Skip Navigation

BPR Interviews: Stewart Baker

Stewart Baker was the first Assistant Secretary for Policy at the Department of Homeland Security under President George W. Bush and the former General Counsel at the National Security Agency. He now specializes in technology law and telecommunications.

Brown Political Review: In light of former Secretary Clinton storing emails on a private server, do you think the United States prioritizes cybersecurity highly enough?

Stewart Baker: I don’t think that anybody prioritizes cybersecurity sufficiently, in light of the intrusions that we’ve seen. And I’m not quite sure that cybersecurity experts would have caught this right away — the use of a private server — but to the extent that the government knew about the private server, there were certainly very strong cybersecurity reasons not to use it.

BPR: Do government officials receive training about cybersecurity risks?

SB: I fear that many people think cybersecurity law is just one more painful set of bureaucratic requirements that, when you get high enough in the organization, get in the way of accomplishing some other goal. The problem is, unlike many other rules, [in cybersecurity] there is an active adversary who is waiting for you to cheat.

BPR: Do terrorist organizations have the capacity to threaten the cybersecurity of the United States?

SB: Our defenses are very weak against two kinds of attack. One is cyberespionage — stealing information — and another is cyber-sabotage or cyberwar — making systems that depend on digital networks fail in ways that cause real harm. That doesn’t mean we’re weaker than other countries. Cybersecurity is a field in which it’s easy to have a good offense and difficult to have a good defense. Our offense is much better than our defense.

BPR: What is the biggest cybersecurity threat to the United States?

SB: The biggest threat is that an organization or nation with little or nothing to lose will decide to attack the industrial control systems that make civilian life possible. This could recreate the kind of chaos we saw after Hurricane Katrina in New Orleans. Water, sewage, pipelines, refineries and power systems all depend on industrial systems that are vulnerable to attack. A very sophisticated attack could turn them all off in ways that will make it difficult to recover quickly. One of the reasons this hasn’t happened is that most of the people who have the capability to do this have something to lose and do not want to take a chance by launching an attack. But you can imagine that North Korea, Hezbollah or Iran could come to the conclusion one day that they had nothing left to lose and that, since the United States had already done its worst, they might as well do their worst.

BPR: How do government agencies like the NSA balance a concern for citizens’ privacy with the priority of maintaining national security?

SB: The NSA has been following, for a very long time, a set of principles adopted in the 1970s. These state that all [of the NSA’s] activities will be governed by law, and any activities that may concern the privacy of Americans will likely have to go under review by the Foreign Intelligence Surveillance Court. There is strong legislative oversight from leaders and committee members from both parties, and there is judicial oversight to ensure that the agency actually adheres to the law. There is a very aggressive set of training and compliance efforts inside the Department [of Defense] to make sure that individual employees adhere to the restrictions. That’s the broad solution — careful and strict rules for intelligence efforts that may affect Americans, more general restrictions for intelligence gathering that focuses on foreigners and an internal compliance regime to make sure these restrictions are followed.

BPR: Do you believe that this set of rules works today?

SB: In general, yes. The idea that intelligence efforts that target Americans or that occur on American soil should be the subject of court review can be maintained even with a lot of changes in technology. There’s no doubt that Edward Snowden’s disclosures led to questions about whether the regime for oversight was functioning properly. He deliberately released information designed to shock Americans and withheld information that would have reassured Americans that there were constraints in place.

BPR: What is the biggest misunderstanding that US citizens have about cybersecurity policy?

SB: One misperception is that there isn’t really a big problem and that the government agencies and contractors instead want a new enemy to scare Americans into spending more on defense. However, I think that a declining number of Americans believe that, as we have seen more and more intrusions that have bigger and bigger impacts over the last 15 or 20 years.

BPR: How has the world of cybersecurity and American cybersecurity policy changed since you were at the NSA in the 1990s?

SB: When I was at the NSA, cyberattacks and even cyberespionage were embryonic. Now they have become the tool of choice for every intelligence agency in the world and have become the war-fighting strategy of a large number of countries. These tools are very realistic and dangerous weapons. Exactly how dangerous, we don’t know. They may turn out to be not quite as nightmarish as they could be, but they will certainly cause civilian harm. The good news is that we have become much better at identifying our attackers in cyberspace, and so people launching attacks have to worry about a response from us. The bad news is we still have no strategy for winning a conflict that involves cyberattacks.

BPR: Is cyber instability what we should expect for the future?

SB: Yes. We should expect it because cyber instability is a great weapon for those in a conflict with the United States. It is asymmetric since it hurts the United States more than it hurts our adversaries. It is a weapon that can be modulated. Unlike terrorism and nuclear weapons, there is no taboo against using it, and it can be used to influence domestic and public opinion quite dramatically. You can demonstrate that there will be costs to the American people for the foreign policy and military decisions taken by their leaders, which is a way of separating American leadership from the country. That could turn out to have a profound impact on what exactly we’re willing to do with our military around the world.

SUGGESTED ARTICLES