And why the White House needs to split up the “deep state” of the NSA and Cyber Command.
- By Jason HealeyJason Healey is the director of the Cyber Statecraft Initiative at the Atlantic Council of the United States. You can follow his comments on cyber cooperation, conflict, and competition on Twitter, @Jason_Healey.
The militarization of American cyber policy did not happen overnight. What began with a healthy balance of military and civilian interests has, over the course of the past 10 years, devolved into the largely exclusive domain of secretive military and intelligence groups bent on developing America’s offensive and intelligence capabilities in cyberspace at the expense of other, longer-term national security interests.
Of course, the Department of Defense has been interested in military applications of the Internet (and cyberspace more broadly) for more than two decades, especially since 1991 when it used dominant information awareness to tear through the feared Iraqi army. In 1998, the Pentagon set up the first joint "cyber command," which I helped create, while that same year the FBI and Department of Commerce stood up sister offices to fight cybercrime and protect America’s civilian infrastructure. In those early years, there was a healthy balance between the military and other executive departments and a high degree of cooperation.
Moreover, there was a vigorous debate on the relative merits of offense and defense. Policymakers realized the Internet allowed nations to attack one another anonymously and with impunity; the presiding view was that this was a fatal risk for America that demanded prioritizing U.S. defenses.
This balance lasted less than five years, until the standup in 2003 of the Department of Homeland Security swept up most of the existing civilian organizations and talent into a department which a decade later is still finding its voice. The resulting chaos meant the Pentagon — and its captive intelligence agencies, including the National Security Agency — became the only organization with significant institutional and cyber power left standing, especially as fear of terrorism meant ever-more risk taking, fatter budgets, and stifling classification.
Gen. Michael Hayden, then director of the NSA, positioned his organization to live up to this responsibility — but his successor, Gen. Keith Alexander, raced into the gap and positioned NSA as the savior of American cyberspace.
Few military or intelligence professionals, then or now, have had any experience outside the closed world of national security. So this well-meaning group of patriotic insiders did what came most naturally: They classified everything and prioritized one national security goal — more spying and attack capabilities — above all others. Since classification levels permitted few, if any, outside voices, the seeming consensus helped convince U.S. policymakers to adopt General Alexander’s "collect it all" strategy and create a new U.S. Cyber Command to streamline military cyber power. With Congress and the White House convinced (or captured), who could, or would, argue with the all-powerful "Emperor Alexander"?
Just as in 1998, the Internet still allowed nations to attack one another anonymously and with impunity. Only now, a new generation of military officers and policymakers see this not as a fatal risk but as a fantastic opportunity.
It could have been a priority to ensure the Internet is safe and secure for U.S. citizens and commerce; this certainly has been the lofty rhetoric in the president’s speeches and in published strategies. But the unfortunate fact (obvious everywhere except in Washington, D.C.) is that the military’s naturally aggressive views dominate U.S. government ideas of how to conduct itself in cyberspace.
Today, the State Department has perhaps two or three dozen diplomats bravely trying to convince the world that the United States wants peace and an open, secure Internet. Unfortunately, at Fort Meade, headquarters of NSA and U.S. Cyber Command, there are more people with vastly larger budgets working towards opposite ends. The diplomats work towards America’s stated priorities while the spies and warfighters create their own truths in the network. With powerful budgets and authorities, they can seize ground in cyberspace, infiltrating networks around the world with little friction from the Beltway bureaucracy.
For example, U.S. diplomats were leading the fight to create norms that make Chinese espionage beyond the pale, while all along the NSA was infiltrating not just U.S. adversaries, but allies as well.
The U.S. government publicly claims to want a relatively borderless Internet to grow digital economies and nurture cyber culture, yet coerced U.S. companies to give NSA and U.S. Cyber Command the "high ground" of cyberspace by tapping information flows and tampering with American tech products. Other nations are already shunning these companies’ products, convinced they were fronts for the NSA all along.
When designing and launching the most sophisticated and disruptive cyberattack ever, the autonomous Stuxnet intended to cripple Iran’s nuclear centrifuge program, the officials involved reportedly found it "ironic" that the United States was betraying all its fine language on wanting a safe and secure Internet.
Other nations had already been exploring their own military options for cyberspace, but once they saw the United States putting so much effort into these kinds of attacks and spying, they piled on, too. Now Brazil, Japan, South Korea, Colombia, Iran, China, Russia, Norway, and Spain are getting in the act; any self-respecting military needs to boast of having its own cyber organization.
To rebalance America’s national security priorities in cyberspace, the administration must coordinate and publish an honest and open cyberstrategy. If President Obama truly wants a safe and secure cyberspace, he needs to be upfront about how this priority conflicts with the emphasis put on offensive and exploitation capabilities. He did this in the drone debate and it is overdue here.
The departure of General Alexander in early 2014 will help, but the White House should go further and split the "deep state" of NSA and Cyber Command to ensure no one officer ever again has such a dominant voice and monopoly of power.
Within the White House, to be more prominent advocates for a stronger defense, the president should plus-up his staff in the National Economic Council and Cyber Directorate of the National Security Council. However, with so much power concentrated in the directorates for defense and intelligence, he ought to appoint an independent senior official overseeing all cyber policy with far more power, policy oversight, and budget authority than today.
America’s policymakers have forgotten that our true center of cyber power is not Fort Meade, but our private sector: the companies that create and maintain cyberspace and the companies and citizens that fill it with the content and commerce the world wants. This is a world where cyberspace underlies American prosperity, aided by U.S. policies that put commerce first.
Rebalancing America’s national security priorities away from the military and bringing them in line with our true power will give the United States — and users of cyberspace everywhere — a more stable and secure fut