New Security Priorities for a New Decade

By Slade Gorton

September 11, 2014

More than a decade ago, the National Commission on Terrorist Attacks Upon the United States, commonly known as the 9/11 Commission, was officially established in a highly partisan manner—a fact critics never failed to point out. To the surprise of many, however, we did what was originally thought improbable at best. The five Republican and five Democratic members wrote a unanimous and bipartisan report. That unprecedented volume told the definitive history of how one of the greatest attacks upon American soil took place and proposed a set of policy changes that aimed to prevent any future attacks.

This year, the ten Commissioners reconvened as private citizens to reflect on the changes of the past decade and to reassess today’s national security threats. Many things have changed since September 11, 2001. The United States’ engagement in Afghanistan and Iraq is totally transformed, and the Arab Spring significantly altered the balance of power in the Middle East. Changes have even permeated our own government. As the 9/11 Commission recommended, Congress established the position of Director of National Intelligence, the multitude of intelligence organizations have created new information-sharing protocols, and the FBI has been transformed into an intelligence-driven organization aimed at prevention.

Yet while much has changed, much remains the same. Congress, for instance, has failed to consolidate its oversight authority, forcing huge administrative burdens on the various intelligence organizations. As the 9/11 Commission predicted in 2004, and as we see today, another change in the United States is the onset of “counterterrorism fatigue.” Our country is safer than it was a decade ago, and we are getting better at preventing major attacks on American soil. Our very success, however, has resulted in a loss of focus on the still very real threat of terrorism. The Commission urges Congress and the administration to communicate to the public the new and emerging threats in real and specific terms. We need to remind citizens of what is threatening to our way of life and what we, as a country, should be doing to ensure long-term security.

Principal among these new and emerging threats are the unprecedented cyberthreats to both our national security and economic well-being. One of the many security officials the Commission spoke to during our recent investigation said, “We are at September 10 levels in terms of our cyber preparedness.” This finding is consistent with that from another commission on which I recently served. The Commission on the Theft of American Intellectual Property (the IP Commission) noted that our vulnerable information systems are resulting in substantial losses of national security secrets, an increasingly vulnerable critical infrastructure system, and economic losses estimated at more than $300 billion annually. General Keith Alexander, former director of the National Security Agency and commander of U.S. Cyber Command, described this as the “greatest transfer of wealth in history.”

The threat to our information systems is not new. In 1997, the President’s Commission on Critical Infrastructure Protection concluded that the United States’ cyber vulnerabilities place both its national security and economic competitiveness at risk. The threat today, however, has reached levels unthinkable in 1997. Recent cyberattacks from China have resulted in a loss of national security secrets critical to our defense. Attacks from Iran have penetrated the networks of the U.S. Navy. And attacks against well-known retailers have left tens of millions of Americans vulnerable to identity theft.

Meanwhile, Congress and the administration are doing little to solve this real and urgent problem. Congress has repeatedly failed to pass critical cybersecurity legislation needed to solve even small problems, such as information sharing. The administration has apparently done what it can within the existing legal framework, but it is also clear that cybersecurity reform is not an agenda priority for the president. In May 2014, the U.S. Department of Justice indicted five Chinese hackers for economic espionage. As experts have noted, however, these indictments are likely to do very little, as the hackers will never be brought into the United States, let alone a courtroom. At best, this was an attempt to send a subtle message to China that our hackers are good enough to know who your hackers are.

What is truly needed is comprehensive cybersecurity reform. As the 9/11 Commission stated in our new report, Congress should enact legislation to enable companies to collaborate better with the government in jointly countering cyberthreats. The public and private sectors must be able to share information on cyberthreats without fear of liability. Finally, Congress should seriously consider granting private companies legal authority to take direct action in response to attacks on their own networks. The longer we fail to act, the longer we leave ourselves open to crippling cyberattacks that will compromise our security and weaken our economy for decades to come.

When the 9/11 Commission convened ten years ago, one thing became quickly apparent: Americans did not realize the true threat of terrorism until it was too late. I fear that history may be repeating itself regarding our nation’s cybersecurity infrastructure. The threat is real today, and today we need real solutions.