s approach provides a platform for the next administration to build on. His successor must work with Congress to encourage companies to deepen their security investments. Once a company takes these threats seriously, it can take four or five years to rebuild its systems securely. These upgrades require large up-front investments and are costly to maintain. Given that many companies are targeted merely because they are based in the United States, Washington should consider offering financial incentives to help offset these expenditures. The government could create tax breaks for both investments in cybersecurity and cooperation with the federal government to help ease this financial burden. Congress should also consider developing a federal insurance backstop that would provide expanded coverage at lower cost to companies that make prudent security investments. The next administration must also do more to tighten coordination with the private sector, and put more attention on bringing federal agency security up to the level now found within financial institutions.
These steps will not make cybersecurity challenges go away. That would require remaking the Internet as we know it into something more controlled and less open, innovative, and efficient, which would end up costing society far more than cybercrime does today. On cybersecurity, there are only bad options. The Obama administration has found the least bad one. The next administration should be wary of departing from the path that Obama has paved for it.