The nature of World War One was clearly foretold in the Russo-Japanese war that occurred a decade earlier. The character of the Second World War was adumbrated in the conflicts of the mid and late 1930s. In both cases, the forms that would evolve – for example, trench warfare, massed artillery, coordinated air-ground operations and strategic bombardment were only barely observable. But they were there. As new operational concepts were developed based on nascent capabilities, technologies matured and the result wads a change in the nature of war.

Today, we have seen the future of war and cyber operations will play an important role in it. This was underscore by the recent massive cyber attacks on Estonia and Georgia. While these events inflicted only limited damage or disruptions they are certainly a portent of things to come. Although there is not incontrovertible proof, the educated guess is that the Russian government was behind the recent attacks. It is possible that these attacks were not carried out directly by Moscow, but rather by the BNN under contract to the Russian intelligence services or the Ministry of Defense. Chinese military doctrine refers to something called “The Assassin’s Mace,” which a number of experts believe is a massive, preemptive cyber attack designed to render an opponent’s military, governmental and major infrastructure systems inoperable.

The IT revolution is putting new weapons in the hands of hostile interests. Terrorists, criminal organizations and rogue regimes can now access military-quality communications, information and targeting capabilities that only a few decades ago were solely the province of a handful of intelligence and military agencies. Groups have arisen, such as the Russian Business Network (BNN), which specialize in cyber crime.

What is even more ominous is the rapid advancement that has occurred in sophisticated and automated tools for attacking networks and computers. As a result, those seeking to attack networks do not need to recruit computer experts. Virtually anyone with access to a computer can now serve as a foot soldier in hacking attacks. There is a significant and growing asymmetry between cyber offense and cyber defense.

The U.S. effort to appreciate this new form of warfare and develop relevant policies and plans for both offensive and defensive actions in cyberspace has barely begun. Moreover, the nature of the cyber domain suggests that a conflict conducted there will be quite different from any involving conventional or strategic forces. For example, understanding the cyber battlefield (as distinct from collecting intelligence) may require penetration of networks and data bases owned or operated not only by adversaries or military organizations, but commercial as well as governmental systems in the hands of neutrals, even allies. Most of this effort will have to be conducted in peacetime. It may be possible for a nation or group to conduct a successful preemptive attack, placing cyber “time bombs” in critical software or even in the processors that are at the heart of modern computers, days, months, weeks and even years before triggering them. The nation might not know that the war was over and had been lost until its adversary transmitted the terms of surrender. Even then, after the conflict was over, much less when it was underway, there might be difficulty establishing the adversary’s true identity.

The United States possesses enormous capabilities to conduct cyber operations. Our assets include not only various agencies of the federal government, but also a host of private companies such as Lockheed Martin, Northrop Grumman, General Dynamics, BAESystems, Raytheon, Mantech, SAIC, CACI, Dyncorp and L3. The problem is that the cyber security system is balkanized with little stovepipes and secret compartments that often prevent knowledgeable individuals in the same organization from talking to one another. The answer is not a White House czar but a strategy for conducting cyber operations, both offensive and defensive, and an organizational construct that can unify and focus our prodigious assets.

We’ve had a lively discussion the past few days on the blog. In all honestly, I’d been concerned that the techy details of the topic might scare off some of our experts, or be greeted with a yawn, but we’ve drawn a wide range of responses from experts, lawmakers, and skeptics. I’m going to provide a quick recap on some of the highlights, but I also wanted to pose another variation on the question, in order to bring in some of our military experts. Should the military devise what I’ll broadly call a “cyber war doctrine?” The Defense Department is planning to stand up a new Cyber Command, which will be headed by NSA director Lt. Gen. Keith Alexander, so maybe I’m asking a question that’s about to be answered. But what do our mil-wonks have to say on this? Is cyber a battlefield? If it is, what are the rules?

Onto the recap, I’d first like to point our readers to a spirited debate between guest blogger Jim Harper of the Cato Institute, and NJ expert Michael Jackson, the former deputy secretary of the Homeland Security Department. They’re at odds over whether the cyber threat is overblown, and to what extent government should be involved in security. Harper kicked off our discussion this week with a call for calm, and said that President Obama had loaded his recent speech on cyber security with “hyperbole.” That prompted a lengthy rebuttal from Jackson, in which he suggests that the federal government should certainly be playing in this space, and that it has three major tasks ahead of it. Harper responded to that with a post on Cato’s blog, in which he suggests that on cyber security, “There are no experts.” NJ blogger Ron Marks, take note: Your assertion that “Cyberterrorism is here to stay and will grow bigger,” also drew a skeptical response from Harper.

I’d also like to note that Harper pointed out what President Obama didn’t say in his recent speech on cyber security. “Missing from the speech was one of the most important cybersecurity policies of all: keeping truly critical communications off the Internet.” Perhaps someone would like to take up that notion in a future post. I have a feeling that we’re going to see more on this from the administration and Congress.

Our other bloggers have given us much to chew on. Sen. Kit Bond calls upon Congress to get informed about the risks members face: Every Member of Congress…should request a briefing from the Intelligence Community on the cyber threat to the United States, including the threats to their own Congressional offices.” (Shameless plug, I wrote a cover story for NJ a while back on those very threats.)

Loren Thompson, who’s been writing on cyber lately, has come to three disquieting conclusions: “First, there is no way a lumbering, balkanized bureaucracy like the federal government will ever be able to keep up with cyber-threats….Second, of all the federal departments charged with addressing the threat, Homeland Security is the least likely to succeed. It's just not up to the challenge. Third, our defensive problems go far beyond not being able to trace attacks to their source -- we can't even say for sure how big or bad the overall threat is. It’s mostly conjectural.”

New addition to the blog, Jim Lewis, has a particularly noteworthy post. I say that because Jim helped put together CSIS’s major report on cybersecurity, which was briefed to the Obama team during the campaign, and has been taken up lately as a kind of new baseline for cybersecurity. I’m sure a lot of other groups out there who’ve also been hot on this topic might take issue with my characterization, but nevertheless, the CSIS report was a big deal, and it got a lot of high-level attention in the administration.

James Carafano draws attention to something that a number of pundits and journalists have apparently overlooked. The Obama administration isn’t appointing a “cyber czar,” he writes. “Rather, the new position in the White House looks like it will be what it should be a ‘policy coordinator.’” We’ll have to see how big a role semantics play in shaping policy, but I for one think James is right to draw our attention to the fact that words matter. (On that note, I point out that while the president said during the campaign that his new cyber (fill in the blank) would have “direct access to me,” he now says this official will have “regular access to me.” You will all appreciate the difference.)

That’s all for now. I’ll check in later in the week.

For many folks cyber terrorism exists only in the fictional world of Live Free or Die Hard where Bruce Willis takes on the bad guys and wins. But in an ever increasing Internet age – where families pay bills on line, companies conduct business via email, and the government uses computers to calculate benefits – the threat is very real and our government must act to improve our cyber security.

It all starts with awareness and understanding. The President’s focus on this national security challenge is an important step. And while there is an increasing amount of public information out there, much of the information about this topic necessarily remains classified. Every Member of Congress has a responsibility to be informed and should request a briefing from the Intelligence Community on the cyber threat to the United States, including the threats to their own Congressional offices.

We should also push the Administration to recruit the best possible cyber executives and staff at all levels—at this critical time of growth in our nation’s cyber security system, there is no substitute for great people.

Congress must also move past the turf battles that too often logjam progress. Right now the Administration’s cyber security staff must respond to approximately 90 congressional committees and subcommittees. This is ridiculous. Congress needs to find a workable and coherent way to coordinate congressional oversight of cybersecurity across the U.S. government. Several years ago the 9/11 Commission called the congressional oversight of the intelligence authorization and appropriations process “dysfunctional.” Unfortunately that’s still true today which is why last Congress I introduced a resolution to improve our intelligence oversight structure. Unless we can make some institutional changes soon, I am concerned that congressional oversight of cybersecurity is heading down this same dysfunctional path.

The White House wants to create yet another czar to handle coordination, but too often czars lack accountability to either Congress or the American people and lack the necessary authority to do the job right. Ordinarily I am not a fan of creating more government bureaucracy, but given the scope of cyber security issues, I believe Congress should explore creating an agency—or modifying an existing agency—to oversee the Government’s cyber security efforts. An agency – instead of a czar – would be responsive to a manageable number of congressional committees and would have the authority necessary to demand compliance across the government.

Finally, while the many new cyber security bills introduced is a good sign that my colleagues are interested in tackling this national security challenge, Congress has a lot of work to do. We must get started now to address the many overlapping legislative proposals that address bits and pieces of cyber security to get the best bang for our buck. There are a number of tough legal questions that we will have to deal with, including what the government can do in the name of cyber defense and the extent to which international law applies. Many of the laws on the books today were not written for the Internet age and, just as we learned with the Foreign Intelligence Surveillance Act, may need to be clarified or modernized.

Our enemies won’t wait for us to do our homework, solve our turf battles or modernize our laws before using the internet as a deadly weapon. In fact, as the President outlined in his recent address on cybersecurity, the attacks have already started. We don’t have another day to waste.

I recently wrote a brief study of cyber-threats -- it's on the Lexington web-site -- and in the process came to some personal conclusions about how to deal with the danger. First of all, there is no way a lumbering, balkanized bureaucracy like the federal government will ever be able to keep up with cyber-threats. There's so much malware on the net now that new versions may actually exceed the number of legitimate software releases. Second, of all the federal departments charged with addressing the threat, Homeland Security is the least likely to succeed. It's just not up to the challenge. Third, our defensive problems go far beyond not being able to trace attacks to their source -- we can't even say for sure how big or bad the overall threat is. It's mostly conjectural.

I have a gut feeling that NSA can take care of itself and the rest of the intelligence community. But when you hear the administration say that the top cyber officer at the White House will have "regular access" to the President -- which is code for saying he won't have direct access -- you know that the civil and commercial side of the threat isn't going to get addressed competently or completely. So I vote for outsourcing the whole civil side of the mission to a capable private-sector player like IBM or EDS. I guarantee you they will be more agile, responsive and competent than the feds could ever be.

So Far So Good on Cyber

All praise to the White House for what they have done so far on addressing the future of US cyber security. The recently released report has all the right kind of words—and most important (despite the inaccuracies in the press) the administration has correctly not appointed a “cyber czar.” Why anyone would want to mimic a century long defunct political oligarchy is beyond me, yet Czar-mania is all the rage these days. A czar for cyber is particularly stupid—as there are few challenges that are more complex, decentralized, and dynamic than dealing with cyber issues—no problem is less suited to a highly-structured, autocratic regime of governance. Rather, the new position in the White House looks like it will be what it should be a “policy coordinator.” Having such a position for cyber issues makes real sense since the federal government has offense, defense, classified, and unclassified programs that often don’t know that the other exist. Someone should know what everyone is doing and make sure they talk to each.

My only caution is that White House take care not to become a command post and get bogged down in operational details. The "3 am" phone calls make great commercials and everyone loves to watch the president save the world on "West Wing" and "Independence Day." But in real life if we have to wait for some one in the White House to make decision before we can start doing things during a crisis a lot of people are going to die horribly. And don't get me started on Iran-Contra. Running programs behind closed doors from the West Wing out of sight of Congressional oversight and public knowledge often ends badly--and rightly so.

Finally, most heartening for me was the report’s emphasis on research and education. The best weapon we have in the cyber war is the human mind. We need public and private sector leaders who understand the global environment, confident enough in their skills, knowledge, and attributes to relish competing in the cyber world rather than cowering behind their cyber walls. As we ramp up security and our competitive advantages, we also need to make sure we don’t kill the “cyber goose.” The Internet works so well because it is the 21st century version of the “wild west.” I’d hate to see innovation and competition be killed in the name of security. Like every other aspect of our global engagement, we need cyber policies that keep us safe, free, and prosperous.

It does little to promote serious discourse about the truly grave topic of cyber security threats to begin by ridiculing DHS and DOD as “grasping for power” or to suggest that President Obama has somehow been duped into basing his sensible cyber strategy on “a lame and corny threat model called ‘weapons of mass disruption.’" It shows ignorance of the facts to deny that cyber vulnerabilities do indeed present the possibility of “paralyzing results.”

Most of what one needs to know to become seriously impatient about achieving stronger cyber security now can be found in the public domain. This is not the place to summarize open source data, for example, about the systematic penetration and exfiltration of very sensitive government and commercial data by foreign state actors, to assess SCADA and other vulnerabilities that serve as a gateway for denial of service attacks against critical infrastructure, or vulnerabilities of the domain name server routing network serving all internet users. Beyond that, having exposure to a more detailed understanding of the relevant classified information makes one even more impatient to improve the nation’s cyber security.

But it is decidedly true that there is no silver bullet to these vulnerabilities – we must embrace iterative and aggressive improvements with a sense of urgency. What will work to protect government networks in some cases is different from – or outright inappropriate for – what must be done to protect other domains used by the private sector.

Where to Focus. I would argue that there are three high-level tasks for the federal government at this juncture:

1. Define the problems with clarity and explain the risk (threat, vulnerability and consequences).

2. Identify what must be protected – in both public and private sectors. Three distinct areas of focus must be pursued simultaneously, but with tools, policies, investments and timetables unique to each. The federal government has a primary responsibility for protecting its own networks and assets, and it must continue to develop the means to help protect the others.

a. Public sector federal assets. This includes the federal systems operating on .gov and .mil domains (and it goes without saying, the federal classified networks).

b. Public sector non-federal assets. State and local governments operating their systems on various domains, e.g., .gov, .us, etc.

c. Private Sector Assets. Commercial, defense industrial base, critical infrastructure operators, educational, non-profit and other private entities or individuals operating on multiple non-federal domains, e.g., .com, .biz, .edu, .org, .net, etc.

3. Implement a comprehensive plan to strengthen defensive capabilities to protect critical data, networks and infrastructure. The Administration must urgently obtain and/or devise the tools, institutions, policies, procurement strategies and financial resources needed to protect federal systems, while also beginning to establish a more robust architecture through which the federal government can work with owners of non-federal cyber assets to strengthen security for the rest.

This note does not attempt to unpack the more specific tasks of the intelligence community (IC) related to cyber security threats, although the larger IC certainly plays an essential role in supporting and integrating its efforts appropriately to the tasks led by the White House, DHS, DOD and FBI and others, as described below. Without trying to burden this blog with too much on that score, deciding how to establish an appropriate, legal and nimble operational relationship between the IC and the DHS, DOD and FBI is essential. But it is not actually all that difficult to get it right, while scrupulously respecting the IC’s existing mission boundaries. Nor does it require intruding as a government nanny to monitor the flow of data on non-federal networks.

Near-term Path Forward. Fourteen activity clusters, mostly focused at the outset on protecting federal assets, should consume a large measure of the near-term federal effort:

1. Decisively strengthen and extend information exchange and coordination with citizens and stakeholders (this is an ongoing imperative collectively to shape effective policies, protect privacy rights, exchange real-time operational information and strengthen both public and private sector defensive capabilities).

2. Monitor better the outbound USG cyber traffic flow (DHS’s Einstein program on steroids: to include rapid, iterative improvements of Einstein deployed across all federal networks to detect successful attacks aimed at illegal information exfiltration, Botnet activity, etc.).

3. Recover rapidly from successful attacks (identify and remove malware from successful attacks on federal networks; immediately plug vulnerabilities across all federal networks).

4. Improve post-attack impact analysis (enhance forensic capabilities to assess the consequences of successful penetration/exfiltration operations targeted at the USG).

5. Implement quickly the Administration’s initial defensive architecture (limit number of Internet portals, consolidate and strengthen system platforms and sites; require improvements in core hardware and software defensive tools across all federal networks, for example, strengthen Domain Name Server security).

6. Monitor inbound USG cyber traffic flow (design and deploy policies and technology for “Einstein II” to intercept and prevent the full range of disruption and exfiltration attacks against the government’s own systems).

7. Enhance law enforcement capabilities (for detection, disruption and prosecution of cyber attacks domestically and internationally).

8. Strengthen supply chain management for federal IT procurements (address the risk to federal systems, especially for foreign-manufactured hardware and software; understand other public and private sector risks).

9. Secure core Internet infrastructure external to the USG (focus on cables, ISPs, root server vulnerability, wired and wireless interfaces, and other vital physical infrastructure and software).

10. Strengthen DHS’s 24/7 cyber operations center capabilities (U.S. CERT on steroids: enhance command and control capabilities at U.S. CERT, to include enhanced operational integration across the USG, but particularly with DOD, DOJ and DNI assets).

11. Deploy nimble, continuous improvement capabilities across all federal networks (lessons learned at the cyber operations center must drive policies, budgets and adequate investments; changes must be implemented with dispatch and accountability – fundamental USG institutional change is needed to coordinate this, as USG networks are “only as strong as our weakest link”).

12. Coordinate closely and operate effectively with relevant intelligence community assets.

13. Increase applied research and development (focus on the rapid incubation of both software- and hardware-based defensive tools).

14. Train extensively and exercise capabilities routinely (work with federal, state, local, international and private sector stakeholders).

The threats are, unfortunately real and they are grave. This will require the very highest focus and capabilities that the federal government can muster. It will take the best minds and innovative skills of the private sector. Yes, it does require a public-private partnership sculpted for this need. Good people are working hard on these matters, and they deserve our unwavering financial and personal support. For now and for the long-term.

I think the Obama Adminstration has put the right cast on the cyberthreat situation and its handling within and without by the USG. It is, as with "hard target" defense, a part of the overall civil defense of the United States in the 21st Century and cannot be put on the back burner..

I understand that, in the first blush of 9/11, cyberterrorism was rightly cast aside for "hard target" concerns leading to a policy of "guns, guards and gates." It is, however, eight years after the event, and while there is no ignoring hard targets -- those who threaten also know that the net is an ever increasing part of our lives and they intend to exploit it. Cyberterrorism is here to stay and will grow bigger.

First, however, let's get the facts straight vice the hyperbole. Few cyber attacks are ever going to be as painful to America as an attack of weapons of mass destruction. However, a successful cyber attack against the US banking system or an array of power grid structures, etc ain't gonna be a good thing -- and make no mistake that whatever claims are made about countermeasures, the ubiquitous "they" are as smart as us and sometimes smarter. And, remember, a simultaneous cyber and "hard target" attack is not out the realm of possibilities.

Second, we really need a clearly coordinated structure within the USG to deal with this matter. The current plan seems to have some legs with a well qualified NSA in the lead and good coordination (at last) out of the NSC under Melissa Hathaway. FBI, DHS, and other Intelligence Community members will also have a role under this plan. However, I am still not sure where the government long pole -- DOD -- is in this tent. The US Strategic Command has the lead there and it has established the Joint Task Force-Global Network Operations. Coordination with DOD is always tough involving civilian interest. The "cyber czar" is likely to have a cyber-headache on this one.

Third, and this one is crucial, the US Government has to reach out to the private sector in a broad and comprehensive way. The Bush Administration never got this effort off the ground relying more on volunteerism for what is a clear government role. The American business community is craving some specific instruction on what is considered the government "gold standard" for protection. Businesses also need information on threats -- and the USG needs to move beyond the silly, self inflicted rules of information sharing to get them what they need.

Here's a new comment from Jim Harper, director of information policy studies at the Cato Institute:

Please, everyone, just settle down. Take a deep breath. You're getting into a lather.

The Internet is important. It is a useful, powerful, and resilient communications medium. But it is not "the backbone of global commerce, communications, and our basic way of life." That metaphor is chosen to imply something that can be broken with paralyzing results. Witness Senator Rockefeller's recent statement briefly questioning whether we would have been better off without the Internet given the "fearsome, awesome problem" of securing it.

The Internet is the opposite of that. It's more like a circulatory system, or skin. It's really not even a thing. It's an agreement to use a standard protocol for communicating across networks - thousands of them all over the world. The Internet was specifically designed to route communications packets around damage, making it much harder to break than the telephone and broadcasting systems that preceded it. The Internet is also constantly being tested and regularly being repaired.

So let's make the problem harder: "cyberspace." It's a perfectly obtuse concept that roughly refers to: a) the Internet, b) all data, c) all computers, and d) all computer programs. Now there's something to worry about! Everything!

"Everything" truly is the backbone of global commerce, communications, and our basic way of life. "Everything" is a strategic national asset, because without everything we'd have nothing. The Obama administration's 60-day cyber security review bit off more than it could chew - precisely as it was instructed to do - and the results were a good effort to achieve an impossible goal.

We are entering a new age - the Information Age - but asking for a quick review of the problems we'll encounter is like asking a team of scholars in 12th century b.c. what to do about the Iron Age. Nobody then tried to figure out how to deal with all the problems that would emerge during the relentless march of progress, and nobody now can figure it out for our future either. As then, thousands of different problems will be handled in thousands of different ways by millions of different people over hundreds and hundreds of years. "Securing cyberspace" means tackling thousands of technology problems, business problems, economics problems, and law enforcement problems. If it takes decades to come up with solutions, that's fine. If it takes less than that, chances are we'll be getting it wrong.

If anything is needed, it's not a centralized strategy for "securing cyberspace." It's a discussion one level removed: about the systems that will figure out how to secure cyberspace.

In Washington, the assumption is that regulation or "public-private partnerships" (a pea in the same pod) are a good way to wrestle with cybersecurity. This appeals to politicians, regulators, and lobbyists all because it puts them at the center of the action, feasting on profound intellectual challenges . . . - and steaks!

An alternative is to use distributed systems that draw solutions from the intelligence at the ends of the network. Contract and tort liability divide up risks of loss between parties who are dealing with one another and among those who are not. Both forms of liability drive responsibility for security to the actors best positioned to provide it. And liability systems evolve relatively well as new knowledge comes forth. (Regulation gets calcified by advantage-seeking in Washington and state capitols.)

There aren't answers yet, and President Obama's cybersecurity speech was thin on prescription - as it had to be. But it laid down some clear limits: "My administration will not dictate security standards for private companies," the President said. And elsewhere: "Our pursuit of cybersecurity will not -- I repeat, will not include -- monitoring private sector networks or Internet traffic." These are welcome guardrails against the grasping for power and personal information that the Departments of Homeland Security and Defense will certainly do when the President, the Congress, the press, and the people aren't looking.

Something missing from the speech was one of the most important cybersecurity policies of all: keeping truly critical communications off the Internet. The Internet is but one communications system. There are others, and more can be created. When security is truly important - such as in military communications, back-end financial services, and so on - communications can and should be on separate, dedicated networks.

Something that wasn't missing from his speech was the hyperbole that is Washington, D.C.'s stock in trade. President Obama marched out the spectre of terrorist attacks over the Internet, citing a lame and corny threat model called "weapons of mass disruption." As to the $8 billion he says Americans lost to cyber crime in the last two years? That amount is a rounding error on the funds surging out of Washington since the Bush and Obama administrations agreed that propping up failed businesses is a good policy.

It would have been nice when bailout mania got started for everyone to settle down, take a breath, and avoid lather. Let's hope we do better with cybersecurity.

One thing I've been wondering about is why the endless repetition of threadbare arguments when it comes to cybersecurity. I was at a conference last week and got to hear about cyber-insurance, public private partnership, and information sharing all over again. Some of us thought we should hold up cards with the year we first heard some of these ideas - 1996, 1998, etc. The Obama administration report does a fair job of avoiding many of the pitfalls of cyber-think, but we can be sure that the old ideas will come up in discussion.

Most of the antiques involve the role of the private sector and the nature of cyberspace. Yes, it's new, different, and so on, but we've overcomplicated the problem (perhaps intentionally, in some cases). We got off to a bad start with the dawn of the commercial internet. First, there were the cyber libertarians - remember John Perry Barlow's peroration about how those tired giants - governments - should stay out of cyberspace? The internet was to be some new untrammeled space where the human spirit could innovate and soar, and so on. If nothing else, no other government has paid attention to this nonsense, but that does not mean the US can avoid tying itself into knots. Ultimately, cyberspace is anchored to some physical location where governments can act, and other countries have already started work on how to shrink the illusion of borderlessness in cyberspace. There were a lot of bad ideas abou the new technology, they were extinguished when it came to business as the dot-coms went bust, but they linger on for security.

Cyber libertarians were part of the dot-com era, when IT companies rode high and had easy access to the White House. They repeated two lines repeated like mantras - technology moves too fast for government, and since the private sector owns the infrastructure, it should lead in protecting it. A blog isn't the place for taking these arguments apart, but both seem to be largely dodges invented to avoid any constraints on private sector behavior. It's easier to see this with the second mantra - the private sector owns most of the aircraft in the US, but we don't ask the airlines to defend our airspace. There has been this long ideological commitment to partnership and voluntary action (a blend of Barlow and Grover Norquist) when it comes to cybersecurity, but this ideology will produce solutions that are no more adequate to ensure the public interest in cyberspace than voluntary regulation was on Wall Street.

Finally, the emphasis on an electronic Pearl Harbor probably threw us off - we have been looking for the wrong kinds of threat. My favorite quote from these days is "Osama has his finger on the trigger, but his grandson wil have it on the keyboard." This statemtn is an admirable rhetorical device but it is damned poor analysis. The misestimation of cyberthreats (note I did not say overestimation) might have been part of the larger problem with homeland security in the last eight years - the national slogan could well be "no threat too improbable." Silliness isn't the right term - it's more of a lack of strategic insight when it comes to thinking about new kinds of eapons and risks.

So the Obama administration inherits a decade of outdated or inadequate thinking when it comes to cybersecurity, how to work with the private sector, and how to operate in the new environment of cyberspace. If it puts too much faith in the nostrums of an earlier age, it will not succeed. Avoiding this will not be an easy task - not only will the White House have to come up with new ideas, but it will have to deal with distractions from the advocates of the old ideas. One of the tests for the Obama policy is whether it can move beyond the clichés and actually define a useful role for government. It may take - I hate to say it - a Goldilocks approach. Too much government intervention and you get gridlock. Too little government intervention and you get meltdown. But there is little agreement on how to find something in between and whether it is a czar or a coordinator, they face a daunting task.