Argument

Mission Accomplished. Finally.

Ten years after 9/11, it's time for President Obama to finally call an end to America's adventures abroad.

The long war provoked by the attacks of Sept. 11 is over. The congressional resolutions authorizing combat in Afghanistan and Iraq no longer justify military operations in either country -- or anywhere else. U.S. President Barack Obama gained office by denouncing his predecessor’s assertion of unilateral power to commit the nation to an endless war against terror. Yet, despite the absence of legislative authorization, Obama is moving down George W. Bush’s path to unilateral warfare. This is the real existential threat to American democracy. And it’s why the best way to honor the victims of 9/11 is for Americans to rededicate themselves to the Constitution, which requires the president and Congress to hammer out a new resolution defining war aims for a new decade.

The legal authority for America's present military engagements collapsed in two stages. The first involved Iraq. When Congress authorized the use of force in October 2002, it refused to give the president a blank check. Once Saddam Hussein fell, the 2002 resolution only authorized U.S. troops to operate as part of a U.N.-sponsored occupation force. When the U.N. Security Council planned to terminate this authority on Jan. 1, 2009, President George W. Bush's administration devoted its final months to a new agreement with Iraqi Prime Minister Nouri al-Maliki's government to legalize continuing military operations. But this time, it cut Congress entirely out of the negotiations.

Joseph Biden, then chairman of the Senate Foreign Relations Committee, responded with a proposal declaring that any bilateral agreement with Iraq "should involve a joint decision by the executive and legislative branches." This was not strong enough for Sen. Barack Obama, who signed onto a bill proposed by Sen. Hillary Clinton that would deny all funds to any agreement not approved by both houses. As she explained, it was "outrageous that the Bush administration would seek to circumvent the U.S. Congress on a matter of such vital interest to national security."

Bush simply ignored these protests and continued his end run around the Constitution. His lame-duck deal with Maliki went into effect on Jan. 1, 2009, and once they took office, Obama, Biden, and Clinton conveniently forgot their objections. They embraced the Dec. 31, 2011, pullout date established by the Bush-Maliki agreement, implicitly endorsing Bush's power grab.

A similar pattern is now unfolding in the battle against al Qaeda -- but this time, Obama will be solely responsible for the decision to cut out Congress. The legal authority for the war on terror is a congressional resolution, passed immediately after the 9/11 attacks, approving the use of force against groups that "planned, authorized, committed, or aided" the attacks on the Pentagon and World Trade Center. But a decade later, this resolution can no longer credibly support ongoing military operations.

Al Qaeda's operatives in Pakistan are currently reeling from drone attacks that have killed a series of top commanders. Their capacity to coordinate attacks on the United States has been decimated. Official estimates place the entire Pakistan contingent at 500 or less; and the number of al Qaeda operatives in Afghanistan is fewer than 100.

These undisputed facts are a tribute to America's success, but they severely undercut the legal basis of the current campaign in Afghanistan. The 2001 resolution targeted only the groups responsible for 9/11, and these are disintegrating before our eyes. While it also authorized assaults on countries and organizations that "harbored" the original terrorist attackers, this grant is also wearing thin. Originally, the Islamic Republic of Afghanistan provided safe harbor for Osama bin Laden, but the Taliban who then dominated the government have now fragmented into a loose coalition of rebel groups, each under independent leadership. Nobody can say which, if any, of these insurgent networks are "harboring" the tiny number of al Qaeda members remaining in the country. One thing is plain: The scale of the U.S. military effort is utterly disproportionate to the harboring problem, if there is one.

Terrorism remains a serious threat, warranting a serious strategic response. But it is no longer the Afghanistan-centered problem that Congress confronted a decade ago. If another attack hits the homeland, it will likely come from terrorists based in Somalia, Yemen, or some other failed state, acting independently of al Qaeda's increasingly disorganized "central command." Yet these new groups simply aren't within the scope of Congress's decade-old authorization. Now is the time for the president to declare victory in the war against al Qaeda and return to Congress for a new resolution dealing with the new threats of the coming decade, in a world where trillion-dollar wars are an unaffordable luxury.

Yet Obama seems reluctant to declare that, at long last, Americans have indeed earned the right to proclaim "mission accomplished" -- at least as far as this mission has been constitutionally defined by Congress on the statute books. While all presidents love to claim credit, there is something they like even more: power. As long as he pretends to be fighting yesterday's war against al Qaeda and its vaguely defined "affiliates," Obama can continue to wield the war-making powers granted him by the 2001 resolution. Once he declares that this mission has been accomplished, the Constitution gives him no choice but to deal with troublemakers in Congress in hammering out new strategic principles for the real-world threats we face.

But if Obama chooses to preserve his short-term freedom of action, the United States will pay a terrible long-term price. In using legal fictions to transform Congress's decade-old resolution into an open-ended authorization for unilateral war-making, he will be opening up a path for future presidents to launch major military initiatives without regard to the views of Congress or the American people. Is that what we really want?

JOHANNES EISELE/AFP/Getty Images

Argument

The Calm Before the Storm

Cyberwar is already happening -- and it's about to get much, much worse. A veteran intelligence official explains how America can prepare itself.

Revelations of wholesale electronic fraud and massive data heists have become weekly, even daily affairs. A multinational electronics corporation loses personal information on more than 100 million customers. Cyberthieves break into an international bank, counterfeit credit balances, and loot ATMs in four countries, grabbing $9 million in just a few hours. International gangs spread malicious code that conscripts unwitting computers into zombie armies of hundreds of thousands of similarly enslaved machines. Criminals then rent these armies, called "botnets," as easily as you can buy a time-sharing arrangement in a beach condo. No wonder the vast majority of Internet traffic is spam.

Yet the loss of personal information and related criminal fraud, intolerable as they are, are the least threatening face of electronic insecurity. The U.S. military's secret network is penetrated. Americans' corporate pockets are being picked clean of the intellectual property that makes the United States tick. And the electricity grid that keeps the lights on and makes everything move is dangerously insecure.

In one remote attack on the Pentagon's information systems about 10 years ago, the Chinese hauled away up to 20 terabytes of information. If the information had been on paper, they'd have needed a line of moving vans stretching from the Pentagon to freighters docked 50 miles away in Baltimore harbor just to haul it away. Had they done so, the military district of Washington would've become an active theater of operations for the first time since 1865, and the Navy would've blockaded the Chesapeake Bay. But the Chinese did it electronically, so who noticed?

Corporate espionage by both competitors and foreign intelligence services or their surrogates is also increasing. Intelligence officials see this but can't speak openly about the specifics, and I'm seeing it now in my law practice. The victims rarely admit it, for understandable reasons. Oracle, which successfully sued SAP for theft of its software code, was a prominent exception. Google was another.

When the Chinese penetrated Google in late 2009 -- yes, that operation was Chinese, and yes, it was done with the blessing of a member of the Politburo -- they weren't after customer information. They were after the source code that makes Google unique. Nor was Google the only victim: Thousands of U.S. and Western firms were penetrated in that affair. Foreign governments -- and not only the Chinese -- understand that they cannot compete with the United States militarily and politically if they cannot compete with it economically, so their intelligence services want to steal its corporate intellectual property. This is the technology that gives America its competitive edge, and often it has nothing to do with defense. Ordinary companies with valuable technology are now being targeted by nation-states. This is a new era. National security and economic security have converged.

The danger is not limited to the loss of technology and information, however. The owners and operators of the North American electricity grid are hooking up their control systems to the Internet as fast as they can. Exposing the grid to the Internet makes it marginally more efficient, but it also makes it dramatically more vulnerable to disruption. If you can remotely penetrate an electronic system to steal information, you can remotely penetrate it to shut it down or make it go haywire. This is why there is no longer a meaningful difference between information security and operational security. And the biggest operational risk is the grid. In contemporary society, nothing moves without electricity. If the grid goes out, the country stops.

As the Stuxnet affair demonstrated, remotely engineered disruption of industrial control systems is now a reality. That episode involved the successful electronic attack on the centrifuges in the Iranian nuclear program. Only a first-class intelligence agency could have pulled that off, but the blueprint for doing it -- the code itself -- is now public. Many American industrial control systems run on the same kind of equipment the Iranians were using, but unlike the controls on the Iranian centrifuges, the controls on the U.S. grid are now being connected to the Internet, making them easier to disrupt. Stuxnet was a watershed; there will be copycats.

Other industrial control systems will also be targets. Some already are. Air traffic control, railroad switches, and water and sewage systems are all electronically controlled now, and many are vulnerable. If an intruder can break into the right server electronically, he can remotely shut down production, send your goods to the wrong destination, and even unlock your doors -- and delete your log entries so he leaves no record of ever having been there.

The United States does not lack enemies who would attack it this way. Seized al Qaeda computers contain details of U.S. industrial control systems. In 2003, a group affiliated with the Pakistani terrorist organization Lashkar-e-Taiba -- the same gang that engineered the 2008 terrorist assaults in Mumbai -- plotted to attack the Australian grid. Other groups conspired to attack the British grid in 2004, 2006, and 2009. Yet the owners and operators of the North American grid continue willy-nilly to expose their control systems to the Internet instead of isolating and hardening it. This is folly of a high order.

Important conclusions for public and corporate policy follow from this vulnerable state of affairs. First, cyber insecurity has operational consequences. In the current and foreseeable states of technology, a high degree of assurance against electronic penetration of anything connected to the Internet is not achievable. Large, efficient, electronically connected organizations and nations are therefore vulnerable to remotely engineered disruption as well as information theft.

Second, this risk cannot be eliminated -- but it can be reduced and managed. As a nation, the United States should start by isolating the grid's controls from the Internet. Undoubtedly, there are marginal efficiencies to be gained by seamless connectivity over a publicly accessible infrastructure, but these gains are usually exaggerated and the risk this connectivity creates is staggering. The government and the major telecommunications carriers must also make the investment required to re-create the massive redundancies that made the wired telephone network so robust. Resilience and swift recovery should be the goal. If the consequences of cyberattacks were reduced, penetration would cease to matter.

Third, companies that wait for the government to "solve" their own security problems do so at their peril. The government is broke and the IT backbone is 85 percent private, so the government doesn't control it. The government's role in altering the status quo will be limited to setting standards, using its purchasing power to move vendors toward better security, and getting its own house in order. The government can neither secure corporate intellectual property nor protect firms against operational disruption.

Fourth, in a world in which everything cannot be protected, companies must determine for themselves what intellectual property and physical assets to isolate and safeguard. Those that approach this task seriously will quickly learn that technology is only one aspect of their insecurity and, in many cases, the easiest to deal with. Unless technology is integrated with personnel practices and operational security, it opens vulnerabilities that its users rarely understand. This kind of integration requires the automated enforcement of reasonable security policies and systematic workforce training; and that occurs only when management, the lawyers, and the technologists work closely together. This is an old-fashioned management challenge -- not a technological one. For their part, corporate boards need to take IT security seriously and launch audits that examine how their systems are actually implemented and used, not merely how they are designed. Because as the techies like to put it, the weakest link in any system is not the silicon-based unit on the desk; it's the carbon-based unit in the chair.

Win McNamee/Getty Images