Cyberspace is a global commons, open to all, dominated by none. But, as the recent hack of Sony Pictures Entertainment illustrates, it is also a battlefield. Unlike battlefields in the physical world where the United States has advantages over most adversaries, U.S. superiority in cyberspace is not assured. In fact, without a reorganization of resources and responsibilities, the United States may find it difficult to keep pace with this growing threat.
The United States has no lack of skilled, well-trained cyberwarriors; nor is inferior equipment to blame. Rather, fragmented responsibilities and restrictive laws and policies may be hampering the United States' ability to effectively respond to cyberattacks. And if the United States fails to respond to this growing issue, the trend of escalating attacks—Target, Home Depot, Sony—will not only continue but will likely increase.
Boundaries set up to protect individual liberties and organize government operations can slow the ability of federal authorities to detect and pursue attackers in cyberspace, whether they are international criminals or nation-state operatives. In terms of who protects what in cyberspace, the Department of Defense focuses on the military networks, while the FBI and the Department of Homeland Security concentrate on the other government and private networks. It was the FBI that attributed the Sony attack to North Korea—within a matter of days, if not hours, after it was first detected. This represented a breakthrough in cyber-attribution, a feat that relied heavily on information from “multiple departments and agencies as well as with domestic, foreign, and private sector partners,” the bureau said in its press release.
But organizational swim lanes persist that limit the kind of synergy that was brought to bear in the Sony case. The armed forces, the intelligence community and law enforcement are authorized and granted various authorities under different federal laws. These laws strictly govern who can do what on the cyber-battlefield. The resulting legal complexity makes efforts to police this global commons ponderous and less effective.
The problem has not gone unrecognized. For years, Congress has been debating options for organizational assignments and new authorities to provide a comprehensive approach to cybersecurity to defend the United States against criminals, corporate spies, foreign armies and various saboteurs in cyberspace (all of whom derive their capabilities from the same tools and techniques). One of the offerings from the last Congress—called the Cybersecurity Information Sharing Act of 2014—would have directed “enhanced sharing of information about cybersecurity threats between the U.S. government and the private sector.” Specifically the bill called for the sharing of classified and unclassified cyber-threat indicators with private entities, non-federal government agencies and state and local governments. President Barack Obama highlighted several cybersecurity initiatives in his State of the Union address. These proposals are overdue and represent steps forward, but they are akin to providing a neighborhood watch program for cyberspace: useful, but inadequate to fully address the threat.
What remains vitally needed is legislation that would grant at least one capable government organization the authority to track cyber-intruders and -criminals with the same freedom and speed of maneuver that these adversaries enjoy, while protecting the civil liberties and freedoms that allowed the establishment of the Internet. New authorities must be established for this to occur, and it will likely require substantial revisions to the U.S. code—undoubtedly a daunting challenge—and public debate. At the same time, the Congress should remain mindful of the understandable public interest in personal privacy. But absent the creation of an authority that has the agility and the resources to act quickly to respond to or prevent attacks, rogue nations and criminal gangs will continue their depredations with impunity.
Isaac Porche is a senior researcher at the nonprofit, nonpartisan RAND Corporation.
This commentary originally appeared on U.S. News & World Report on January 22, 2015. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.