In the 1983 movie WarGames, a teenager/hacker named David Lightman breaks into a military computer and challenges the WOPR (War Operation Planning Response) supercomputer to a game of Global Thermonuclear War. The result? A nuclear war simulation that nearly starts World War III as WOPR convinces the military that Soviet nuclear missiles are inbound and that the USSR is staging an attack on the U.S. In an attempt to get WOPR to stop playing the “game,” the computer is directed to play tic-tac-toe against itself. The computer learns from this exercise the concept of futility as its tic-tac-toe games end in draws. The computer then stops its game, noting to its human observers, “A strange game. The only winning move is not to play. How about a nice game of chess?”
Watching the movie this weekend on Netflix reminded me of our nation’s efforts to achieve cybersecurity. Reports this past week made me wonder if, perhaps, those efforts are much like a game of tic-tac-toe or Global Thermonuclear War. Last week, the Government Accountability Office issued a report that raised concerns about the Obama Adminsitration’s implementation of recommendations included in the White House’s 2009 cybersecurity review. The GAO noted that of the 24 recommendations laid out by the review, only two have been fully implemented – the appointments of Howard Schmidt and a privacy/civil liberties official.
The GAO found that some progress had been made on 22 of the 24 recommendations but concluded that
[o]ur extensive research and experience at federal agencies have shown that, without clearly and explicitly assigned roles and responsibilities and documented plans, agencies increase the risk that implementing such actions will not fully succeed. Consequently, until roles and responsibilities are made clear, and the schedule and planning shortfalls identified above are adequately addressed, there is increased risk the recommendations will not be successfully completed, which would unnecessarily place the country’s cyber infrastructure at risk.
Defining roles and responsibilities is not an easy feat. Since 1996, when President Clinton first took a comprehensive approach to critical infrastructure protection and cybersecurity by putting it on the government’s radar, there has been a struggle on who should be responsible for cybersecurity. That effort was recreated/repeated when President Bush issued a national strategy in 2003 and then, again, in 2008, created the Comprehensive National Cybersecurity Initiative (CNCI). Thus, the 2009 review referenced by the GAO was not the first effort in what seems to be a continual game of tic tac toe.
Part of the problem is that cybersecurity is present in so many different areas, requiring (seemingly) various agencies to be engaged. When the Department of Homeland Security was created, many of the government’s cyber efforts were merged into the new agency, though many agencies chose not to transfer over elements that would have made the new Department’s cyber efforts stronger. The result? DHS, while improving, continues to struggle with its efforts to lead on the cybersecurity front, especially as it does not have explicit authority to tell other agencies what to do on the cyber front, especially with regards to private sector engagement.
I’ve written several times about the struggle between DHS and the Department of Defense for leadership of the nation’s cybersecurity efforts. Last week, Defense Secretary Robert M. Gates and Homeland Security Secretary Janet Napolitano announced that the two agencies signed a memorandum of agreement to better protect against threats to military and civilian computer networks and systems. The agreement calls for DoD cyber analysts to work with DHS to support the National Cybersecurity and Communications Integration Center. In addition, a DHS senior staffer will be detailed to NSA. While promising, the skeptic in me hopes that we do not see a repeat of the National Infrastructure Protection Center “sharing” experience of the 1990s where the FBI and the Secret Service joined efforts on cybercrime and infrastructure protection, only to see the Secret Service to abandon the NIPC over operational differences.
So is our cybersecurity effort futile? Unlike Global Thermonuclear War, it is not the case that “the only winning move is not to play” on the cybersecurity front unless, of course, one advocates an impossible-to-achieve Luddite-approach to unplugging our society from computers. If we can realize that total elimination of cyberthreats is impossible and that our efforts should be to focus on how to mitigate potential threats and risks as much as feasible and imaginable, then we may continue to make progress on the cybersecurity front. I’ve noted before that the Obama Administration appears to have the right people in place. With expectation management and a commitment to not repeat past mistakes, we may just see an end to the cybersecurity tic-tac-toe.