The U.S. needs an Estonian cyberczar

All those scary news reports about the GhostNet and Conflicker must have had a damaging effect on the psyche of some U.S. senators, who this week have intensified their calls on Obama to appoint a cyberczar. And they don’t want just another of those regular czars — this person would also play the role of the national cybersecurity advisor, overseeing the work of several military, intelligence, and civilian agencies, who all vie for power and constantly squabble with each other (a few weeks ago Rod Beckstrom, former Director of the National Cyber Security Center, resigned – less than a year in the job – complaining about constant clashes with NSA).

I find few reasons to celebrate the coming militarization of cyberspace (the market for cybersecurity services is projected to grow at staggering 7-8 percent – significantly faster than the rest of IT industry at 4 percent – and is projected to reach $11 billion by 2013, much of it fueled by public fear of a “cyberwar”) as well as the proposed centralization of cyberportfolio under one person. While concerns over the zeal of companies like Boeing or Lockheed Martin to attract future (and undoubtedly very lucrative) government contracts to protect the cyberspace are easy to understand, the point about centralization is worth explaining in detail.

The problem is that we currently know very little about “cyberwarfare”; we don’t know how to classify it legally, we don’t know how much damage it may cause (there is an interesting contrarian argument that cyberwarfare actually offers a more humane way of fighting wars as compared, say, to carpet bombing), and we are not yet sure that the benefits of destroying the enemy’s communication networks outweigh the intelligence gains of intercepting the enemy’s electronic communications (hence the tension between the military, who want to build exciting gadgets to destroy networks and the NSA, who want those networks to stay operational). Given this tension, appointing a cyberczar would almost certainly give preference to one of the competing visions for “cyberwarfare”; inter-agency strifle, on the other hand, may be slowing things down, but at least it provides for important debate about a very complex topic that is still poorly understood by virtually all players.

My skepticism has grown even further this week, as I am touring Estonia to meet with its top cybersecurity officials and ask them what they have learned since the infamous cyber-attacks of 2007. Unlike Americans, Estonians seem to have taken the de-militarization route; the cyberportfolio is about to be shifted from the Ministry of Defense to the civilians at the Ministry of Economic Affairs and Communications. They didn’t waste the two years that passed since the cyber-attacks on loud talk or inventing metaphors like “cyber-Katrina”; instead, they re-evaluated their entire national communications infrastructure and prioritized its most critical elements accordingly. They have also launched a graduate-level program in cybersecurity, which is preparing the new generation of cyber-defenders; every time I ask Estonia’s top experts in cybersecurity about best ways to spend government money on defending the country from future cyber-attacks, almost all of them mention trainings and awareness-raising – not building better firewalls or beefing up infrastructure (as of next year, Estonian schoolchildren would even be taught about cybersecurity at school as part of a special technology module; the government types keep talking about promoting “cybersecurity culture” in the country).

Most importantly, Estonian institutions working on cybersecurity issues  continue operating in a rather decentralized fashion, with various ministries, agencies, and even represenatives of the private industry working in tandem (and, mind you, all of them have views and opinions that are not any less diverging than those of their American peers; everyone I talked to about what happened in 2007 and what needs to be done gave me a different answer). As a result of this very practical and realistic approach, I don’t sense any paranoia or fear of cyberwarfare here – any references to “cyber-Katrinas” bring smiles to the faces of my interlocutors. The Estonian approach is certainly worth emulating; otherwise, the US government may find itself replaying the “Star Wars” chapter of the Reagan era in cyberspace.

Photo by elka_cz/Flickr