Howard Schmidt, President Obama's newly minted "cyber-czar" certainly has his work cut out for him.
Last November, Google claimed that Chinese hackers had penetrated its digital infrastructure. As a result of the attack, Google threatened to leave China altogether. Later, Google's co-founder, Sergei Brin, softened the company's stance and said he hoped its running disputes with the Chinese over censorship could be resolved.
Google's volte face was not before Secretary of State Hillary Clinton got into the act with a Churchillian "Iron Curtain" type of speech. Vowing to "protect our networks," and demanding that the Chinese launch a thorough investigation into the Google attack, she declared that, "those who disrupt the free flow of information in our society...pose a threat to our economy, our government and our civil society".
Lest we become too alarmed, the US is not about to go to war with China over whether Google can operate its Chinese subsidiary free from cyber-static -- at least no time soon. Testifying before Congress, Director of National Intelligence Dennis Blair saw the Google incident, much like the aborted attack of the underpants bomber last Christmas, as less of a casus belli than a wake-up call to our intelligence community that we are not doing all we can to defend the homeland.
But the seriousness of the problem persists. As President Obama's Cyberspace Policy Review concludes, "a growing array of state and non-state actors are compromising, stealing, changing or destroying information and could cause critical disruptions in U.S. systems."
"Critical disruptions" may be the understatement of the year. The consequences of a cyber-attack on our military infrastructure, our power grids or our financial data bases are too cataclysmic even to contemplate. If accomplished by an enemy state, such a doomsday attack would certainly be an act of war with more devastating consequences than any we have ever experienced.
One scary problem is that we might not be able to detect "who dun it" with sufficient certainty to launch a retaliatory attack. It is next to impossible, using existing technology, to trace the source of a sophisticated attack back to a foreign actor or actors. Even if you could, it would be too difficult to link those conducting the attack with hostile action by a foreign state. In the light of this, deterrence, which stood by us so well in the Cold War, hardly seems a viable strategy.
Our government is really in a quandary as to how to fight back. We recognize that offensive technologies might readily be sold by organized criminal elements in Russia to rogue states or terrorist organizations. Analogizing to the Cold War strategies, we know that certain countries have been investing heavily in cyber-warfare techniques such as multiple Trojans, malware and spear carriers designed to infiltrate our computers. It would seem we me might want to minimize a "cyber-gap" so they don't get too far ahead of us. How far we have progressed is a matter of speculation since any sums appropriated for this purpose are squirreled away in the dark recesses of the defense budget.
Stronger defensive action is obviously indicated. There are a number of ways to play defense. Cyber-czar Schmidt, who comes from a cyber-security firm in the private sector, may have some rich ideas, but, as an outsider, he may have difficulty forging a coordinated effort among the various agencies involved, which have historically engaged in unproductive turf wars or as Christopher Buckley puts it "hate one another." Moreover, Schmidt is merely a member of the White House staff which doesn't have such a good reputation nowadays for getting things done. But even were this not the case, it would challenge the tactical abilities of the greatest military planner to divine where in cyberspace the next attack might come from; how it would be executed; what would be the target;and by what means, including conventional military force, it might be counteracted.
Many have suggested a public-private partnership to deal with the perils of cyber-warfare. This approach of course has great merit. Private corporations, such as Google, utility companies and banks provide their own security against conventional attack and are in the best position to protect their digital systems. They should be encouraged to do more. But once the government gets involved in the databases of the private sector, there will be howls of protest from all shades of the political spectrum with civil liberties groups raising privacy concerns and tea party loyalists claiming that the government is encroaching still further into private lives.
Heightened security over the Internet may impinge on First Amendment values as well. If Hillary Clinton is correct that "We stand for a single Internet where all of humanity has equal access to knowledge and ideas," it may be hard to maintain this stance where governments, including our own, filter the web in search of dissidents, terrorists, hackers, drug dealers, sex traffickers and other enemies of the people.
Indeed, a "single Internet" may not be possible if a rogue country like Iran, for example, persists in blocking information flows and polices its digital infrastructures with hacker vigilantes armed to launch web attacks in the strategic interests of the state.
Howard Schmidt has much to contemplate.
James D. Zirin is a New York lawyer and member of the Council on Foreign Relations. He co-hosts the cable talk show "Digital Age."