Mortimer Zuckerman, writing in the Wall Street Journal, argues for a new federal bureaucracy to protect against cyber threats.
We should think of cyberattacks as guided missiles and respond similarly–intercept them and retaliate. This means we need a federal agency dedicated to defending our various networks. You cannot expect the private sector to know how–or to have the money–to defend against a nation-state attack in a cyberwar. One suggestion recommended by Mr. Clarke is that the government create a Cyber Defense Administration. He’s right. Clearly, defending the U.S. from cyberattacks should be one of our prime strategic objectives.
Few nations have used computer networks as extensively as we have to control electric power grids, airlines, railroads, banking and military support. Few nations have more of these essential systems owned and operated by private enterprise. As with 9/11, we do not enjoy the luxury of a dilatory response.
Government cannot even protect its own sensitive diplomatic cables from release by one of its own employees. In this new era of cyberconflict, we are not only fighting against other government-managed armies.
Electric power grids, airlines, railroads, banking and military support should not be connected to the public Internet for key internal functions. We don’t need a new federal bureaucracy to tell us that. That won’t be enough, of course. The Stuxnet worm proves that one thumb drive can introduce a deadly virus to an otherwise protected network. But how could a Cyber Defense Administration prevent that?
With all due respect, the best defense we have is the private sector. They constantly monitor their networks and confer amongst themselves when necessary to block most malicious traffic in an effort to relieve network congestion and provide superior service.
If government owned and operated the networks it might make sense to create a Cyber Defense Administration. But the networks are owned and operated by the private sector. And they already have adequate incentives to combat malicious traffic which threatens their paying customers. Call it the profit motive.
I’ve enjoyed Richard Clarke’s books as much as Zuckerman. But Clarke is focused on threats to private industry that the private sector is best equipped to manage. He completely failed to anticipate the nature of the first major cyberattack. It was an attack on the government itself. The lesson here is that government has its hands full protecting its own data and is not yet in a position to provide indispensable leadership to the private sector.