excerpt from my book on technology, terrorism, and
DHS, tentatively titled "Skating on Stilts." (If you want to
read the excerpts in a more coherent fashion, try the categories on the
right labeled "Excerpts from the book." I'm afraid I can't fix the bug
in TypePad that prevents me from putting them in the category in
reverse-chronological order, but I have started putting chapters up in
pdf form from time to time.) Comments and factual quibbles
are welcome, either in the comments section or by email:
firstname.lastname@example.org. If you're dying to order the book, send
mail to the same address.
By the time we were done putting the report together, I realized, we hadn’t just touched the third rail. We were tapdancing on it. By candidly treating the end of online anonymity and the adoption of tough security regulation as options, we were goring some of the noisiest oxen in Washington.
Well, what the hell, I thought. Maybe the time was right for a reconsideration of security regulation, especially after the hodge-podge the states were making of the issue.
I was wrong.
Memories of Dick Clarke’s fate were too fresh, and by mid-2008 the Administration was running out of time. I showed a draft of the report to the front office and sent the Homeland Security Council a copy. Not much later I got a call. The Council didn’t want to even raise regulation as an option in the interagency discussions. They feared that industry and Congress would kill the little progress that had been made if regulation was even treated as an option. In fact, they wanted to bury the report. Instead of thinking about the future, they’d focus only on tasks that could be done in the waning months of the Bush Administration.
It was disappointing but I understood. Chertoff, who'd been a rock in other disputes, was now focused only on fights he could win and changes he could implement in six months or less. And we had reached that point in an administration where accomplishing even the simplest and most obvious tasks had become nearly impossible. Energy was draining out of the Bush team, and what remained was soon focused on a cascading financial crisis that left no time for next year’s threats.
I thought that there might be value in letting the Obama administration consider these issues without explain that it was reviewing options proposed under President Bush. The new administration might have more leeway to consider the attribution and regulation issues with an open mind.
I was wrong about that too.
The Obama administration brought a flurry of energy and determination to the problem. As well it should have. Barack Obama and John McCain, after all, had been the first presidential candidates whose campaign networks were systematically penetrated and exploited by foreign intelligence-collectors. And candidate Obama had pledged that cybersecurity would be a top national security priority in his administration. Nevertheless, the new Administration's resolution seemed to waver within weeks of the inauguration.
The new administration did produce a cybersecurity strategy only a few months into the term, but White House watchers learned a lot from what it said and how it was edited. The draft was reportedly produced on the schedule set by the President – within sixty days of his request. But it didn't go to him on that schedule. Instead, it went through a new set of edits, as office after office protected itself, its prerogatives, or its constituencies by removing controversial passages.
The result was mostly pabulum. Pabulum of a sort that would have been familiar to the Clinton and Bush White Houses, of course, since they too had blinked when faced with hard choices over cybersecurity.
For example, the strategy recognizes that improving authentication of people and machines is a key to improving cybersecurity. While much of its attention is focused on just making sure that federal networks can properly identify users, it acknowledges as a goal the creation of a “global, trusted eco-system” that could form the basis of a secure network. But it call for that system to be built by working with “international partners” and by building an ecosystem that is seen to protect “privacy rights and civil liberties.” Hard experience tells us that if building a secure network depends on the full support of the international and privacy communities, it will never happen.
Business too was fully protected from the specter of security regulation in the Obama administration's strategy document, which mentioned regulation just once – to declare that it would be considered only “as a last resort.”
By the time the editing was done, Washington knew that nothing dramatic would come from the cybersecurity initiative – or the new cybersecurity coordinator job the President had announced with fanfare. Indeed, the position remained unfilled until the end of 2009.
Three Presidents in a row had tried to change course and head off the worst consequences of Moore's law for our national and personal security.
All three had failed.
The privacy and business lobbies that guard the exponential status quo had defeated them all.