Waiting for a Cyber 9/11 Is a Poor Security Strategy

The government’s efforts on cybersecurity are intimately connected to terrorist threats.

Today, on the 11th anniversary of the 9/11 attacks, Americans are remembering and honoring those who were lost and affected. Among the stories that have been circulating during the past week (and today) are those that talk about the fight for cybersecurity legislation being about avoiding the next 9/11.  Just this morning, the National Journal ran a story entitled “9/11 Haunts Debate Over Cybersecurity.” Other recent headlines include “Does a Cyber 9/11 loom?” “Former FBI cyber cop worries about a digital 9/11.” and “Despite Threat of ‘Cyber 9/11′, Lawmakers Punt Cyber Security Bill.”

Regardless of whether one believes that a cyber 9/11 or cyber Pearl Harbor is imminent, one thing is clear—the government’s efforts on cybersecurity have and will be intimately connected to terrorist threats to our critical infrastructure. The genesis of much of our cybersecurity efforts pre-dates 9/11, yet trace back to another attack on U.S. soil—the Oklahoma City bombings. Following those attacks on April 19, 1995, President Clinton signed a then-classified Presidential Decision Directive 39 (PDD 39), U.S. Policy on Counterterrorism, that required:

The Attorney General, as the chief law enforcement officer, shall chair a Cabinet Committee to review the vulnerability to terrorism of government facilities in the United states and critical national infrastructure and make recommendations.

The Committee, which became the Critical Infrastructure Working Group, identified critical national infrastructure and the threats to them.  Among its final recommendations—create a commission to further evaluate what should be done to protect our national infrastructure.  From that recommendation, the President issued Executive Order 13010, creating the President’s Commission on Critical Infrastructure Protection. The Commission issued its findings in October 1997 in the report Critical Foundations. Protecting America's Infrastructures. The report connected the dots between terrorism, critical infrastructure protection and cybersecurity in a cohesive manner not previously done. The introduction to the report read:

Our national defense, economic prosperity, and quality of life have long depended on the essential services that underpin our society. These critical infrastructures—energy, banking and finance, transportation, vital human services, and telecommunications—must be viewed in a new context in the Information Age. The rapid proliferation and integration of telecommunications and computer systems have connected infrastructures to one another in a complex network of interdependence. This interlinkage has created a new dimension of vulnerability, which, when combined with an emerging constellation of threats, poses unprecedented national risk.

The Commission noted that while it had “not discovered an immediate threat sufficient to warrant a fear of imminent national crisis,” it was important to address our nation’s cyber vulnerabilities before America faced a disaster, not after. Among the Commission’s recommendations:

  • Information sharing “clearing houses” to facilitate partnerships between infrastructure owners and operations and appropriate government agencies;
  • A real-time capability for attack warning;
  • A top-level policy making office in the White House;
  • Education and awareness program;
  • Government tightening of its own systems;
  • Reforming the legal structure to keep pace with technology; and
  • Research and development

Ironically, these very issues are what we’ve seen hammered out and argued over during the past two years of debate on cybersecurity legislation.   

The PCCIP report led to President Clinton issuing PDD-63, which over time led to additional PDDs and Executive Order. Many were directly linked to the attacks of 9/11, such as President Bush’s issuance of Executive Order 13231, Critical Infrastructure Protection in the Information Age. All arguably followed the language and themes laid out years earlier, whether by building upon them or altering them to keep up with changing technology.

As the same issues continue to evolve today, it may well be that a cyber 9/11 is around the corner. It may or may not be as imminent as it was in 1997 when the PCCIP warned of the need to act. The PCCIP’s conclusion, “waiting for disaster is a dangerous strategy. Now is the time to act,” however, remains valid.

While cybersecurity may have become a political football in recent months leading up to this year’s elections, hopefully government, industry, and political parties will be able to overcome the politicization and polarization to address an issue that is critical to our national security and efforts against terrorism that threatens our critical assets and infrastructure. While President Obama is contemplating issuing Executive Orders and Presidential Directives, it’s clear from the history of cybersecurity policy that Congress will need to act to truly further our nation’s efforts.