Given the proliferation of cyber threats from foreign governments, terrorists, and criminals as well as the importance of a secure Internet to America’s economy, increased federal attention to cyber security makes good sense.
However, these vast sums have been allocated without a comprehensive strategy to guide them in a climate of widespread anxiety, governmental disorganization, private contractors eager for new business, high degrees of secrecy, and enormous technical complexity. As the new Congress considers the president’s budget, lawmakers must ensure that the U.S. government does not spend aimlessly on cyber security.
The United States cannot afford another uncoordinated U.S. government response like the one made while countering the threat of transnational terrorism after 9/11. A “spend first, ask questions later” attitude characterized these efforts all too often and, haunted by memories of 9/11, Congress proved reluctant to question expenditures.
At least 263 organizations were created or reorganized while hundreds of billions of dollars flowed toward stopping an amorphous terrorist threat. Such feverish activity led to waste, diverted American attention from worsening situations in Afghanistan and beyond, and created a sprawling bureaucracy.
Unless the U.S. government quickly establishes its priorities for cyber security, we risk repeating the mistakes of the past. The Departments of Commerce, Defense, Homeland Security, Justice, and State, among others, are all actively developing cyber security initiatives. The Pentagon’s cyber bureaucracy alone will soon include more than 40,000 personnel under the supervision of Cyber Command.
As the White House and Defense Department prepare to unveil new cyber strategies next month, the Congress and public should look for three key things to ensure these strategies balance cyber security risks with taxpayer costs.
First, the U.S. government needs to avoid what one official, speaking off the record, termed “billion dollar solutions to million dollar problems.” While headlines focus on highly sophisticated cyber threats like the Stuxnet malware that attacked Iranian centrifuges, most cyber attacks use far less advanced methods and require far less expensive responses.
Second, prevention is cheaper than defense. Investing in unglamorous, lower-cost solutions such as well staffed IT departments engaged in routine prevention is a good long-term investment for federal agencies and, by extension, for taxpayers. Buying software and machines that are more resistant to threats in the first place also carries a high return.
Third, the White House strategy and the budget that supports it should focus on the most likely threats as well as the most dangerous ones. That means prioritizing a response to the astonishing levels of crime and economic espionage that now cost the global economy at least $1 trillion each year and threatens to sap America’s economic power and competitiveness.
Though these attacks target largely the private sector, the broad societal costs extend far beyond the harm done to any one company and necessitate government action. As a starting point, the intelligence community should develop new and timely mechanisms to share threat information with corporate leaders. Many are unaware that their networks have been penetrated until millions of dollars worth of intellectual property are lost – if they are aware at all.
A collective sense of urgency is needed about the growing threats in cyber space. But so too is pragmatic level-headedness expressed through a U.S. cyber security strategy that prioritizes intelligently. Such a strategy will enable the U.S. government to craft policies that ensure safe access to the Internet without breaking the bank.
Kristin Lord is vice president and director of studies and Travis Sharp is a research associate at the Center for a New American Security, where they lead the Center’s cyber security initiative.