excerpt from my book on technology, terrorism, and
DHS, tentatively titled "Skating on Stilts." (If you want to
read the excerpts in a more coherent fashion, try the categories on the
right labeled "Excerpts from the book." I'm afraid I can't fix the bug
in TypePad that prevents me from putting them in the category in
reverse-chronological order, but I have started putting chapters up in
pdf form from time to time.) Comments and factual quibbles
are welcome, either in the comments section or by email:
[email protected]. If you're dying to order the book, send
mail to the same address.
By the time we were done putting the report together, I realized,
we hadn’t just touched the third rail. We were tapdancing on it. By candidly
treating the end of online anonymity and the adoption of tough security
regulation as options, we were goring some of the noisiest oxen in Washington.
Well, what the hell, I thought. Maybe the time was right for a
reconsideration of security regulation, especially after the hodge-podge the
states were making of the issue.
I was wrong.
Memories of Dick Clarke’s fate were too fresh, and by mid-2008 the
Administration was running out of time. I showed a draft of the report to the
front office and sent the Homeland Security Council a copy. Not much later I
got a call. The Council didn’t want to even raise regulation as an option in
the interagency discussions. They feared that industry and Congress would kill
the little progress that had been made if regulation was even treated as an
option. In fact, they wanted to bury the report. Instead of thinking about the
future, they’d focus only on tasks that could be done in the waning months of
the Bush Administration.
It was disappointing but I understood. Chertoff, who'd been a rock
in other disputes, was now focused only on fights he could win and changes he
could implement in six months or less.
And we had reached that point in an administration where accomplishing
even the simplest and most obvious tasks had become nearly impossible. Energy was draining out of the Bush team, and
what remained was soon focused on a cascading financial crisis that left no
time for next year’s threats.
I thought that there might be value in letting the Obama
administration consider these issues without explain that it was reviewing
options proposed under President Bush. The new administration might have more
leeway to consider the attribution and regulation issues with an open mind.
I was wrong about that too.
The Obama administration brought a flurry of energy and
determination to the problem. As well it
should have. Barack Obama and John
McCain, after all, had been the first presidential candidates whose campaign
networks were systematically penetrated and exploited by foreign
intelligence-collectors. And candidate
Obama had pledged that cybersecurity would be a top national security priority
in his administration. Nevertheless, the
new Administration's resolution seemed to waver within weeks of the
The new administration did produce a cybersecurity strategy only a
few months into the term, but White House watchers learned a lot from what it
said and how it was edited. The draft
was reportedly produced on the schedule set by the President – within sixty
days of his request. But it didn't go to
him on that schedule. Instead, it went
through a new set of edits, as office after office protected itself, its
prerogatives, or its constituencies by removing controversial passages.
The result was mostly pabulum.
Pabulum of a sort that would have been familiar to the Clinton and Bush
White Houses, of course, since they too had blinked when faced with hard
choices over cybersecurity.
For example, the strategy recognizes that improving authentication
of people and machines is a key to improving cybersecurity. While much of its
attention is focused on just making sure that federal networks can properly
identify users, it acknowledges as a goal the creation of a “global, trusted
eco-system” that could form the basis of a secure network. But it call for that
system to be built by working with “international partners” and by building an
ecosystem that is seen to protect “privacy rights and civil liberties.” Hard experience tells us that if building a
secure network depends on the full support of the international and privacy
communities, it will never happen.
Business too was fully protected from the specter of security
regulation in the Obama administration's strategy document, which mentioned regulation just once – to declare
that it would be considered only “as a last resort.”
By the time the editing was done, Washington knew that nothing
dramatic would come from the cybersecurity initiative – or the new
cybersecurity coordinator job the President had announced with fanfare. Indeed, the position remained unfilled until
the end of 2009.
Three Presidents in a row had tried to change course and head off
the worst consequences of Moore's law for our national and personal
All three had failed.
The privacy and business lobbies that guard the exponential status
quo had defeated them all.