Throwback Thursday, Cyber Edition #CTBT

By Phil Reitinger

Sometimes it’s fun to examine cyber “historical documents” to see the postulates and predictions of the time. The recent release of PPD-41 caused me to look back at one of my favorite oldies – PDD-63 in 1998:

“No later than the year 2000, the United States shall have achieved an initial operating capability and no later than five years from today the United States shall have achieved and shall maintain the ability to protect the nation’s critical infrastructures from intentional acts that would significantly diminish [critical functions].”

The PDD goes on to say: “Any interruptions or manipulations of these critical functions must be brief, infrequent, manageable, geographically isolated and minimally detrimental to the welfare of the United States.”

Let’s think about that for a moment. In 1998, the President of the United States set a goal that by 2003 the US would achieve and maintain an ability to prevent significant effects from attacks (cyber or otherwise) on the nation’s critical functions. How are we doing on that one? And let’s not even discuss the goal that any interruptions of critical functions be “geographically isolated” – for cyber attacks, I am not sure that is possible in a significant number of cases.

That’s perhaps good for a laugh, or maybe an uncomfortable grimace, but it also tells us something about how we should act now. It is incredibly hard to make accurate predictions about where information technology and networks will take us, and which strategies will be effective. Those who lived through the first decade of this millennium will remember blithe predictions that public-private partnerships or the market would solve the cybersecurity problem. That’s not to say that the market and public-private partnerships are not critical – they undoubtedly have been and are – but that in a world of exponentially increasing network complexity, we need more than magical thinking that a Presidential Directive or a National Strategy will make a difference standing alone.

Instead, we need to treat one of the greatest international security problems like a great international security problem:

  • Cybersecurity must not be a political football – either between Rs and Ds in the US or between the US and Europe;
  • Governments must provide resources that reflect the scale of the problem – if a program from a large industrialized government doesn’t have a “billion” associated with it perhaps we should wonder why;
  • If we want to really affect the problem we have to be able to measure it – that’s why utilizing programs such as CyberGreen to measure Internet “health” is so important; and
  • While working on the problems of the future too, we have to work just as hard on the hard problems of the now – the systemic cyber risks that exist now and will hang around for decades unless we do something.

The author, Phil Reitinger, is the President and CEO of the Global Cyber Alliance. You can follow him on Twitter @CarpeDiemCyber.