At least two major events have changed the US national security cyber playing field in the last two weeks.
First was US national intelligence director James Clapper’s speech in late February that cyber attacks pose the No. 1 threat to the US – more so even than the surge by Sunni extremist groups in the Middle East, and the pursuit of nuclear weapons by Iran.
The second was the CIA’s decision in early March to carry out one of the largest restructurings in the agency’s 70-year history, and create a powerhouse cyber directorate – a move that will require grabbing a range of powers from the four existing directorates.
The two moves may not be unrelated, and could shed light on just how challenging the cyber threat is for advanced open democracies like the US and Israel, where so much of the country runs on hi-tech.
Clapper for the first time publicly attributed the 2014 attack on the Las Vegas Sands Corporation to Iran, and announced that “the Russian cyber threat is more severe than we’ve previously assessed.”
But surprisingly, the national intelligence assessment Clapper was presenting then downplayed the idea of a “Cyber Armageddon” or “Cyber 9/11,” characterizing the “likelihood of a catastrophic attack from any particular actor” as “remote at this time.”
Instead, the assessment emphasized the costs from “an ongoing series of low-to-moderate-level cyber attacks from a variety of sources over time, which will impose cumulative costs on US economic competitiveness and national security.”
Sometimes a major policy shift can be missed in the voluminous information presented in these assessments and the bureaucratic-speak of government officials. But anyone who carefully followed Clapper and the assessment would see that the US has made a choice to recharacterize the nature of the cyber threat – moving from trying to prevent the cyber threat to managing it.
The assessment states straight out that “the cyber threat cannot be eliminated; rather, cyber risk must be managed.” The US would not push for a move to threat “management” if it was still defining the cyber threat in terms of a potential Cyber Armageddon.
By discounting the cyber threat and redefining it as “ongoing... low-to-moderate-level cyber attacks,” Clapper provides a safe landing for justifying managing, and not eliminating, the threat.
Underneath all of this is also an American admission that it does not have the power to eliminate the threat.
The CIA’s change and its explanation also left significant points unstated.
CIA Director John Brennan said he is establishing a new Directorate of Digital Innovation, to lead efforts to track and take advantage of advances in cyber technology to gather intelligence.
Historically, electronic eavesdroppers at the National Security Agency have been at the cutting edge of digital innovation within the US government. But a statement posted by Brennan said the CIA needed to reorganize to keep up “with the pace of world events.”
Brennan said the digital directorate will have equal status within the agency with the four directorates that have existed for years. “Digital technology holds great promise for mission excellence, while posing serious threats to the security of our operations and information, as well as to US interests more broadly,” Brennan’s statement said.
He added, “Never has the need for the full and unfettered integration of our capabilities been greater. If we are to meet the challenges of the current national security environment, we must take some bold steps.”
This time, the underlying message is that with all of the intimidating powers of the US intelligence community, it feels totally incapable of keeping up with cyber threats – and will continue to be so, until it massively reorganizes.
Israel is following similar trends.
Last September, Prime Minister Benjamin Netanyahu trumpeted “Beersheba as a new cyber center” similar to the Silicon Valley, offering serious tax breaks for groups working with his cyber bureau chief, Dr. Eviatar Metania.
At the same 2014 conference where the prime minister spoke, Metania said that in the coming weeks, “around Rosh Hashana,” they would announce a “new national protective cyber shield,” with the Beersheba cyber hub at its center.
The joint announcements along with the prime minister’s showing of praise on Metania also indicated that Netanyahu was empowering Metania at the expense of the Shin Bet (Israel Security Agency) in ongoing internal turf wars.
That reorganization is at least as major as the CIA’s reorganization.
The debate about cyber risks, and whether they are significant as Armageddon-type threats or as persistent threats, broke out at the same conference. In a clearly un-choreographed controversy, Metania slammed IDF Maj.-Gen. (res.) Uzi Arad for saying draftees should choose combat units over cyber units.
Responding, Metania implied that Arad was out of touch with current IDF needs and threats, and that it was inappropriate to tell draftees what units to choose.
Arad broke with conference speakers and three “doom and gloom” videos showing cyber risks, telling the conference that “some are exaggerating the threat” and that he thought Israel was “in a relatively good place” in cyber defense.
Metania’s rebuke was much stronger on the recruitment issue than on arguing that Israel faced an imminent Cyber Armageddon, and most conference speakers spoke in terms of “managing” the cyber threat, admitting that preventing the cyber threat was unrealistic.
On one hand, the US and Israeli moves may just be smart mid-course adjustments to better allocate resources and confront a diversity of threats, as opposed to only the worst-case scenarios.
On the other hand, admitting to an inability to eliminate the cyber threat and the need to massively change the CIA and likely the Shin Bet’s powers, shows how far two of the world’s most advanced countries have to go.