Hardcover, 320 pages
Published June 20th 2016 by Rowman & Littlefield Publishers
One of the most pressing issues in cybersecurity policy is the question of jurisdiction. Who should secure cyberspace from rogue hackers, terrorists, and nation-states? Is it the responsibility of the government, the private sector, or both? In his recent book, Hacked: The Inside Story of America’s Struggle to Secure Cyberspace, Charlie Mitchell traces how that question has been answered in the Obama administration, mapping recent attempts by the government and industry to cooperate on the issue.
Towards the end of his second term, President Bush began to explore the issue of cybersecurity, and the Obama administration picked up where he left off. The 44th president, however, hoping not to stifle economic growth by putting undue burdens on corporations, was less inclined than his predecessor to use regulation as a security mechanism. Hoping for a more voluntary approach, the administration attempted to partner with the private sector; the two aspects of that partnership that Mitchell highlights are cybersecurity standards and information sharing.
After Congressional failure to pass cyber legislation (a constant theme throughout the book), the White House decided to take the lead, and in 2013 the President issued an executive order based on government and private sector collaboration.
The most significant example of such collaboration was the National Institute of Standards and Technology (NIST) cybersecurity framework creation process. The executive order tasked NIST with developing a framework of “voluntary standards” for cybersecurity in collaboration with the tech industry. Both sides met and discussed the framework at a series of conferences at various college campuses across the country. The basics of the framework included “five core functions: know, prevent, detect, respond, and recover… It would also include three framework implementation levels.” It also included a list of other issues that NIST officials hoped industry leaders would consider, including “improving authentication” and “bolstering the cybersecurity workforce.”
The process was constantly threatened by business leaders’ fears that the framework (specifically the metrics used to measure adoption of the framework) would devolve into regulation; accordingly, the three implementation levels were changed to four “tiers.” The Framework was released in 2014 to positive reviews from the business community, but the media and security experts were less enthusiastic.
Information sharing, another area of collaboration highlighted by Mitchell, refers primarily to the flow of information about cyber threats between the government and private industry. Laws and national security considerations limit the sharing ability of the federal government, and concerns about liability and government punishment inhibit industry sharing with the government.
Hacked follows the twisted path that information-sharing legislation takes through Congress and explores how Washington strives to foster increased information sharing between the two parties. A number of bills are proposed in the House during Obama’s second term with different approaches to information sharing, especially concerning who in the government information should be shared with: the Department of Homeland Security, the NSA, or multiple government agencies.
Mitchell spends most of his time not on the specifics of the bills but on the excruciatingly difficult and long process that the House and the Senate take to pass them. Cybersecurity legislation is repeatedly passed over because of looming elections, government shutdowns, squabbles between Republicans and Democrats, the budget, immigration, and the Iran nuclear deal. Even when it is brought up, it is constantly assailed by privacy advocates such as the ACLU.
Mitchell closes the book with musings on the future of cybersecurity in the United States. Questions still exist about whether the voluntary approach favored by the Obama administration has staying power, especially when a new President takes office this January. Restructuring at the federal government level, especially within Congress and the bureaucracy, is also necessary to deal with the cyber threat more efficiently, and he warns against seeing information-sharing as an end in itself instead of part of a larger cyber strategy. The private sector, especially the insurance community, has made great strides in security, but the government still struggles to provide adequate incentives for companies to invest in it, and time will tell whether the government or private industry will take the lead in cybersecurity development in the future.
Mitchell ends by stating that “cybersecurity, and cyber threats, are now a permanent feature of the governing, political, and economic landscape,” the dangers they pose will not disappear, and any response to them must be based on this fundamental fact. Though a bit dry at times, Hacked is a must-read for anyone seeking greater familiarity with this essential element of national security, which will only grow in importance in the coming years.