A Failure to Identify: A Look at United States Cyber Policy
The old adage that history repeats itself is ever present in Fred Kaplan's Dark Territory: The Secret History of Cyber War. There is a recurring theme in the United States (US) government of implementation lag, policy lag, and a lack of proper oversight in this rapidly changing technology age. The problem is threefold: (1) the lack of an implementation plan makes the policy just a piece of paper with ink, (2) the absence of policy hinders the ability of entities to protect critical cyber infrastructure in a systematic manner, and (3) the lack of proper oversight gives entities the opportunity to use technology with little to no accountability, in some instances on the fringe of ethical use. The reader finds these exact cases after stripping away the minutiae of Kaplan's book.
Kaplan does well at setting the tone for the book. He paints a picture of science fiction becoming science fact by introducing the 1983 movie WarGames, about a tech-whiz teenager who unwittingly hacks into the main computer at NORAD, the North American Aerospace Defense Command (Kaplan 8). What followed 15 months later, after President Ronald Reagan asked his staff about the validity of the movie, was National Security Decision Directive Number 145: National Policy on Telecommunications and Automated Information Systems Security (NSDD-145), signed on 17 September 1984, which marked the first of many national policies involving the emerging cyber landscape. This, however, was short-lived as the issue vanished, at least in the realm of high-level politics, and [w]hen it reemerged a dozen years later, after a spate of actual cyber intrusions during Bill Clinton's presidency [1993 - 2001], enough time had passed that the senior officials of the day were shocked by the nation's seemingly sudden vulnerability to this brand-new threat. The technology climate at the time of signing was nowhere near as robust as today's. Kaplan notes that the first public Internet providers wouldn't come online for another few years. This climate clearly shapes the apathy of senior officials. While the prescient nature of the policy showed that the US government understood the impending threat, this meant nothing without proper implementation.
The recurring theme of lag, this time in policy, continues in a 1990 study by the U.S. Office of Technology Assessment, a congressional advisory group, called [the] Physical Vulnerability of Electric Systems to Natural Disasters and Sabotage. The study paints a concerning picture of which power stations and switches, if disabled, would take down huge chunks of the national grid. Kaplan walks the reader through a timeline of subsequent events, culminating with Presidential Decision Directive 63 (PDD-63), titled Critical Infrastructure Protection, signed 22 May 1998. Kaplan does not explicitly note any protective actions occurring in the 8 years between the publishing of the 1990 study and the directive in 1998. The issue was only compounded when the directive called for an additional 5 years to achieve and maintain the protection of these critical infrastructures. This inaction would soon change with the leak of classified documents from the infamous NSA analyst, Edward Snowden.
Snowden's 2013 leak amounted to a treasure trove of tens of thousands of highly classified documents. Of those documents, the most damaging concerned a program known as PRISM in which the NSA and FBI tapped into the central servers of nine leading American Internet companies (Microsoft, Yahoo, Google, Facebook, AOL, Skype, YouTube, Apple, and Paltalk), extracting email, documents, photos, audio and video files, and connection logs (131). The NSA released a statement shortly after the leak made headlines, stating that PRISM was the most significant tool in the NSA's arsenal for the detection, identification, and distribution of terrorist threats to the US and around the world. Kaplan goes on to show how NSA lawyers even altered plain definitions [with the FISA Court (a.k.a. Foreign Intelligence Surveillance Court)], so that doing this [type of surveillance] didn't constitute collecting data from American citizens [which is illegal]. Under the new definition the NSA was just storing data; the collecting wouldn't happen until an analyst went to retrieve it from the files. Here is a depiction of gross manipulation in order to put the agency's goals over rights granted by the Fourth Amendment. Kaplan makes it clear that the restraints had been put up from the inside, and they could be taken down from the inside as well. There were no external auditors for checks and balances. Furthermore, what would have happened if a rogue NSA director or a different president, like Richard Nixon, were in power? The potential for abuse would be staggering.
From the first national-level policy on cyber warfare, NSDD-145, to the political aftermath of the Edward Snowden leaks, the author presents a coherently woven piece of work, while providing the reader with first-hand accounts of the significant events throughout the US's growth in the computer age. He sprinkles in well-known characters (e.g. Edward Snowden, President Barack Obama) and federal agencies (e.g. FBI, CIA, NSA), while breaking down the US government's struggle with the proper, policy-driven use of technology. This is a recommended read for everyone from those with established cyber roles in the government to those who want to understand how the failure of governmental cyber policy allowed for the overreaching of boundaries. What it comes down to is whether you want to At its core, Kaplan depicts a history of the United States (US) Government failing to create policy (i.e. the boundaries) for the use of emerging technological advances in the cyber domain.
Kaplan, Fred M., Dark Territory: The Secret History of Cyber War. Simon & Schuster Paperbacks, 2017.
Underwood, Kimberly, The U.S. Government Urgently Needs to Address Cybersecurity Challenges, Signal, September 24, 2018, https://www.afcea.org/content/us-government-urgently-needs-address-cybersecurity-challenges.
PDD-63 - Critical Infrastructure Protection, 5/20/1998, https://clinton.presidentiallibraries.us/items/show/12762.