Poindexter was more worried about foreign spies and terrorists than about high-schoolers. But in cyberspace, the threat was all the same.
The presidential directive, which Reagan signed without fanfare, set up several layers of committees and staff to deal with the government’s end of the problem—the gaps in its own systems. But buried within the technocratic language was a single line that proposed a radical shift. A national committee, chaired by a senior Pentagon official and composed of representatives from the FBI, the CIA, the State Department, NSA, the military services, and the NSC staff, among others, would identify systems that handled “sensitive, non-government information,” which, if lost or exploited, “could adversely affect the national security interests.” Where appropriate, the committee would assist the private sector “in applying security measures.”
Poindexter wanted the government to take control of protecting the nation’s network. And, as skeptical outsiders in the electronic-privacy community soon pointed out, Poindexter himself wanted to be in charge.
To control the new cyberbureaucracy, the directive installed a “steering group” chaired by the President’s national-security adviser. Poindexter was just the deputy then, but he’d long since divided the duties of running the NSC staff with his boss and fellow Academy man, Robert “Bud” McFarlane, who handled the political tasks of the job, particularly meeting with Congress and the media. Poindexter actually managed the guts of the National Security Council. He was the behind-the-scenes power.
Not a single piece of paper that touched national-security policy moved through the West Wing without Poindexter’s eyes falling on it. In 1986, Reagan elevated him to the top slot, national-security adviser to the President. But even before that, soon after Reagan signed the cyberdirective, it didn’t take long for Poindexter’s enemies in the privacy community to single him out and dub him a would-be “computer czar.”
Poindexter’s plan for cybersecurity was extraordinary on two levels: It inserted government supervision into private affairs, and it asserted a national-security interest in unclassified information.
Poindexter realized that secret information wasn’t the only target on the network, and perhaps it wasn’t even the most important. But his strategy for addressing the threat struck some as one step too far. Even the General Accounting Office, Congress’s investigative arm, found that the order vaguely defined the term “sensitive but unclassified information” in such a way that innocuous facts used to make policy decisions could be swept behind a curtain of secrecy. One expert witness told Congress that under the broad presidential directive, the government might try to classify important public information such as flight-safety reports or monetary-policy data held by the Federal Reserve.
Poindexter had tripped the thin line separating public and private interests. It was the first indication that to strike a balance between security and liberty, the government and its citizenry would take opposite sides. Poindexter invited the struggle.
He took up that fight again almost 20 years later. After the 9/11 terrorist attacks in 2001, Poindexter led a Defense Department research program that he dubbed Total Information Awareness. It aimed to take his 1980s concept for harnessing the collective intelligence power of government to a new level. TIA wouldn’t just sift through government databases for signals of imminent crises; it would gain access to private data as well. Poindexter imagined searching through flight reservations, credit-card receipts, and even veterinary records for patterns of transactions that indicated some stage of a terrorist plot.
Once again he traded blows with the civil libertarians who had ridiculed his cyberplan in 1984. The country became embroiled in an argument that would outlast Poindexter’s tenure in the Reagan administration: Should the government be allowed to monitor its own people—and control their information—in order to protect them?
Poindexter posed the question, and McConnell took it up a quarter century later. But another leader would give the answer.
May 2009: The White House East Room
Barack Obama had been hacked once. Over a two-month period at the end of his presidential run, intruders accessed his e-mails and campaign files, including policy position papers and the candidate’s travel plans. Law-enforcement officials later theorized that the hackers either were based in China or were working for its government. The teenage hackers of War Games had been replaced by old-fashioned spies hip to a new game. They’d concluded that it was easier to crack a nation’s secrets with a keyboard and a mouse than with a mole and a bag of cash. The same hackers who gamed Obama were believed to have busted his rival, John McCain. The cyberspies wanted to cover their bases by hitting both campaigns.
The incident hadn’t embarrassed Obama. It emboldened him. He stood before lawmakers, Cabinet officials, and journalists in the East Room and came clean: “I know how it feels to have privacy violated, because it has happened to me and the people around me.” Obama admitted that his computers had been hacked, and he said that it fit a pattern of stealthy activity that imperiled American security.
The President had called the conference to announce his new national cybersecurity strategy. Obama hardly needed to be convinced of the transformative power of the Internet. His campaign had organized much of its support, including its vaunted fundraising apparatus, in cyberspace. But now he’d become acquainted with the dark side of the Net, both from the campaign hacking and from some advice he’d received from a sage of the cyberwars.
After Obama had secured the Democratic presidential nomination, Mike McConnell, still director of national intelligence, gave the candidate his first secret-level national-security briefing. Toward the end of the meeting, which focused mostly on terrorist threats, Obama asked McConnell what else should be on his radar if he won the election. Cybersecurity, McConnell told him. For all the work the Bush administration had done to shore up the national defenses, it was merely a first step.
Obama aimed to get ahead of the threat. The crowd in the East Room hoped to hear the President pick a new cybersecurity coordinator, based at the White House, which the techno-cognoscenti had already dubbed the “cyberczar.” The United States needed a new commander in the digital war.
Obama met their demands, but only halfway. During his campaign, he had pledged to appoint a cyberchief who’d report directly to him. But now the President said the so-called czar would have “regular access.” It was a demotion. The job would also sit lower on the totem pole of the National Security Council staff and report to two masters—the national-security adviser, Jim Jones, and the director of the President’s National Economic Council, Larry Summers.
In the months before the unveiling of the cyberstrategy, Summers had prevailed upon the President to bifurcate the position. Those close to the White House’s evolving take on the role of the cyberczar saw Summers trying to exert control over any new regulations that the security official might dream up. Clinton-era officials had taken the same tack in the 1990s. Although experts forcefully warned the administration about the blooming security risks posed by an interconnected world—and Mike McConnell, as director of NSA, was among their ranks—President Clinton was reluctant to take any action that could stymie business and technological innovation on the fast-expanding Internet. Security has always been the bane of creativity.
But Obama was moving publicly, in a way no President ever had, because the stakes had never been higher. “Every day we see waves of cyberthieves trolling for sensitive information,” Obama said. “The disgruntled employee on the inside, the lone hacker a thousand miles away, organized crime, the industrial spy, and, increasingly, foreign intelligence services.” Obama cast the net wide, framed the threat for what it was—all-encompassing.