Architecting the Nation for Cyber Defense [Commentary]

Gen. Keith Alexander delivers remarks at his retirement ceremony at the National Security Agency, on Fort George Meade, Md., March 28, 2014. Official DoD photo by Sgt. Aaron Hostutler USMC (Released)

Today, we face a new frontier of both opportunities and threats. The benefits of our increasingly technology-driven and networked world have been vast. Advances in computing and networking technology have put supercomputers — once the exclusive province of nation-states — into the hands of everyday citizens around the world, providing them consistent access to the tremendous wealth of information that these devices can store and process. These advances have afforded significant benefits for the cause of freedom and democracy around the world, as well as for the spread of free markets and innovative capacity to parts of the globe relatively untouched by prior cycles of rapid and widespread industrialization.

With these benefits, however, have come challenges. Our collective and increasing reliance on technological devices and the networks on which they transmit and receive information makes the global community — at the individual, group and nation-state levels — more accessible and more vulnerable to threats aimed at those devices and networks.

Cyberspace is a national (and international) asset that enables our communication, economic prosperity and national defense. But it has also become a digital battleground where nation-states, independent groups, terrorists, organized crime and “traditional” criminals seek to challenge, disrupt or destroy our defense, steal money and adversely impact our economic stability. And the threat is very real.

While nation-states have long sought access to the critical systems of other nations for espionage and similar purposes, we’ve now seen an expansion to more aggressive actions, ranging from large-scale theft of private sector information for economic advantage, to the use of actual destructive attacks that have effects in both cyber and physical space. And while this activity is taking place at a relatively low rate at this time, the number of nations that now possess such capabilities is growing.

Similarly, an increasing number of non-state groups are using cyber-enabled methods to advance their own agendas. Major organized crime groups use their growing cyber capabilities for fraud and outright theft. Terrorist groups seek to expand their cyber capabilities beyond mere communication, recruitment and incitement to obtain an asymmetric advantage over their enemies. Indeed, as modern society becomes more reliant on digital, connected devices, our networked infrastructure provides both an avenue and an incentive for these actors to seek a leg up on us.

The potential impact of these threats on our industry and government highlights the need to focus on our joint cyber defense. Specifically, we must fundamentally rethink how the private and public sectors interact in cyberspace and recast the way in which we think of the respective roles of departments and agencies within the government and how they interact with private entities. We must learn how to work together in a cooperative environment and together confront the threats our nation faces. Just as the modern military has learned how to train, exercise, operate and fight in a joint, combined arms environment, our public and private sectors must learn how to train, exercise and operate cooperatively in cyberspace.

In doing so, there are five key issues that policymakers should address now when it comes to cybersecurity.

First, the government should work closely with industry to set the basic construct for a truly defensible national cyber architecture. Today, the basic expectation is that the private sector is responsible for defending itself in cyberspace regardless of the enemy, scale of the attack or type of capabilities employed. The reality, however, is that commercial and private entities cannot practically be expected to defend themselves against nation-state attacks in cyberspace alone. They simply do not have the capacity or capability to respond in a way that would be fully effective against a nation-state attacker or attacker with nation-state capabilities, whether from a deterrence or strategic perspective.

In no other context do we expect corporate America to bear the burden of nation-state attacks. For example, we do not expect Target to employ surface-to-air missiles to defend itself against Russian planes dropping bombs in the United States. Rather, that responsibility belongs to the Department of Defense. In cyberspace, the expectation is flipped on its head. This does not make sense. Given the private sector’s role in running the infrastructure upon which our nation relies, there is no question that the government and private sector must collaborate to defend the nation’s cyber architecture.

Second, we must work to create opportunities and pathways for collaboration both within the private sector itself, as well as between the public and private sectors. These collaboration pathways will allow us to develop a sector- and economy-wide collective defense capability.

Third, it is critical that we work cooperatively to develop technical expertise and capabilities between the public and private sectors and that we exercise and train for response in advance of any large-scale, real-world event. Such preparation will help ensure that where such events are unavoidable, resilience, recovery and deterrence are built into our cyber ecosystem.

Fourth, the government must work with industry to craft clear and consistent roles and responsibilities and rules of engagement for public and private sector entities, as they prepare to defend their own systems and networks, as well as to defend those common systems and networks upon which the nation and our economy rely.

Finally, the executive branch should work with Congress to create incentives and to provide the information necessary for the government and the private sector to make consistent and accurate assessments of the risks they face in cyberspace. This includes Congress and the private sector both allocating the resources necessary to adequately defend their respective systems and networks, as well as the underlying architecture upon which these systems and networks rely.

This problem is not completely intractable. There are some very basic first steps that the government and private sector should take to help address the situation. While some of these issues may be difficult to resolve or may involve complicated questions of balancing national security with individual security and privacy, we have little choice. The reality is that cybersecurity is a shared venture between the government and the private sector. Given the threats and potential harm facing our nation going forward, we must be prepared to confront these hard issues and, where applicable, fundamentally change the paradigm we apply today.

Our nation was created by “citizen soldiers,” and as we face this new area of threats in a rapidly changing environment, we need to once again look at the relationship between private citizens and our government in developing a common defense.

Gen. (ret.) Keith B. Alexander is the former director of the National Security Agency and former Founding Commander, United States Cyber Command. Gen. Alexander currently serves as the president and CEO of IronNet Cybersecurity and recently completed service as a member of the President’s Commission on Enhancing National Cybersecurity.

Jamil N. Jaffer is a former associate counsel to President George W. Bush and former counsel to the Assistant Attorney General for National Security at the Justice Department. Mr. Jaffer currently serves as vice president for strategy and business development for IronNet Cybersecurity and a visiting fellow at the Hoover Institution.