By: James Fitch, JD ‘21
Even in 2019, three decades into the modern World Wide Web, people still refer to the internet as a “wild west.” And with so many striking similarities between the issues that frame the debate over addressing cyber threats and the tensions that would have sparked clashes in frontier towns 150 years ago, it is not hard to draw the comparison. Private industry representatives frequently bemoan the lack of government intervention and beg for authorization to organize their own reaction, like some kind of twenty-first century vigilante cyber posse. Government officials often respond by pointing to the complexity and newness of the issues to plead for time, prompting others to recommend “deputizing” private cyber defenders in the meantime. These kinds of debates are dispiriting; there has to be a better way than this in a rule of law society.
The anemic government response to cyber attacks has real effects that can be measured in both dollars and respect. When it comes to money, the corporate representatives are right: cyber attacks are exacting a massive toll on everyone, and private business are not exempt. One estimate places annual damage caused by cybercrime and espionage at $600 billion, up from an estimate of $500 billion in 2014. With losses this large, the government simply has to take a more active role. Additionally, when most of the country’s critical infrastructure is owned by private entities, defending private industries is the most important security interest that the government has. But the lack of a strong response does long-term damage beyond short-term damage. As Jack Goldsmith argues, the government’s strategy of merely attributing crimes and bringing indictments without some other response makes the United States appear weaker, which perpetuates the problem by encouraging adversaries that they can act with relative impunity.
The answer has to begin with fixing the government’s response. I disagree with many of the individuals at the conference those who argue that the answer to the cyber enforcement gap is to give control to private corporations. This might work well in the short-term and might even generate a few quick success stories. But several key problems with this approach were raised at the conference. To begin, corporations that take matters into their own hands are not aware of the second- and third-order effects of their actions. Cyber attacks are often entangled in complex interactions with both state- and non-state actors, where the lines between a cyber attack and an act of war are blurred. This means that corporations could easily disturb national security concerns while acting in their own private interest. Additionally, as one individual noted at the conference, we do not give private actors the latitude to lash out domestically or internationally in any physical domain of warfare. Cyber should not be any different.
Instead, the government needs to change its response. There are at least three things that the government should begin doing. These include (1) shifting toward a strategy of deterrence instead of mere indictment, (2) partnering with private industry rather than acting as an adversary, and (3) resolving personnel issues to preserve its workforce.
Deterrence. Until recently, the government has applied a traditional criminal justice model to cyber attack response. This means that law enforcement has focused on intelligence collection, with a goal of identification and “attribution by indictment.” The problem with this model is that its plodding pace and long-term goals are incompatible with the very real needs of private industry. In the past few years, government has increasingly incorporated a counterterrorism model. This model focuses on “disruption” and “protecting the safety of the public” as the main goals. With the more immediate goal of stopping cyber attacks, this approach opens up a broader menu of potential government action, including sharing information with foreign partners or the public, applying diplomatic pressure or sanctions, and stepping in more actively through law enforcement, intelligence operations, or even military action. In order to give American people the confidence that the government will act to protect their online interests, the government needs to continue to focus on deterring bad actors, not just indicting them. The exigency of terrorism threats means that the government doesn’t have the luxury of deciding between one approach and another; it must protect first while also continuing intelligence collection. The government should apply this same kind of urgency to cyber threats.
Partnering with private industry. Second, the government needs to create better partnerships with private industry. Much of the tension between private industry and government seems to arise from a mutual lack of understanding, and a sense from private corporations that the government is not really on their side. Corporations complain that they have the resources and expertise to research and identify cyber threats, but are repeatedly disappointed with the response they receive when they present this information to the government. And to the contrary, private corporations reference strong disincentives to reporting cyber attacks, because government regulators are quick to penalize companies that are victims of attacks as ipso facto violators. Instead, the government should be working to leverage the capabilities of private industries. Government has neither the workforce nor the expertise to do all of the investigation on its own, so it is crucial that it increase information sharing while ensuring that corporate partners have safe harbor in reporting attacks.
Preserve the Workforce. Lastly, the government needs to take affirmative steps to preserve its cyber workforce. The dearth of cyber security workers is a national problem, so the government needs to make federal employment competitive in order to attract and keep the talent it needs. The Department of Justice lists the FBI as the primary law enforcement agency to which private citizens should report cyber crimes, but the FBI itself is bleeding cyber-security talent. Without making any overly-detailed recommendations about the FBI’s personnel and retention programs, the pay simply needs to be better if the government is going to compete with private employers. While the annual compensation—including both base salary and bonuses—for an FBI assistant director hovers around $200,000, private corporations are more than happy to snatch up experienced agents and pay them salaries ranging from $300,000 to nearly $1 million annually. Simply put, FBI agents are real people, and money talks. Although I have never been in the FBI, I saw this dynamic first-hand—and repeatedly—during my time as a communications officer in the Marine Corps. Many young Marines in the cybersecurity and data networking fields were anxious to complete their first enlistment contract so that they could turn in their barracks rooms and minimal paychecks for lucrative jobs in private industry. It’s hard to blame them or the FBI agents who make a similar choice.
This call for an increased government response is not to say that much of the responsibility does not remain with private industry. Corporations should be responsible for defending themselves, in the same way that a company that does not lock its front doors or hire a security guard will end up being on the hook when opportunistic criminals rob from it. But the government still needs to have a ready response to crimes, whether or not they could have been prevented by better corporate security practices. Like the population of a lawless town plagued by horse thieves and stagecoach robberies, private citizens who are targeted in the cyber wild west will only take so much damage before taking the law into their own hands. In a nation concerned with both protecting its citizens and supporting the rule of law, it is unacceptable to have private corporations choosing between following laws and suffering massive economic losses.