Grading Obama's First-Year Cybersecurity Performance

Ford Motor's slogan - Quality is Job 1 - didn't refer to its Model T, at least when it came to safety. Still, that didn't prevent the Model T from becoming the world's most popular car - more than 15 million manufactured between 1908 and 1927 - as motorists tossed safety concerns to the wind, much as today's Internet users love exploring the web as they disregard security threats.

The auto industry failed to manufacture safe cars, so the government stepped in with regulations, and James Lewis sees the same pattern possibly happening with the Internet.

"We haven't seen the demand for security, and some people say that is because people don't know the threat," Lewis, senior fellow at the public policy group Center for Strategic and International Studies, said in an interview with GovInfoSecurity.com (transcript below). "The Model T was a dreadful car, old, antiquated, wooden parts, no seatbelts, no safety, but people loved them because they were so cool and that is kind of like the Internet. People love it and they use it even though they know it is not secure. They don't realize the risk to themselves and so individuals are willing to accept a risk. But, when you aggregate that risk, it is very damaging for the larger society.

"And, so just like cars where we had to set standards for safety - seatbelts and all of the other stuff - that is kind of the model we are in. There are some things that the market will not produce."

In the first of a two-part, wide-ranging interview, conducted by GovInfoSecurity.com's Eric Chabrow, Lewis explains why the federal government must take the lead in securing America's key digital assets, despite the fact that much of the nation's critical IT infrastructure is owned by business. He also grades President Obama's performance as a cybersecurity leader and discusses:

How the White House cybersecurity coordinator's position could evolve into a more independent role, similar to that of the U.S. trade representative.
Challenges faced by the new cybersecurity coordinator, Howard Schmidt, including avoiding mistakes made by previous administrations.
The need to trust the National Security Agency despite its involvement with warrantless, electronic searches during the Bush administration.

In Part 2 of the interview, Lewis addresses the roadblocks Congress faces in enacting meaningful cybersecurity legislation this year and the continuing work being conducted by CSIS's Commission on Cybersecurity for the 44th Presidency, which is studying identity management, situational awareness and international engagement. Lewis is project leader of the Commission, which produced a highly regarded report that served as a roadmap for the Obama administration in developing its cybersecurity policy.

Lewis is recognized as one of Washington's most respected thought-leaders on government cybersecurity policy. As a senior fellow at CSIS, Lewis conducts research and writes on technology, national security and the international economy. Before joining CSIS, Lewis worked as a foreign service officer and as a member of the senior executive service. His assignments involved Asian regional security, military intervention and insurgency, conventional arms negotiations, technology transfer, foreign investment and the defense industry, sanctions, internet policy, and military space programs.

Lewis received his Ph.D. from the University of Chicago and has authored more than 40 publications on a range of topics since coming to CSIS, including: Assessing the Risks of Cyber Terror and Cyber War, Strengthening Law Enforcement Capabilities for Counter-Terrorism and Globalization and National Security.

ERIC CHABROW: We are approaching the first anniversary of President Obama's inauguration. What grade would you give the president in confronting the cybersecurity challenges that face the nation?

JAMES LEWIS: I would probably give him a B, B+. The issue that people have fixated on has been the cyber coordinator at the White House, and that has been interesting to watch it play out. Not encouraging, but in other agencies there has been a lot of activity and we can't necessarily see the results right now, but the DOD (Department of Defense), DHS, the Homeland Security Department, even at State, we are beginning to see people do things so I would give him a pretty good grade.

CHABROW: Let's talk about the cybersecurity coordinator. The Center for Strategic and International Studies' Commission on Cybersecurity for the 44th Presidency issued its report just over a year ago and one of its recommendations was the creation of the Office of Cyberspace in the White House, advice that the president didn't quite adopt. He does have a cybersecurity adviser, Howard Schmidt. What are the consequences of the president in not creating or highly positioning a cybersecurity officer in the White House?

LEWIS: He did create a coordinator, which is good; we need one. They have committed to come up with a new strategy, which we also recommended, and God knows they need one. The old one was dreadful and it hasn't gotten any better, but the issue that we are going to face as a nation is that we have got a new global infrastructure that we are dependent on and we haven't figured out a good way to have the government deal with it and normally what we would do is create some kind of new office, department, agency to look at this.

When telephones were invented, they came up with the FCC (Federal Communications Commission). When airplanes were entered into commercial use, they came up with the FAA (Federal Aviation Administration). That is the path we are on and the question is: How fast should we go? These people have taken a go slow approach, but eventually we will get to the point where we are going to need the big office that the CSIS report calls for.

CHABROW: Do you still feel that the position should be within the White House or something like the FAA, a separate agency?

LEWIS: We thought that having it be something like the USTR, the U.S. Trade Representative's Office, which is attached to the White House, but separate from it. It is actually right across the street on 17th Street. That might be the best approach and so for now we might want to think about that.

They would have been better off coming up with something like USTR, but they took a halfway step so it could be worse; a halfway step after nine months.

CHABROW: Regardless of his position in the White House, what do you think of Howard Schmidt and what do you consider his two or three top priorities?

LEWIS: His priorities are pretty clear. One of the things that is interesting about this is the president apparently cares about cybersecurity and he is interested in it. He, right before Christmas, issued some commands I guess for Howard and John Brennan, who Howard will be working for, to basically pick up the ball and start running with it. The political will is there but that doesn't always translate into action.

Howard has a good chance to do some things different. If he tries to do what the White House wanted to do in 2003, it won't work, and that means he is going to have to look at a couple of really big and hard issues. He is going to have to look at the role of the DOD. He is going to have to look at the need for authentication nationally for better identity management. And, he is going to have to think about how we engage with other countries. Things that we haven't done very well in the past and that's a tough agenda but it is one that he is going to have to tackle.

CHABROW: What happened in 2003 that won't work today?

LEWIS: We had a national strategy to secure cyberspace and as people remember, the original draft written by Dick Clarke was very action oriented, very dynamic and it was significantly watered down by the rest of the White House. What I usually say is they just took out all of the nouns and verbs but they left in a couple of nouns and verbs, and one was the private sector should lead. This has been a mantra in the Internet community for years and the private sector can't lead on this, that's the deal.

CHABROW: Why not?

LEWIS: It is just not capable of meeting the range of threats that we face. There was a big emphasis on public/private partnership and information sharing. I guess the theory was if you told people they were getting whacked, they would do something about it but that clearly hasn't worked and we need to rethink what a public-private partnership means. It gets back to this issue of who is leading? Is it the private sector or the government? I would say a public-private partnership with a more active government role, led by the government and directed toward security is what we are going to have to do and that is not at all what the 2003 strategy envisioned.

CHABROW: Does that mean we will have a need for some kind of regulation?

LEWIS: That is to be determined. Usually when the market fails, you have to regulate. The market has failed so there are some things we can do, but some mandates, some regulation will end up being necessary and that will be one of the things Howard has to tackle.

This doesn't mean some huge regulatory overlay. It doesn't mean giving DHS new authorities, but it means asking yourself what is it that we need to require from consumers or from ISPs (Internet service providers) or from vendors to make the internet more secure?

CHABROW: Why isn't the market working?

LEWIS: Two reasons for that. The first is we haven't seen the demand for security, and some people say that is because people don't know the threat. Compared to the Model T, the Model T was a dreadful car, old, antiquated, wooden parts, no seatbelts, no safety, but people loved them because they were so cool and that is kind of like the Internet. People love it and they use it even though they know it is not secure. They don't realize the risk to themselves and so individuals are willing to accept a risk but when you aggregate that risk it is very damaging for the larger society.

And, so just like cars where we had to set standards for safety - seatbelts and all of the other stuff - that is kind of the model we are in. There are some things that the market will not produce and the other part of this is the most sophisticated threats we face can overpower any private sector effort. I know these big companies that think they do a wonderful job and they have lots of people working on IT, but they are just not going to be a match for the PLA (China's People's Liberation Army) or the SVR (Russia's intelligence agency) that spent hundreds of millions of dollars and have thousands of people trying to figure out how to beat them. And it is not just the Chinese and the Russians, unfortunately. Between the slow pace of improvement in the technology and between the rapid pace of improvement on the threats side, we can't wait for the market to fix this, just as we didn't wait with cars or with airplanes or steam engines or phones.

This happens with all new technologies. It comes out and for a little while it is the Wild West and homebrew and then after a while, it matures and becomes something stable that economies and societies can rely on.

CHABROW: You mentioned a few other things, one was the role of the Department of Defense; I guess there are a few issues here. One is some concern about the National Security Agency's involvement in cybersecurity and the other is what seems to be a delay with the confirmation of Army Lt. Gen Keith Alexander to the Cyber Command position in addition to his role as NSA director. What is happening there with that and how does that fit into the DOD's role in cybersecurity for the government and the nation?

LEWIS: The two aren't necessarily related. As I understand it, the delays with Gen. Alexander are that he has been asked some questions by the committees and they are having to come up with answers to those questions of how will the chain of command work, what are the different authorities that will be used, how will the relationship between the military command and the intelligence agencies work. They are working through some of the hard problems and that is what the reason for the delay is.

The question about DOD's role in cybersecurity gets back to the very sophisticated threat. What people sometimes call advanced persistent threat, which is basically other countries' intelligence agencies. No company can deal with them. No civilian agency can deal with them. DHS is not going to be capable of defeating foreign intelligence agencies and frankly it is not clear to me that the DOD will be able to do it, either, but they are the only people we can afford to put in the game. If we don't find a better way to make use of NSA's capabilities, we will be unable to secure our national networks.

I know that raises all sorts of red flags; the warrantless surveillance program did a huge disservice to the country in that regard of making everyone very nervous about privacy and civil liberties and rightfully so.

CHABROW: Does a change of administration change NSA culture in any way?

LEWIS: The NSA tends to get blamed for stuff that really they didn't do. It is not rogue agents; it is rogue politicians. So yeah, there is a huge change, but the change in culture is at the White House where the feeling that because we were maybe, sort of, kind of in some kind of war that we could suspend the Constitution or at least parts of it. I understand that theory, they harkened back to Lincoln and the Civil War; I don't agree with it, but it wasn't that NSA was saying to itself, "Gosh I want to go out and eavesdrop on people." It is that they were instructed, ordered by the White House to do it. Now they are getting different orders and that should make people comfortable.




