December 16, 2012 /
Defining a National Doctrine on Cybersecurity
Our nation has developed a fairly long list of doctrines that have historically provided statements of what we believe and the principles by which we’re going to base our future actions. Two examples that come to mind are the Monroe Doctrine and the Reagan Doctrine, but there have been many others. In addition, military doctrine has long provided a guide to national defense actions.
Do we need such a national doctrine on cybersecurity? If so, what needs to be included? How will the rest of the world view this doctrine? Can a cyberdoctrine help guide our actions?
Earlier this week, I was contacted by Sarah Rich from Government Technology Magazine and asked to comment on recent efforts to develop a national doctrine on cybersecurity. Sarah wrote this article entitled: Should the U.S. Develop a National Cyberdoctrine? Here’s an excerpt:
“Earlier this month, the Potomac Institute Press released a new book #CyberDoc: No Borders – No Boundaries, which addresses the rising concern of cyber-related disasters and the growing need for such a doctrine.
‘The book is a call to action,’ said Tim Sample, vice president and sector manager of special programs at Battelle and co-editor of #CyberDoc.”
I won’t reiterate my comments to Sarah here, except to emphasize that I support the overall call to action in the book for a national discussion on key cyber issues. Nevertheless, I also think that getting a meaningful national consensus on the answers to key questions will be very difficult. (See Sarah’s article in the gray box for some of the key questions, beginning with ten questions that are foundational.)
But I am highlighting this topic again for another reason. I urge readers of my cybersecurity blog to take 15-20 minutes and ponder the transcript of the Potomac Institute for Policy Studies event on cybersecurity held in early December.
This transcript for the event covers many excellent topics of discussion and provides a wealth of information regarding why a doctrine for dealing with cybersecurity is important. It also discusses many relevant topics that should guide our thinking on dealing with the new cyber environment moving forward.
Here is a brief sample of intriguing statements from the panel discussion:
- “…Nobody thinks that the government can provide cybersecurity. We don't want to turn it over to the government; it doesn't do that well. We must recognize that cybersecurity costs money and that somebody has to do it.
- I think one of the things that came out of the conference is that there clearly needs to be someone in charge.
- Somewhere along the line in the last four or five, six, seven years, this thing has changed from essentially "isn't this cute," to "gosh, this is useful," to a public utility. And the question becomes, how does a government deal with that?
- So what do you need to know? Well, you need to know what are you trying to deter. You need to know who are you trying to deter. And you need to know how.
- If somebody attacks you and you notice that and people die and buildings come crashing down, it's a pretty obvious thing. But what if they don't attack you? What if all they do is put in place the ability inside all your infrastructure to take it down if they wanted to at some point in the future? It's all benign, nothing's happening, nothing's being taken down; it's just sitting there.”
I also found this article written by well know cybersecurity policy expert and author, Dan Verton, to be very helpful. Here’s an excerpt from that piece:
“President Barack Obama’s signing last month of Presidential Policy Directive 20 (PPD 20), a classified directive that establishes guidelines by which the federal government can operate beyond the confines of federal networks to respond to serious cyber attacks, may have finally laid the foundation upon which a national doctrine governing cybersecurity can be built….
“The issue here is that the status quo is no longer acceptable,” said Rear Admiral Jamie Barnett (USNR-Ret.). “We’re no longer going to simply defend the networks and continue to take the attacks and intrusions. We’re not going to be in a corner with our boxing gloves over our face. We’re going out and we’re going to swing at people who are attacking us.”
One more things on this topic: There are several additional classic questions that are particularly useful when setting forth a doctrine. These were sent to me by Andris Ozols, who is an excellent researcher and adviser on our Michigan CIO’s staff.
- What is it that we don’t know (regarding cybersecurity)? This question is not a logical impossibility, but an ongoing open inquiry.
- What happens if we under or overreact (to cyberattacks)? Risks in both – how to choose.
- What is plan B, C and so on? No plan in effect is a plan, but can it ever be a good plan? Perhaps better than some plans.
All of this is thought-provoking stuff that makes for important dialogue as we consider the future direction of cybersecurity in America and around the world. I agree with the sentiment that we can’t keep doing the same things and expect different results. We all know that we need to be taking new actions to protect critical infrastructure as a nation, as states, as local governments and as private companies.
Now if we can just agree on the right questions (and the same answers.) Perhaps an open process of building a cybersecurity doctrine can help.
What are your thoughts?