The Internet is a fascinating place. A near infinite maze of
networks and systems, it unites a transnational polity of
multinational corporations, government agencies, and individual
actors — a global colloquy hosted by the digital common
denominator.
In stark contrast to our “lead-pipe” systems of
yesteryear, this digital labyrinth functions as a multicursal
puzzle. The Internet is comprised of a complex branching of
ambiguous routes that continually reshape conventional
communications media such as telephone, music, film and television.
It presents a fathomless choice of path and direction, running like
water through stone and sand, coursing forward in an ever-expanding
“network of networks” that connects people, places and
ideas.
But it also sets the scene of a
21st century battleground, where a multivariate
host of attacks on our shared cyber-networks has matured into a
serious threat to our economic and national security. According to
federal warnings, our nation’s computer systems are susceptible to
critical strikes against public and private sectors alike. In
recent months, FBI Director Robert Mueller has reiterated his
January testimony before the Senate Select Committee on
Intelligence that new cyber-threats would exceed terrorism as the
nation’s top security concern.
But much like our response to the phantasmal specter of
“global terror” demands innovative and versatile tactics, defense
against the multidimensional menace of cyber-assault remains a work
in progress.
Now, the battle for cyber-security has found its way to
the United States Congress, where lawmakers and the White House are
rousing fears of cyber-cataclysm if elected officials don’t defend
our virtual shores. Two competing bills have emerged in the Senate
— the first being the “Cybersecurity
Act of 2012,” co-authored by Sens. Joe Lieberman
(I-Conn.) and Susan Collins (R-Maine), that would require computer
systems from “critical industry” sectors to meet security benchmarks
established by the Department of Homeland Security. A competing
bill — titled “SECURE
IT” — was subsequently introduced by Sen. John McCain
(R-Ariz.), who agrees in principle with a legislative response to
the danger of cyber-attacks, but worries about the potential
drawbacks of arbitrary, or ineffectual, regulatory burdens on
private enterprise. His bill promotes an information sharing
architecture between the public and private sectors.
Make no mistake, this is no easy fix. “Cyber-security”
implies an international reply to threats large and small, and
demands construction of a policy regime that staunches complex
fissures between industry and government through effective global
risk management. All the while, it remains incumbent upon
legislators to steer clear of muddling audits, assessments and
standards that retard growth and innovation of those companies
judged to be “covered critical infrastructures” by the savants at
DHS.
Although he’s now backing the Lieberman-Collins bill,
President Obama has failed to adequately address threats to our
federal cyber-environment. According to the Office of Management
and Budget, nearly 42,000 reported cyber-attacks harried federal
networks in 2010. These strikes
represented a 39 percent uptick from the previous year. DHS,
the Department of Defense, and other national security agencies
have been successfully targeted by dozens of high-profile cyber
hack-tics.
Conversely, during the same time period, the number of
successful cyber-assaults on private networks decreased by 1
percent, suggesting modest gains in the digital trenches of the
citizen sector.
Lest we content ourselves with the notion that private
industry is potentially capable of managing its own house more
effectively than the feds, Sen. Lieberman and co-sponsor Sen. Jay
Rockefeller (D-W.Va.) have busily
conjured looming terror attacks on our national
infrastructure, against the political backdrop of September 10,
2001, presumably with their hair on fire:
“Think about how many people could die if a cyber terrorist
attacked our air traffic control system and planes slammed into one
another […] or if rail-switching networks were hacked — causing
trains carrying people, or hazardous materials — to derail and
collide in the midst of some of our most populated urban areas,
like Chicago, New York, San Francisco or Washington.”
It smacks of a familiar narrative employed by some
politicians who forecast untold disaster they can’t be held
responsible for if we are unwilling to surrender, posthaste,
to their authority. It also presupposes the dubious
claim that federal bureaucracy could stay abreast of technology —
as opposed to private enterprise, fueled by its own best interest
to keep profitable networks secure. Rather than supporting the
development of private security technologies, as a major consumer
of products and services, the federal government (under the
auspices of DHS) could simply “commandeer private infrastructure
into its regulatory regime simply by naming it ‘covered critical
infrastructure,’”
writes the Cato Institute’s IT guru, Jim
Harper.
In an op-ed piece penned for the
Hill, Sen. Ron Johnson (R-Wisc.)
writes, “Cyberexperts have warned that it could
take eight to 10 years for DHS to develop cyber regulations. Ten
years is a millennium in technological terms; 10 years ago, there
was no iPad, no Wii and most Americans had never heard of the
‘cloud.’” This speaks to the main problem with regulation where it
concerns a vibrant industry like technology — it demands
impossible prescience to protect against unknown threats, arising
in the unspecified future.
Should we succumb to our well-intentioned, but
short-sighted, inclination to bind intricate knots of very
different threats into a byzantine policy posture, we may handcuff
our own defense. Worse yet, we may never know what hit us, until
well after the fact. DHS is rarely praised for its deft touch,
pro-activity, or technological savvy. As such, there’s every reason
to presume new benchmarks and audits will simply create an
instantly archaic “check-list” of nominal cyber-defense that foists
a false sense of security on American industry and the
public.
Consider what we’re up against. Companies and foreign
governments are already infiltrating American industry’s tech
networks to steal trade secrets, and chip away at competitive
advantages developed here, on our home soil. But this sort of
cyber-crime has little to do with collaborative, international
hack-tivist operations, such as Anonymous or Wikileaks. Likewise,
the latter activities are wholly unrelated to the “kinetic” impact
of a hypothetical cyber-plot to crash air-traffic
control.
Cyber-security regulations often entail an unwieldy
response to an amorphous crisis that cannot be solved with a “one
size fits all” resolution. In a conversation, Jim Harper, of
Cato, posited the preposterous: “Imagine if Congress were to
propose legislation promoting ‘Earth Security.’” Thus, the
confounding nature of cyber-defense.
The private sector is quickly rallying behind McCain’s
bill that prioritizes information sharing between government and
industry, and the development of fluid protections of
cyber-networks through “best practice” improvements. The bill
eliminates arbitrary legal roadblocks that currently prevent
interaction between the government and the private sector, while
protecting industry from hectoring audits, frivolous lawsuits and
limitations on civil liberties. Moreover, it demonstrates the
private sector’s clear aversion to heavy-handed regulation amidst
the complex and amorphous terrain of cyber-security.
If the Internet flows like water, it seems the private
sector has the good sense to stay comparatively “liquid” when it
comes to a proactive defense — while waiting for those who demand
capitulation to get their own “cyber-house” in order before
claiming responsibility for ours.