It's no secret that the United States faces advanced, persistent threats to the security of the networks and data that drive our daily lives—from state, state-sponsored, and non-state actors, to criminal organizations, hacktivists, and 'lone wolf' cyber terrorists, even insiders who work amongst us. How do we begin to defend ourselves against those threats? To take a lesson from the war on terror, we think it will take a network to defend our networks, but in this case, a human one: a network of citizen cyber-soldiers developed and deployed across our public and private sectors, all connected in support of our common defense.
The Constitution's preamble empowers the federal government to provide for that common defense. In the earliest days of our republic, that meant reliance on citizen soldiers from among the 13 original colonies. When a threat arose, they came together as one, to fight for the greater good. We believe that this simple and profound model can be adapted to address the cyber wars (declared and otherwise) that lay ahead…to look back to our origins and apply the citizen militia model to the cyber-defenders of tomorrow.
The foundation for that network of cyber-defenders has already been laid. President Barack Obama has issued several executive orders to promote the sharing of cyber threat information, and organizations and institutions are beginning to form together to do just that. However, sharing information is just the first step. That information needs to be translated into insights and actionable intelligence, something only a boundary-spanning network of cybersecurity experts—trained to the highest standards, vetted for trustworthiness, and connected by a shared ethos—can do.
Our cyber adversaries respect no boundaries, and those who defend us against them must be able to operate in kind, no matter where they work. The members of a boundary-spanning network of defenders would be in a position to respond quickly and collaboratively to a potentially crippling cyber-attack.
Authority and precedent exist to do this. Executive Order 13636 instructs the Secretary of Homeland Security to bring private sector cyber experts into government on a temporary basis. Likewise, the intelligence community is authorized to create the civilian equivalent of the US military's vaunted ROTC program to develop civilian intelligence officers and analysts, including those who work the cyber beat. However, these authorities have been woefully underutilized, and we believe they can be better leveraged to develop the sort of connected cadre of cyber defenders—think of them as a virtual Cyber National Guard—who can be 'called up' to bring their expertise to bear whenever and wherever needed.
Something like this has been done before. The nation created a similar network of intelligence operatives and analysts ten years ago, in part by requiring the sixteen different agencies that comprised the US Intelligence Community (IC) to share their best and brightest professionals, and in so doing, create a cadre of 'joint' intelligence officers that could "connect the dots."
Patterned after a similar requirement for military officers mandated by the Goldwater-Nichols Act of 1986, the IC's initiative has produced a network of over 12,000 intelligence professionals, connected and collaborating in support of our common defense. Retired Vice Admiral Mike McConnell, the former Director of National Intelligence, credits the program with changing the mindset and culture of the U.S. intelligence community, and recently told us that it was "one of the most fundamental and profound mechanisms to achieve a culture of collaboration among the organizations charged with identifying and thwarting our adversaries."
We need that same culture of common cause and collaboration in our cyber defense. The president's information-sharing executive orders have set the stage to collect the dots, but they leave to chance how they may best be connected, and in our view, it ultimately takes a network of people to do that.
Today, virtually all organizations, public and private, operate as separate islands, each responsible for their own cyber defense, and the bureaucratic boundaries that separate them impede their ability to fight the virtual fight in a unified way. To be sure, public and private entities do, from time-to-time, receive help connecting the dots from the federal government: advice and support from the FBI, information from the Department of Homeland Security, and guidelines from the National Institute of Standards and Technology. But that is simply not enough.
We believe that the concept of 'jointness' pioneered by the US military and intelligence community can be adapted to fight the cyber wars of the future. Working out the details will be hard and complex, especially given the need to apply it across public and private sectors without compromising proprietary information and incurring legal liability. But make no mistake. It will take a network—a modern-day militia of citizen cyber soldiers, connected in our common defense—to protect the networks upon which we are so utterly dependent.
Ron Sanders is a vice president and fellow with Booz Allen Hamilton. Michael Richter is an attorney in private practice in New York. Sanders and Richter worked together at the Office of the Director of National Intelligence.
