The Internet is a fascinating place. A near infinite maze of networks and systems, it unites a transnational polity of multinational corporations, government agencies, and individual actors — a global colloquy hosted by the digital common denominator.
In stark contrast to our “lead-pipe” systems of yesteryear, this digital labyrinth functions as a multicursal puzzle. The Internet is comprised of a complex branching of ambiguous routes that continually reshape conventional communications media such as telephone, music, film and television. It presents a fathomless choice of path and direction, running like water through stone and sand, coursing forward in an ever-expanding “network of networks” that connects people, places and ideas.
But it also sets the scene of a 21st century battleground, where a multivariate host of attacks on our shared cyber-networks has matured into a serious threat to our economic and national security. According to federal warnings, our nation’s computer systems are susceptible to critical strikes against public and private sectors alike. In recent months, FBI Director Robert Mueller has reiterated his January testimony before the Senate Select Committee on Intelligence that new cyber-threats would exceed terrorism as the nation’s top security concern.
But much like our response to the phantasmal specter of “global terror” demands innovative and versatile tactics, defense against the multidimensional menace of cyber-assault remains a work in progress.
Now, the battle for cyber-security has found its way to the United States Congress, where lawmakers and the White House are rousing fears of cyber-cataclysm if elected officials don’t defend our virtual shores. Two competing bills have emerged in the Senate — the first being the “Cybersecurity Act of 2012,” co-authored by Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine), that would require computer systems from “critical industry” sectors meet security benchmarks established by the Department of Homeland Security. A competing bill — titled “SECURE IT” — was subsequently introduced by Sen. John McCain (R-Ariz.), who agrees in principle with a legislative response to the danger of cyber-attacks, but worries about the potential drawbacks of arbitrary, or ineffectual, regulatory burdens on private enterprise. His bill promotes an information sharing architecture between the public and private sectors.
Make no mistake, this is no easy fix. “Cyber-security” implies an international reply to threats large and small, and demands construction of a policy regime that staunches complex fissures between industry and government through effective global risk management. All the while, it remains incumbent upon legislators to steer clear of muddling audits, assessments and standards that retard growth and innovation of those companies judged to be “covered critical infrastructures” by the savants at DHS.
Although he’s now backing the Lieberman-Collins bill, President Obama has failed to adequately address threats to our federal cyber-environment. According to the Office of Management and Budget, nearly 42,000 reported cyber-attacks harried federal networks in 2010. These strikes represented a 39 percent uptick from the previous year. DHS, the Department of Defense, and other national security agencies have been successfully targeted by dozens of high-profile cyber hack-tics.
Conversely, during the same time period, the number of successful cyber-assaults on private networks decreased by 1 percent, suggesting modest gains in the digital trenches of the citizen sector.
Lest we content ourselves with the notion that private industry is potentially capable of managing its own house more effectively than the feds, Sen. Lieberman and co-sponsor Sen. Jay Rockefeller (D-W.Va.) have busily conjured looming terror attacks on our national infrastructure, against the political backdrop of September 10, 2001, presumably with their hair on fire:
Think about how many people could die if a cyber terrorist attacked our air traffic control system and planes slammed into one another […] or if rail-switching networks were hacked — causing trains carrying people, or hazardous materials — to derail and collide in the midst of some of our most populated urban areas, like Chicago, New York, San Francisco or Washington.
It smacks of a familiar narrative employed by some politicians who forecast untold disaster they can’t be held responsible for if we are unwilling to surrender, post haste, to their authority. It also presupposes the dubious claim that federal bureaucracy could stay abreast of technology — as opposed to private enterprise, fueled by its own best interest to keep profitable networks secure. Rather than supporting the development of private security technologies, as a major consumer of products and services, the federal government (under the auspices of DHS) could simply “commandeer private infrastructure into its regulatory regime simply by naming it ‘covered critical infrastructure,'” writes the Cato Institute’s IT guru, Jim Harper.
In an op-ed piece penned for the Hill, Sen. Ron Johnson (R-Wisc.) writes, “Cyberexperts have warned that it could take eight to 10 years for DHS to develop cyber regulations. Ten years is a millennium in technological terms; 10 years ago, there was no iPad, no Wii and most Americans had never heard of the ‘cloud.'” This speaks to the main problem with regulation where it concerns a vibrant industry like technology — it demands impossible prescience to protect against unknown threats, arising in the unspecified future.
Should we succumb to our well-intentioned, but short-sighted, inclination to bind intricate knots of very different threats into a byzantine policy posture, we may handcuff our own defense. Worse yet, we may never know what hit us, until well after the fact. DHS is rarely praised for its deft touch, pro-activity, or technological savvy. As such, there’s every reason to presume new benchmarks and audits will simply create an instantly archaic “check-list” of nominal cyber-defense that foists a false sense of security on American industry and the public.
Consider what we’re up against. Companies and foreign governments are already infiltrating American industry’s tech networks to steal trade secrets, and chip away at competitive advantages developed here, on our home soil. But this sort of cyber-crime has little to do with collaborative, international hack-tivist operations, such as Anonymous or Wikileaks. Likewise, the latter activities are wholly unrelated to the “kinetic” impact of a hypothetical cyber-plot to crash air-traffic control.
Cyber-security regulations often entail an unwieldy response to an amorphous crisis that cannot be solved with a “one size fits all” resolution. In a conversation with Jim Harper, of Cato, he posited the preposterous: “Imagine if Congress were to propose legislation promoting ‘Earth Security.'” Thus, the confounding nature of cyber-defense.
The private sector is quickly rallying behind McCain’s bill that prioritizes information sharing between government and industry, and the development of fluid protections of cyber-networks through “best practice” improvements. The bill eliminates arbitrary legal roadblocks that currently prevent interaction between the government and the private sector, while protecting industry from hectoring audits, frivolous lawsuits and limitations on civil liberties. Moreover, it demonstrates the private sector’s clear aversion to heavy-handed regulation amidst the complex and amorphous terrain of cyber-security.
If the Internet flows like water, it seems the private sector has the good sense to stay comparatively “liquid” when it comes to a proactive defense — while waiting for those who demand capitulation to get their own “cyber-house” in order before claiming responsibility for ours.