From a domestic perspective, the most frightening thing about this whole Georgian cyber-attack situation isn't that we're vulnerable to a similar onslaught of legions of cyber-warriors, government-sponsored or not, it's that Washington doesn't really know what it's doing.
According to a recent report in the Wall Street Journal, the State Department, Pentagon and private-sector minds convened a meeting two months ago in order to figure out how American foreign policy should properly deal with cyber-warfare.
The meeting's result?
Among the group's conclusions was that because no government entity is responsible for establishing foreign policy on cyberwarfare, it isn't getting done, said O. Sami Saydjari, president of the Cyber Defense Agency, a consulting firm.
"Everyone was, in an unspoken way, looking forward to the next presidency to try to resolve the ownership issue," he said, noting that he had attended a similar meeting about five years ago.
So the holdup for public policy on cyber-security is too little bureaucracy and a dash of presidential politics? Seriously?
The best part of all of this is that the Pentagon is now saying that it will delay and possibly kill the nascent Air Force Cyber Command, which had been scheduled for an Oct. 1 start. (To be fair, the Associated Press also reports that this may get moved to U.S. Strategic Command, instead of just being the Air Force's bailiwick.) Either way, color me unconvinced.
Still, experts seem to agree that the U.S. isn't nearly as vulnerable as Georgia or Estonia.
As CNN reports:
The Web sites of key government security agencies, such as the Pentagon and the Central Intelligence Agency, are difficult to bring down, experts said. So are the computer networks of large American banks. But experts say a successful, large-scale attack on U.S. computer systems could hobble electric-power grids, transportation networks and industrial-supply chains. "You'd see some disruption of essential services, like electricity. You'd definitely see espionage," said James A. Lewis, a senior fellow at the Center for Strategic and International Studies in Washington. "Would it be decisive? No. Nobody's going to win a conflict with the United States in cyberspace. But would it be disruptive and irritating? Yes."
But then again, we've been working on a military command structure to deal with cyber-attacks for nearly a decade, and we still haven't gotten it right. This is, of course, despite the fact that we've used cyber-attacks in an offensive manner against Serbia in 1999, and an Air Force colonel even called for an American offensive botnet just three months ago.
So it's instructive to compare Washington's muddled response to cyber-warfare over the last decade with Estonia's response after its own cyber-attack last year.
After the cyber-dust settled in early May 2007, and Estonia's servers were humming along as they normally do, the Estonian government got to work in a very collaborative way. It lobbied Brussels to quickly set up the NATO Centre for Excellence in Cyberdefence (forgive the British spelling). By the summer, part of an Estonian military base in the capital was assigned to be used for the new center. By the fall, the first international representatives arrived, including Kenneth Geers, a well-known American cyber-security expert.
By early 2008, NATO approved a cyber-defense policy that, according to the Wall Street Journal, "establishes a set of common principles recognizing the importance of cyberdefense and directing agencies within NATO to establish a coordinated approach." A year after the attacks, in May 2008, Estonia released a comprehensive five-year government strategy to deal with cyber-attacks on a military basis.
Most recently, during the Georgian attacks, Estonia quickly dispatched two members of its Computer Emergency Response Team to Tbilisi.
Back in Washington, we were putting our own Air Force Cyberspace Command on life support.