Cybersecurity is one of the most important issues being discussed in national security. Since 2005, Shane Harris has served as the intelligence and homeland security correspondent at the National Journal. He has watched cybersecurity move from a rarely discussed topic to the forefront of national security debates. Here, Harris discusses his book The Watchers (forthcoming February 2010 with Penguin Press) and some of the current issues facing cybersecurity.
TNNI: I understand you recently authored a book called The Watchers. Could you tell us a bit about the book?
Harris: That is correct, it will be out Feb. 18 and it is being published by the Penguin Press. Basically, it is narrative non-fiction, meaning it reads like a novel, but is nonfiction–it’s journalism. The story centers broadly on the rise of terrorist surveillance in the United States over the past 25 years. It looks at the evolution of programs that are aimed at gathering and crunching and analyzing huge amounts of data and information to detect the signals of a pending terrorist attack. I tell the story through the lives of five individuals who are the key players in this evolution over the past 25 years and through their interlocking stories. The individuals are actually the ones who have built and in many cases run and overseen these programs in the government. So, it is told from their perspective, very behind the scenes kind of storytelling.
TNNI: That sounds very interesting. So where do you see the right balance between national security and civil liberties?
Harris: That is one of the constant tensions in the book. What I’ve settled on is that the key to achieving that balance is to have a level of public debate, which I think candidly we really haven’t had, certainly not in the past eight to 10 years I would say. I think most people take it as a given that the government is monitoring broadly, things like the telecommunications network, it is looking at data. I don’t think they really know how they are doing it and the reason for that is partly because the operations are secret and the technology is secret, but the government hasn’t really courted a public debate about how do we strike that balance? I think to a certain degree, a lot of that is just the post 9/11 reflex to keep intelligence operations secret and to say that national security is a blanket that prohibits debate.
I am not sure how sustainable that actually is. I think that lawmakers and Congress have tried to get at this over the past few years with things like a new rewrite of the Foreign Intelligence Surveillance Act, trying to give the government the latitude it needs to collect and analyze information and at the same time implementing these ostensible checks and balances and safeguards in the system. The problem has been that the government has come down on the side of ‘let’s collect as much as we possibly can’ and the law has been written to largely govern the acquisition of that information. Comparatively less attention has been paid to what does the government DO with it once it gets it. One of the things I go into in the book is exploring how a lot of these systems that are designed to ingest a lot of information and try and sift it really don’t work all that well and are not terribly effective. They are certainly not doing what they are designed to do, which is to somehow see into the future and predict when the next attack is coming. I think there has to be much more of a debate publicly about how the government goes about doing these things, which is what I explore in the book. But I am also not sure that the legislative prescription has been exactly right because it has been so focused on the acquisition of the information, the collection, and not what you do with it or the connecting of the dots.
TNNI: Let’s talk about cybersecurity a bit. It has become a buzzword recently, a lot of people are talking about it. There are several bills in Congress that are looking to strengthen cybersecurity. This past month, October, was National Cyber Security Awareness Month. How effective do you think this kind of push to educate the public has been? Do you really see education efforts having an effect, or do you think people are still relatively unaware of the cyber threat?
Harris: Relatively unaware. We should recognize first that it is hard to get an exact measurement of how much this is resonating with the public. I suppose you could look at things like, have the rates of certain kinds of cyber crime that depend upon duping an unwitting victim, have those gone down? That would be one way to look at it perhaps. I think that overall though, this sort of raising public awareness is probably a good thing. I can remember when I was a kid we had public-service announcements talking about ‘if you give a hoot, don’t pollute’ and ‘only you can prevent forest fires’. It was the age of trying to almost indoctrinate a safety mentality into a younger generation. A lot of people I have talked to in government say that is kind of where we are at with cybersecurity now. That it’s ripe for this sort of very broad public information campaign. It’s not even so much aimed at making people aware of the dangers, but at the same time trying to inculcate good behavior from the outset. And I know that the White House, the administration, calls for some level of that. I think that that is just beginning to happen. We have a long way to go in terms of educating an entire generation of people. I think it is probably going to start with the young people now. It is not to say that if you are of a certain age you are hopeless, but I think you are more likely to ingrain it as a foundational kind of awareness if you are starting with kids.
TNNI: There has been some significant speculation around the naming of the cyber coordinator, or “cyber czar.” Why do you think that it is taking so long and do you think that maybe we are missing some things currently by not having someone in that position?
Harris: I see a couple reasons about why it has been taking so long. One is I am not sure that the position has the authorities that a strong coordinator, quote unquote ‘czar’ would demand or need to really get the job done. If you look at broadly what that position is supposed to do, it is pretty daunting. You are talking about somebody who is essentially acting like a coach for a soccer team that has a lot of really aggressive and talented players on it and who is really going to corral all of them. It is probably not going to have budgetary authority, at least not directly. The position was originally conceived as having ‘direct access’ to the President; he has now said that the person will have ‘regular access’ to the president, which is a big change. I think that if you at least look at the list of names that has been vetted for the job, these are not people who I think are going to be inclined to take a position that is essentially a subordinate staff position. They are going to want some more authority; they are going to want some more power than that. I think the other part of it is that the administration has its hands full with healthcare legislation, the economy and I think that probably, to a degree, this cyber coordinator issue is just slipping a little bit in priority. Unless it gets that real focus from the top, it is not going to get any movement. You couple that with the fact that the position itself probably seems somewhat unattractive to a lot of people. I think that that helps explain why it is taking so long.
In terms of what we are missing, by that person not being in there, it’s interesting. If you look at this from the DoD’s perspective, from the military perspective, they are moving forward with plans to go ahead and set up a cyber command, which will be run by the director of the National Security Agency, it will be a dual-hat position. It seems to me that there is momentum behind these efforts, going forward independently of the coordinator. And I think that you could make the argument that the longer those kind of initiatives go on without somebody coordinating them, the less coordinated they will be. I have a sense that the White House probably grasps that, and now you are seeing lawmakers introducing measures to try and force them to go pick that person and put that person in there and to try to have a say over what those authorities will be. So I think the mood of lawmakers is probably becoming increasingly impatient on that issue.
TNNI: What do you see as the role for government contractors in the field of cybersecurity in the coming years? There has been a lot of talk about all this money that will likely become available in the field, how do you see that playing out?
Harris: I think the role is going to be absolutely central. If you just look at the numbers, just looking at it from a recruitment standpoint for instance, the government is, this is true across the board for any intelligence/security contracting space, it is always going to be at a disadvantage with private industry in terms of the money that they can pay, how quickly they can hire people. They are competing for this very specific kind of talent. From the perspective of an organization such as the National Security Agency, which plays a leading role in this, or the Homeland Security Department, which is going to play increasingly important roles still to be determined, they are looking for people with highly, highly developed technical skills and those people don’t just fall off of trees. They are competing for them with private industry.
You are also looking for a kind of person who might not be culturally predisposed to working in government or working in a bureaucracy. I think a lot of times the people who have these kinds of high-level computer security skills are by nature going to be more independent, perhaps even more rebellious. But the fact of the matter is that the government cannot do this cyber mission without private-sector expertise and involvement. They don’t have enough people on their own and frankly the private sector is developing a lot of the technologies that are going to be central to doing cybersecurity. So the term, private-public partnership gets sort of bounced about and has become something of a cliché, but I think it is absolutely true in this case. I don’t sense that there is any backlash per se, against contractors being involved in cybersecurity, but of course, as you know, there is generally, particularly in the security and intelligence base over the past few years, a backlash generally against contractors. That could cause some problems ahead, but broadly speaking, that is not going to be a big issue. Your traditional Beltway companies that have always had a role in the space are just going to be increasing. You see them now, brand name contractors posting ads that say things like ‘cyber warriors wanted’, I mean, that is actually a real ad. They are out there recruiting very heavily, as is the NSA. The NSA four or five months ago took out a full-page ad for cyber specialists in WIRED magazine. So you are seeing a really high level of pitch and a lot of activity on both sides, private and public.
TNNI: Finally, how do you see cybersecurity developing in the coming years?
Harris: I think it is going to become increasingly central to national security policy. I think that cybersecurity has arrived in terms of the attention that people are paying to it at a very high level in the government. I think that you are not going to see its profile diminish. It is not going to suddenly become an issue that is only the domain of technical officials and not getting a lot of high-level attention and a lot of money. I think what it is lacking at this point in terms of really shaking up the system even more, and this is not something that anybody hopes for, is a very public, massive kind of attack, something on the order of, not necessarily 9/11, that extreme, but something that certainly gets a lot of people’s attention. Something that breaks through the technical barrier and makes everybody in America aware of the risks on the network. You saw this happen to a degree in an attack a few years ago in Estonia and the attack in Georgia as well, which I think most experts blame on either the Russian government or sources inside Russia acting on behalf of the government. You saw this massive assault on a nation’s critical infrastructure. The government of Estonia essentially came under this digital barrage and was knocked offline for a period of time. An event like that in the United States would galvanize policy very quickly. That is certainly a real possibility and we need to take this issue seriously, which is why you are seeing it getting such high levels of attention from the White House.