by Peter M. Shane and Jeffrey Hunker (eds.). Durham, North Carolina: Carolina Academic Press, 2013, 330pp. Paper $43.00. ISBN: 978-1-61163-159-3
Reviewed by Donald W. Jackson, Department of Political Science, Texas Christian University. Email: d.w.jackson [at] tcu.edu
pp.173-175
This is an important book; however, a non-specialist reader like myself may only be capable of comprehending the broad perspectives and implications for the policy issues that are presented.
Peter Shane is a law professor who has written about communication problems, especially concerning their implications for democracy, and Jeffrey Hunker is a computer scientist who was responsible for the development of the first U.S. national strategy for cybersecurity during the Clinton Administration. They have done excellent work in bringing together these contributions, grouped into three parts: I. Private and Public roles in Cybersecurity, Chapters 1-4; II. Cybersecurity and Conflict Response, Chapters 5-8; and III. The Politics of Cyber Decision Making, Chapers 9-11.
Altogether, the book consists of eleven chapters written by thirteen contributors who include a senior attorney and a head of global security strategy, both with Microsoft; the Director of the Cyber Statecraft Initiative of the Atlantic Council; two senior researchers and scientists with RAND Corporation; the chief computer scientist with the National Research Council; a former senior officer for Global Public Policy with Visa, Inc; the Director of the Project on Freedom, Security and Technology at the non-profit Center for Democracy and Technology; two consultants, one for the DOD and the other for Homeland Security; and the head of Plans and Policy at the United States Cyber Command. It is a powerful set of contributors.
Readers should be interested in this book due to the concern that many of our public laws and legal institutions are under stress because they have not kept pace with technological developments. We need to adapt our laws and policies to keep up with rapidly evolving technology, while preserving the fundamental principles of our Bill of Rights, especially the right of privacy. The legal regime also needs to be able to handle have effective and coordinated policies to address issues of commerce and transnational governance. The test for the reader of this book will be whether sufficient information can be gleaned from it to frame our understanding of the difficult adjustments in policy that must be resolved. It is problematic whether the issues reflected in this book can be translated into words and issues that can be fully understood, either by our political parties or by our citizenry.
The issues raised by recent disclosures of the bulk metadata program of the National Security Agency relative to the interests of privacy offer one recent example of the problems we confront. The structure of the United States Cyber [*174] Command at the N.S.A. is presented by Mark Young (of that Command) in Chapter 5 of Part II. A good description of the problem of timeliness may be found in Chapter 9, in which Paul Rosenzweig (formerly of the Department of Homeland Security) points out that the, “pace of events in cyber space moves so quickly that policy cannot keep up.” He calls this the problem of “The Policy ‘Ford Sedan’” (p.234): “In a world in which notice and comment rulemaking takes eighteen to twenty-four months to complete – during which time the average processing speed of computer chips will have doubled – our system for making policy is ill-suited to the task.” Rosenzweig attributes an important extension of this “Ford Sedan” analogy to Professor Harvey Rishikof, Chair of the American Bar Association Standing Committee on Law and National Security, who charged the government with using a “Ford sedan” policy-making system when trying to cope with a cyberspace “Porsche” system (p.238).
The issue of cybersecurity first gained a prominent place in the spotlight almost twenty years ago, with a 1997 report by President Clinton’s Commission on Critical Infrastructures. As President Clinton then suggested, whenever there comes a new way of communicating, there arise new ways of making money and taking advantage (p.3).
When we move from the beginnings of cybersecurity awareness in 1997 to the present, we have good figurative bookends; in February 2013, President Obama issued Executive Order 13636 on “Improving Infrastructure Cybersecurity” which then led to the “Framework for Improving Infrastructure Cyber Security” in mid-February 2014. However, this “Framework” does not provide either particular solutions or specifications, but rather describes a core process which is called a “life cycle” for identifying, assessing and managing cybersecurity risks.
While the proposed Framework may well be a reasonable approach to security from the perspective of stakeholders (including ourselves) whose security may be breached, we should also note that our government may itself be an active agent in some breaches and attacks. Thus, we may ourselves be the agents of Cyberwarfare, as in the instance of the Stuxnet virus attack on Iranian nuclear development, conducted by the United States under the codename of “Olympic Games.” Then-CIA Director Leon Panetta disclosed this attack in 2010. The Stuxnet virus had the effect of accelerating the centrifuges that the Iranians used to enrich nuclear fuel. The Olympic Games/Stuxnet program had been started under President George W. Bush, and then extended by President Obama (Sanger, 2011: 197-208). Obama authorized a covert and “unattributable” operation, but problems arose that led to disclosures in 2010. The Stuxnet attack is is introduced by co-editor Jeffrey Hunker (p.38), and mentioned in several chapters of this book. It is important to remember our own culpability when thinking about cybersecurity remedies.
However, as noted by J. Paul Nichols and Cristin Goodwin (both from Microsoft) in Chapter 4, “The U.S. government exerts virtually no control over Internet users with respect to security” (p.113). Yet, as suggested by Gregory T. Nojeim (of the Project on Freedom, Security and Technology) in Chapter 10 – when he considers [*175] possible solutions for greater security – having the U.S. government monitor private networks, or giving our Department of Defense the lead in providing such security, may be a very bad idea that “should be resisted” (p.255).
Is resistance too late? On March 12, 2014, David Sanger wrote in THE NEW YORK TIMES that Vice Admiral Michael S. Rogers, President Obama’s nominee to head the National Security Agency, said, when appearing before the Senate Armed Services Committee the day before, that, “All of the major combat commands in the United States will soon have dedicated forces to conduct cyberattacks alongside their air, naval and ground capabilities.” If confirmed, Admiral Rogers will also head the United States Cyber Command.
It thus is important that in Chapter 6, Martin C. Libicki (of RAND Corporation) writes that Cyberspace ought not to be another “war fighting domain,” and he provides a discussion of the topic which in some ways justifies our concerns. He recalls that in human history the “land domain” was followed by the “sea domain,” then by the “space domain,” which now has been followed by the “cyberspace domain” (p.163). Warfare was adapted by people to reach each of these domains, and considering cyberspace merely as another venue for warfare – to be overseen for us by U.S. Cybercommand – may serve to validate still another place for human conflict. Recognizing this new venue for warfare may reflect reality, Libicki argues that we must learn to protect ourselves. For example, Edward Snowden suggested in March 2014, via satellite feed from Moscow to the South By Southwest Interactive Festival in Austin, Texas, that encryption of our messages might be a solution, but it is unlikely that such encryption will remain forever unbroken. Instead we must develop new legal standards for protecting our cherished right to privacy. This must become an important subject for international law.
REFERENCES
Executive Order no. 13636, IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY, DCPD-20130091, February 12, 2013. Available at: http:www.gpo.gov/fas/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf (accessed March 10, 2014).
National Institute for Standards and Technology. February 12, 2014. FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY. www.nist.gov/cyberframework (accessed March 10, 2014).
President’s Commission on Critical Infrastructure. 1997. CRITICAL FOUNDATIONS: PROTECTING AMERICA’S INFRASTRUCTURE. Available at: http://www.fas.org/sgp/library/pccip.pdf (accessed March 10, 2014).
Sanger, David E. 2011. CONFRONT AND CONCEAL; OBAMA’S SECRET WARS AND SURPRISING USE OF AMERICAN POWER. New York. Crown Publishers.
Sanger, David E. 2014. “N.S.A. Nominee Promotes Cyberwar Units.” THE NEW YORK TIMES, March 12, 2014 at p. A18.
Copyright 2014 by the Author, Donald W. Jackson.