As I finished reading Richard Clarke's book, Cyber War (see Bejtlich's notes on it), this weekend a thought occurred to me based on one of his consistently reiterated points: the Department of Defense seems to be a misnomer, if not an oxymoron. That is, when you think about it, the US DoD doesn't seem to be oriented so much toward "defense" as "offense." This point is not lost on Clarke, who talks about how the American military is ill-prepared and ill-positioned for defending the homeland from cyber-attack. Even worse, the so-called Department of Homeland Security isn't apparently chartered to deal with defending the homeland either so much as it is with protecting government networks, at least in the cyber sense of things (obviously Border Patrol, TSA, and the Coast Guard, among others, are charged with physical protection).
It seems to me that this problem represents a need for a paradigm shift. This is not to say that I think we should charter traditional military functions for operating within our borders, but that we need to rethink our military approach altogether. In part, I think that one of the key failing points in our current cultural and institutional mindsets is that we are too focused on offense and lack any sort of real or necessary competence around defense, resiliency, and self-preservation (note: I've written about self-preservation in the past).
A Different Pair of Dimes
Sitting around thinking about this challenge of defending the US against various online affronts has led me to conclude that we need a radical change in thinking. In fact, I think it's time for a complete, massive reorganization and realignment of assets, whether they be from DHS, DoD, or any number of other agencies. I think that G.W. Bush actually was on the right track in creating DHS, though the execution has been severely flawed, thanks in part to massive, soul-crushing bureaucracy, but also bolstered by a traditional mindset that is unable to conceive of a new future.
The change I'm thinking of would look like this: dissolve DHS and DoD, maintain the Joint Chiefs, but use them in a matrixed management structure, change the charter of the US military to enable defensive operations on domestic "properties" (I use this term instead of "soil" as in the online world borders can become fuzzy), and institute better oversight that is vested in ensuring that an abuse of power doesn't occur, and that has the power and authority to actually and effectively balance out executive military powers. Toss in intelligence apparatus for good measure.
From this collective I would see (at least) two separate departments deployed.
* Department of Defense and Resiliency
* Department of Offensive Initiatives
Each of these departments would be hybrid organizations that combine military and civilian resources, much as in the way that HHS currently does around healthcare, medical research, etc. The simple fact of the matter is that we need the strengths of the military (strong chain of command and its ability to communicate and escalate issues) combined with the flexibility and charter to operate domestically. More importantly, we need to split out military and civilian units so that some are actually focused on defense and resiliency, rather than the current ineffectual model.
Along with these two, it may also be useful to add a separate directorate for intelligence, though that already seems to be somewhat addressed today. The key with this aspect is of course ensuring that the intelligence apparatus is operating effectively and efficiently, and is able to share information. By creating 2 new departments that combine military and civilian personnel and authority, clearance issues should be more easily resolved to better facilitate information sharing.
The Case For
The times, they have a-changed. It's folly to think that what we have in place today can provide any sort of reasonable protection of domestic resources. While we may have physical controls in place (and look at how overloaded Border Patrol and Coast Guard are with drug enforcement activities), it seems clear that cyber-defense and resiliency is at best an after-thought. More importantly, we are facing a major cultural crisis in that Western Civilization is not built on a foundation of survivability, but rather one of empire-building and military domination that eventually leads to complete collapse. If we're to avoid repeating history, then we need to shift our focus.
This focus-shift needs to put a premium on embedding a mentality of survivability into the very fabric that is our cultural identity. While it's true that we as Americans have this traditional picture of the "rugged individual" in our history, we're overlooking recent history. An analysis of our current environment shows an extremely high degree of reliance on the internet, while our ability to defend against internet-based attacks is, in fact, very low. Myriad critical systems are now online and open to compromise. Even classified DoD networks have been compromised over the past decade. All of this reflects a failure to place proper emphasis on defense and resiliency, even while our military develops and achieves cyber-offensive superiority. The projection of offensive power will no longer protect American interests.
Along these same lines, if the government continues to put a focus on growth and offense, then businesses will merely follow suit. Very few organizations show enough interest in true self-preservation and resiliency. As such, it will be imperative to accompany such a reorganization with a new regulatory framework that distributes the onus between the government and private industry. Every organization - and especially every piece of critical infrastructure - should be mandated to implement a formal, quantitative risk management program that implements a legally defensible strategy. Failure to achieve legal defensibility should result in severe penalties, up to and including government intervention (e.g., liquidation of assets or de-privatization, a la GM).
The Case Against
As is the case any time it's suggested that the government do more or have more power, the possibility for increased corruption exists. Especially in the current political environment where corruption is the rule rather than the exception, it will be imperative that proper controls and oversight be put into place. Oversight must be implemented to a degree that a true check-n-balance is accomplished, and it may even require some sort of privatized authority.
Similarly, given the new charter for "domestic" military operations, it will be necessary to construct a proper legal framework that allows the military to respond to an active threat, all while continuing to respect the rule of law. Today such military intervention may qualify as a coup or a violation of the US Constitution (IANAL, just supposition, though my understanding is that the "standing army" hasn't been chartered for domestic operations). With oversight will need to come a streamlined legal framework that can switch to bypass mode should a real threat be realized (i.e., an active response for an active attack).
This is a slippery slope, and one that needs to be buttressed accordingly. The last thing we would want is for the authorization of domestic operations to grease the wheels of a coup or other form of government change that puts us in a worse scenario. Ultimately, the goal here should be to provide the necessary protection mechanisms to ensure broader freedom with less government intrusion (except in the time of conflict).
Along with these concerns it will also be important to proactively guard against cultural isolation and protectionism, such as France exhibits on a regular basis. The American culture has historically been depicted as a "melting pot" - something we should all hope to preserve. At the same time, we have a fundamental flaw given our predominantly Western Civ roots that needs to be addressed. Increasing the cultural emphasis on self-preservation and resiliency should be balanced against closing off the culture to external influences.
The Time to Act Was Yesterday (now will suffice)
We've dragged our collective feet too long. Despite accelerating growth in offensive capabilities, it seems clear that we are nowhere near prepared for the coming storm. The same message that we tell to business leaders ("it's not if, but when") also applies nationally for cyber-conflict. Foreign agents have already made successful forays into our online environments. We do not have adequate control over our electronic resources. While I may disagree with Clarke's catastrophic scenarios, the fact still remains that we are woefully unprepared to defend ourselves. Moreover, culturally we seem to be developing in a manner that is congruent with prior empires in Western Civilization. If we continue to stretch without focusing on survivability, then we will pay a steep penalty. Rome was not built in a day, but its collapse was sudden and rapid. Are we on a similar path? Is it already too late to correct our course? We should all hope not. It will, however, only be through rapid and radical change that we'll be able to better align our resources with our priorities in order to protect our assets.