Today could be our cyber September 10.
This idea stood out among the insights in the 10-year update of the 9/11 Commission Report released last week. In terms of cyber preparedness, the bi-partisan commission finds the American public remains “largely unaware of the magnitude of the cyber threat” and unimaginative in considering the implications.
This failure of imagination is its own threat. It contributed to our inability to prevent the 9/11 attacks. It is my most poignant memory of that day—the alarming vulnerability of being enormously caught off guard.
And now, it is preventing public support for the measures needed to address cyber threats, the commission finds. It is striking that the first recommendation the commission gives on cyber defense is that senior leaders should “explain to the public—in clear, specific terms—the severity of the cyber threat and what the stakes are for our country.”
What the commission report identifies again and again is a communications problem—and not a trivial one. The overarching theme of the update is that terror threats, both cyber and physical, are entering a new and dangerous phase, while “counterterrorism fatigue” is wearing down public support and decreasing urgency for action.
In the absence of a major attack, we’re becoming complacent. Meanwhile, more than $300 billion of U.S. intellectual property is stolen each year through cyber means, what former NSA Director General Keith Alexander calls “the greatest transfer of wealth in history.” In the cyber realm, attacks are happening every day, and they’re growing.
Here’s how I view the key recommendations the commission offers in regard to cyber threats:
- Communicate the real threat to the public. The report repeats this several times about multiple threats. They recommend specificity and tangibility: “In this era of heightened skepticism, platitudes will not persuade the public. Leaders should describe the threat and the capabilities they need with as much granularity as they can safely offer.”
- Enact cyber legislation that incents public-private cooperation. The commission urges Congress to enact cyber security legislation that allows companies to share cyber threat information without liability and grants them legal authority “to take direct action in response to attacks on their networks.”
- Define the global “norms of cyberspace”—including what constitutes an attack and what the consequences will be. To deter attacks from state adversaries, we need to communicate the consequences of attacking the United States and act on them.
- Clarify and untangle the responsibilities of government agencies. Agencies in the cyber realm, including the Department of Homeland Security, “need to complement, rather than attempt to replicate, the technical capabilities of the NSA.”
Cyber threats and the security measures needed to address them are a complex topic. But we cannot shy away from granularity when discussing cyber issues in the public sphere. National leaders and government agencies must focus on messages that are concise, direct, non-hyperbolic, and repeated.