Over the past couple of months, the Pentagon has assumed an increasing role in defending American networks. In October, Secretary of Defense Leon Panetta announced new rules of engagement for the Pentagon's cyber operations. "The new rules will make clear that the department has a responsibility, not only to defend DOD networks, but also to be prepared to defend the nation and our national interests against an attack in or through cyberspace." Panetta insisted that the Pentagon would play only a "supporting role," but as James Lewis at the Center for Strategic and International Studies pointed out, "When it comes to cybersecurity, the center of action just shifted." And, indeed, a few weeks ago, the Washington Post revealed that President Obama had signed a secret directive expanding the U.S. military's authority in cyberspace to include defense of non-military networks.
It is a sign that efforts to develop the capacity of the Department of Homeland Security (DHS) to defend cyberspace have not kept pace with the perception of increasing threats. But it's also a sign that the United States is struggling to adapt to a world of transnational threats -- and risks eroding the fundamental distinction between the traditional roles of civilian and military forces in providing security. The Posse Comitatus Act of 1878 has restricted the deployment of federal troops in the homeland since the end of Reconstruction. It enshrined the idea that police forces are responsible for security within U.S. borders, while the military protects against threats beyond the country's borders. That is why only in extreme circumstances -- a natural or man-made crisis -- do we see troops in the streets.
The new policy is essentially the result of a trade-off between authority and capacity: The Department of Homeland Security has the authority, but not sufficient capacity to effectively defend the nation's networks. In contrast, the Department of Defense has better capacity, but not the authority. The choice then is to build up DHS's capacity, leaving the nation less protected in the interim, or expand DOD's authority. (This publication by National Defense University provides a more comprehensive analysis of the various policy options.)
Apparently, DHS has not been coming on fast enough. Lewis notes that "Iran has discovered a new way to harass much sooner than expected, and the United States is ill-prepared to deal with it," referencing the cyberattacks against the Saudi Aramco and RasGas companies. Secretary Panetta points out, "We know that foreign cyber-actors are probing America's critical infrastructure networks.... We know of specific instances where intruders have successfully gained access to these control systems. We also know they are seeking to create advanced tools to attack these systems and cause panic, destruction, and even the loss of life."
So does that mean the Posse Comitatus Act doesn't apply in cyberspace? Or if it does apply, how so? While cyberspace is bound by physical infrastructure located on territory with national borders, cyberspace as a domain is very different from any of the four other territorial domains -- land, sea, air, and space. There is no physical border in cyberspace that an attacker must cross to hit his or her target, as there was for the British ships in 1777, the Japanese planes in 1941, or the terrorists on 9/11. An attack can happen anywhere within the United States, and in the case of a zero-day exploit -- a cyberattack using a previously unknown vulnerability -- without prior warning. Given the continued difficulty of attributing the source of an attack, how will the government know whether suspicious activity is a criminal matter most appropriate for law enforcement, or a security matter falling within the Department of Defense's mission to protect the nation against threats from abroad?
Expanding the Pentagon's role is a slippery slope. Not only is the military ill-suited for many civilian tasks -- witness police training in Afghanistan -- it can also easily bump up against civil liberties. For example, the warrantless wiretapping scandal during the last decade included the National Security Agency -- whose director also leads U.S. Cyber Command -- which was authorized by an executive order to conduct domestic surveillance. If the military is taking over cybersecurity simply because it has greater capacity, what will prevent it from being asked to assume ever greater homeland responsibilities in the future? After all, the Pentagon is the largest organization in the world -- it has more capacity when it comes to any number of problems. But capability is not a sufficient argument for policy. It highlights how reactive our current approach to cybersecurity is. It is born out of immediate necessity to fill the current gap, but we need an effective longer-term plan -- and an exit strategy for the Pentagon's involvement in domestic security.
The public needs to start discussing how comfortable it is with the military's role in cyberspace. Clearly, some advocates are not: The Electronic Privacy Information Center, for example, filed a Freedom of Information Act request the same day the Washington Post revealed the secret directive, arguing that "transparency in cybersecurity is crucial to the public's ability to monitor the government's national security efforts." Congress faces a choice, too. So far it has not passed effective legislation, even though both parties agree that there is a need for a comprehensive domestic strategy to protect critical infrastructure. Is Congress more comfortable with the alternative -- the U.S. military becoming increasingly involved in domestic security?
What about the private sector? The U.S. Chamber of Commerce has been blocking action and watering down legislation lest business be forced to adhere to even minimum security standards. It does not suffice that some industry members develop strong security standards while others refuse to adopt them, creating negative security externalities for others in the sector who are trying much harder. Harvard Law School professor Jack Goldsmith makes a compelling case: "This is a classic case for government regulation -- indeed, it is the classic case for government supply of the public good we call national defense, since there is every reason to think that the private sector, following its private interests, will undersupply national defense in this context."
Some of the issues cybersecurity entails affect core principles that have been a foundation of democracies for over a hundred years. But extending DOD's authority to manage the cyberthreat should be an interim solution with a sunset clause and an exit strategy for when DHS has the capacity. After all, the Secret Service is also part of DHS and enjoys an excellent yet underreported reputation when it comes to cybersecurity. The Secret Service was able to develop its expertise and become a leader in this field as the Internet spread over the last 15 years. Why should this not be possible at a larger scale for DHS, especially since it was established only a decade ago? The Pentagon plays a crucial role, but as with any crisis in a democracy, using the military should always be a last resort and a temporary state. The administration has been trying hard to address these challenges, and Congress demonstrated this year that it considers cybersecurity a top issue. This administration's first cyberstrategy has been called "clunky"; it now has a second term to develop a smoother long-term strategy.