Cyber Statecraft: Linking Geeks and Wonks to Respond to National Security Incidents
While this gap is shrinking in the United States, the United Kingdom, and Russia, it still is very significant elsewhere. China in particular needs to create better ways to connect their national security decision-makers with their technical incident responders – linking geeks and wonks – to help ensure technical incidents do not escalate out of political control.
The Need to Link Geeks and Wonks
Traditionally, malicious cyber incidents are too often handled as a purely technical matter. Accordingly, deep problems remain because there has been no link between the tribes from, for example, MIT and CalTech and those from the Kennedy School and SAIS. To build cyber cooperation, and manage conflict and competition, the world needs solutions combining the best ideas from both these groups.
This gap between technical operators and policymakers has not yet led to deep tragedies but soon might. Imagine a fast-moving crisis where one side’s political leadership is calling their counterparts, demanding answers. The other side in the crisis, however, can neither get good answers from their own internal departments about the incident nor is willing to confess this to the other nation. They would be both out of control of the situation and seemingly even more guilty in the eyes of the world.
According to Banning Garrett, director of the Atlantic Council’s Strategic Foresight Project, this is exactly what happened between the United States and China after the “Hainan Island Incident,” when a Chinese fighter aircraft collided with a U.S. Navy aircraft in 2001. Arguably, failure to coordinate and “vet” decisions among top policymakers also surrounded the China anti-satellite weapon test of 2007 and the initial test of a Chinese stealth fighter that “clouded” the visit of the U.S. Secretary of Defense in January 2011.
US, UK and Russia Making Progress
Fortunately, in some countries this disconnect has been diminishing. In the United States, for example, one of the main success stories of the last twenty years is the growing institutionalized link between policymakers and computer security professionals. Richard Clarke served as a long-time connection, overseeing cyber issues at the National Security Council long before the current Cyber Directorate was launched to continue the task.
Equally important, the United States has an established process to escalate politically sensitive cyber incidents from the technical level (with the Department of Homeland Security’s Computer Emergency Response Team (or US CERT)) up through intermediate levels (such as the Unified Coordination Group (UCG) and Senior Officials at UCG) to the National Security Council. This is similar to the process used for any other national security crisis, which means the president or National Security Advisor could be in the Situation Room chairing a Principals Committee within an hour of a major cyber incident. These senior-most US decision-makers can reach out to any place within the government or, indeed, call directly to foreign heads of state or government to seek cooperation or deliver demands. More needs to be done, but the interagency is one of the healthier parts of the system.
The United Kingdom has also made significant progress in linking their wonks and geeks, with an Office of Cyber Security under the Cabinet Office’s National Security Secretariat. The OCS, along with the Government Communications Headquarters (the equivalent of the National Security Agency), oversees the more technical Cyber Security Operations Centre.
Likewise, the Security Council of Russia has long been active and seems to have strong links to the Foreign Ministry and security services. Even better, the leadership of Russia know their U.S. counterparts through long interaction on more traditional national security issues (like arms control negotiations) so there are both incentives for discussion and some existing channels. Internally, the Russian leadership seems to depend more on “scientific” and “technical” experts for what in the United States would be pure policy issues, but there appears to be strong internal and international dialogue.
These processes for linking technical experts and policymakers do not ensure the right decisions will be made or that the response to cyber incidents will be fast or effective enough. But these systems do map cyber incidents into traditional methods of tackling national security issues, improving transparency both within the government and with foreign observers.
China, unfortunately, seems to lack a similarly complete process to link geeks and wonks for cyber incident response. Although interagency coordination is relatively mature and improving – allowing the Ministry of Public Security (the overall lead) to communicate rapidly with the technical incident responders at CN-CERT and with the Ministry of Foreign Affairs and People’s Liberation Army – China watchers are increasingly seeing a dangerous institutionalized disconnect between these mid-level officials and their political (and Party) leadership.
There is no clear link, as in other nations, for interagency experts to pass information up to the nation’s leadership – or for those leaders to quickly get answers in fast-moving crises, such as in response to questions from Washington, London, or even Moscow. Conflicts and competition involving China in cyberspace thus will only become less transparent, more unstable, and more difficult for both sides to signal each other. The world will be safer once China, the world’s burgeoning new power and clear cyberspace giant, is able to more effectively deal – both technically and politically – with cyber incidents.
President Obama has said the “cyber threat is one of the most serious … national security challenges we face as a nation.” While this is usually seen as a statement of the importance of the issue, it also defines how the United States should respond: with cyber security professionals who understand “cyber” and national security professionals who bring other tools for cooperation, competition, and conflict. To survive cyber conflict, both geeks and wonks in all nations and across borders must accept each other’s strengths – and overlook (or better yet, complement) each other’s weaknesses.
Jason Healey is director of the Cyber Statecraft Initiative at the Atlantic Council. You can follow his comments on cyber cooperation, conflict and competition on Twitter, @Jason_Healey.