How the CIA can get from spy to cyberspy
"No agency employee should be able to say 'cyber' isn't in their job description," writes Jane Harman.
Agility and digital savvy traditionally haven't been the strong suits of government agencies, so it's encouraging that CIA Director John O. Brennan wants a big investment in cyberespionage and a new Directorate of Digital Innovation as part of what he calls a “bold” reorganization of the CIA. Brennan's overhaul is commendable, but it's urgent to do more to make his agency cyber literate.
Cyber competence isn't just a set of technical skills; it's a state of mind. Digital thinking must be baked into the CIA's whole intelligence mission and its covert operations. No agency employee should be able to say “cyber” isn't in their job description. As Brennan brings more hackers to Langley, Va., he should be careful not to let new walls rise between the new digital spies and those undercover. There's precedent for this: The agency's counter-terrorism center successfully dismantled silos between analysts and operators to track militants around the globe.
Next, the Directorate of Digital Innovation should think critically about what it means to conduct clandestine operations in the digital realm. Unlike drone specs or bomb schematics, code is very difficult to keep classified. Think of the Stuxnet virus. Even though it was written to attack a closed computer network, the code escaped onto the broader Web, where it was publicly dissected by digital security firms such as Symantec. Since then, more cyberespionage tools have been uncovered “in the wild,” meaning some are suddenly available to rogue nations and terrorists. As the CIA gets into this game, it should keep in mind the old admonition not to write down anything you wouldn't want to see on the front page. In this case, be wary of writing code you wouldn't want thrown back against your own networks.
The agency also will face tough decisions about if and when to share knowledge about computer and network vulnerabilities. As Kim Zetter detailed in her book “Countdown to Zero Day,” the government faces a difficult choice when it discovers a security flaw: share it so it can be patched, or keep it secret and useful. In my opinion, the dangerous impulse to over-classify should be resisted. If we want the private sector to share threat information with the government, the government — even its intelligence agencies — should get used to reciprocating.
I hope the CIA's new commitment to all things cyber also will boost its work on open-source intelligence — the collection and analysis of public information and material — especially on social media. Invaluable intelligence on Islamic State and Al Qaeda is sitting in plain digital sight. Private consulting firms such as SITE Intelligence Group have been quick to leverage that opportunity, and the CIA should follow their example. If Islamic militants recruit through Facebook, Twitter, Pinterest or other social networks, understanding exactly what they do and how to shut them down must become a major intelligence community priority.
Finally, the CIA should remember that just because it can do something doesn't mean it should. That's a lesson that the National Security Agency learned the hard way. Programs revealed by Edward Snowden, giving away much of our technology playbook to bad guys, prompted severe backlash; the encryption fight between Silicon Valley and Washington is just part of that fallout. Digital spies should have been asking: Will the intelligence gained outweigh the risk of damaging the trust of key constituencies?
Our nation's enemies are remarkably adaptable. They form opportunistic, horizontal relationships and strike new partnerships. They quickly adopt new digital tools and social media. Brennan deserves credit for overhauling the CIA to become more nimble and more ready to meet these threats on this digital front. But as cyber competence becomes part of the CIA's mission, friends of the agency should ask tough, constructive questions — to make certain that the human and digital worlds are being totally integrated.
The opinions expressed here are solely those of the author.
About the Author
Jane Harman, the Director, President, and CEO of the Wilson Center, is an internationally recognized authority on U.S. and global security issues, foreign relations and lawmaking. A native of Los Angeles and a public-school graduate, she went on to become a nine-term member of Congress, serving decades on the major security committees in the House of Representatives. Drawing upon a career that has included service as President Carter’s Secretary of the Cabinet and hundreds of diplomatic missions to foreign countries, Harman holds posts on nearly a dozen governmental and non-governmental advisory boards and commissions.
Digital Futures Project
Less and less of life, war and business takes place offline. More and more, policy is transacted in a space poorly understood by traditional legal and political authorities. The Digital Futures Project is a map to constraints and opportunities generated by the innovations around the corner - a resource for policymakers navigating a world they didn’t build.