Privacy-Technologist Alliance, Agencies’ Deadwood-Dumping Blamed for U.S. Cyberwar Deficiencies
SAN FRANCISCO -- A former senior Homeland Security official largely blamed the privacy-rights lobby’s success for what he called lack of U.S. preparation for cyberwar. Improved preparedness “requires that the public grow up and realize we need these capabilities,” said Stewart Baker, DHS’s first assistant secretary for policy, 2005-2009. Privacy advocates never got behind that, he said on panel at the American Bar Association’s annual meeting, which ended this week. Baker, a Steptoe & Johnson partner, criticized “privacy campaigners” as insisting that “we don’t want” the National Security Agency “anywhere near our packets,” even in a response to a cyberattack on the U.S.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Waging cyberwar can’t be treated like covert action when it comes to legal restrictions, Baker said. That would require presidential approval each time an operative wants “to hit the return button,” he said.
Computer scientists have allied with privacy advocates to interfere with achieving the attribution of online activity that’s crucial to punishment and deterrence of wrongdoers, Baker said. This alliance has won the sympathy of Internet users who fear identification of their sensitive activities online, he said. But “other unattributed people are going to steal them blind, and then they'll be more enthusiastic about attribution,” Baker said.
Attribution will create tricky problems, Baker acknowledged. He painted a scenario in which the U.S. faces a disclosure dilemma from investigating the source of a cyberattack against China at its government’s request and tracing it to Falun Gong, which are political and religious dissidents.
Homeland Security’s cybersecurity work also has been hampered by lack of staff expertise, Baker said. When the department got responsibility in this field, agencies that make it up kept many of their more competent employees and dumped on DHS some that they thought “could benefit from a change of scenery,” he said. This “hurt DHS’s response to this crisis for a number of years,” Baker said. “DHS for years was a laughingstock and gradually caught up to being respectable,” he said. The department got to respectability only by “taking staff and tools from the NSA and civilianizing them,” and it still isn’t fully competent in cybersecurity, Baker said.
Robert Knake, a Council on Foreign Relations fellow and co-author of Richard Clarke’s book Cyber War, said cybersecurity threats are real and dangerous but the risk of cyberwar and cyberterrorism has been exaggerated, and misused to promote regulatory legislation. Regulation “is ill-suited to the purpose” of supporting warfare, he said.
The U.S. should shift its emphasis internationally from law enforcement, which has lifted security responsibility from business, Knake said. The government should start using “the network to our advantage” and “shut the network down” through international mechanisms in response to severe attacks, he said. Otherwise, U.S. goals in international work should be protecting the root zone and dealing with denial-of-service attacks, Knake said. The ultimate aims should be increasing U.S. cybersecurity and limiting cyberwar to governments, he said. Knake disagreed about the centrality of attribution. The U.S. can trace an attack to a network and tell the operator to “help us investigate or we're going to hold you responsible,” he said.