Should the U.S. Develop a National Cyberdoctrine?

With cybersecurity breaches on the rise in both the public and private sectors, concerns have arisen regarding whether cyberattacks are being properly combated. These rising concerns have many in the IT industry asking if and when the U.S. federal government will develop a national cyberdoctrine to guide U.S. policy in these matters.

Earlier this month, the Potomac Institute Press released a new book #CyberDoc: No Borders – No Boundaries, which addresses the rising concern of cyber-related disasters and the growing need for such a doctrine.

U.S. Cyberdoctrine: Questions to Ask Before developing a national cyberdoctrine, Michigan’s Chief Security Officer Dan Lohrmann suggested that 10 big questions be asked before moving forward:  What data and threat information can be shared before, during and after cyberattacks? (This includes public- and private-sector roles/responsibilities.) What are the roles of the National Security Agency, the U.S. Department of Homeland Security, other agencies or the military in private networks in the U.S.? Can we engage in offensive capabilities to stop the attackers? What privacy rights do citizens and corporations have regarding Internet activities? Who pays for what cybersecurity protections? What is voluntary and what is mandatory? Do we need minimum standards for critical infrastructure?  With 80 percent or more of Internet infrastructure owned by private companies, what is the government’s role and what are the private-sector roles? What is an act of war in cyberspace? When do nations cross the lines? How can we govern cyberspace in the U.S. and around the globe? (What is the United Nations’ role?) What training is needed on the doctrine? How will it be provided? Image courtesy of Shutterstock

“The book is a call to action,” said Tim Sample, vice president and sector manager of special programs at Battelle and co-editor of #CyberDoc. “It says that we are really not only out of time, but we are behind time in having a [national cyber] doctrine that people can relate to as we go forward.”

Sample said a national cyberdoctrine would place an overarching framework on these matters, and would allow for all levels of government to orchestrate a plan on cyber-related issues and determine government’s role in the process.

In the U.S. alone, cyberattacks have not been uncommon. In recent months, the South Carolina Department of Revenueunderwent a major cyberattack that compromised millions of customer records. Since the beginning of a series of attacks that started in August by hackers, 3.6 million Social Security numbers were exposed, as well as debit and credit card information from state tax payers.

Loose-knit hacker collective “Anonymous” sparked controversy over numerous incidents involving the exposure of sensitive data after the group targeted companies like Sony and Bank of America.
But even with security breaches making media headlines, David Fisher, vice president of cyberinnovations for Battelle, said it is still unclear who is posing the major threat to the U.S. on cyber-related matters and how severe the threats may be.

“There is no way right now to disguise and deal with those various actors through any kind of policy or doctrine, and I think that that is one of the key points in all of this …” Fisher said. “Is it a criminal activity? Or is it act of war? Is it espionage?”

Although the U.S. continues to face the threat of cyberattacks, the federal government has attempted to address the issue. However, according to Dan Lohrmann, Michigan’s chief security officer, the White House and Congress cannot agree on cyberlegislation. While Lohrmann is in favor of the idea of developing a national cyber doctrine, challenges still lie ahead.

“Unfortunately, I don’t think we have a consensus on what that doctrine should be,” Lohrmann said. “Many in the private sector are afraid of ‘Big Brother’ taking over the Internet, while others worry that we are not doing enough to protect critical infrastructure from a ‘cyber Pearl Harbor’ or major event.”