Cyber Insecurity: Flip That Internet “Kill Switch” Plan

Unless there’s a major critical infrastructure failure, cybersecurity’s never going to be a pop culture concern like Cee-Lo Green or Christina at the Super Bowl. But the idea that some in Congress seek an Internet “kill switch” has many alarmed on grounds of free speech, privacy and basic rationality and workability, as a new USA Today article attests.

Anticipated reintroduction of the “Protecting the Internet as a National Asset” bill is a hot issue now. The bill contains controversial provisions to allow the president to assume control of critical private network assets in the event of a “cyber-emergency.” Whether there’s a place for the president to actually go to flip an Internet switch (and seemingly there’s not, unlike the greater ease with which Hosni Mubarak shut things down in Egypt), what is clear is that the proposal does allow the president to “prioritize” communications for the rest of us whether we’d want him to or not.

Policymakers should reject such proposals to centralize cybersecurity risk management. Just as TSA’s airport pageantry is often called “security theater,” this seems more like cybersecurity theater.

This year is only 2011.  Network technologies advance relentlessly–unless someone stops them.  The kind of Internet that will evolve if government can resort to a “kill switch” will be vastly different from, and inferior to, the safer one that will emerge otherwise.  Government must coexist with, rather than crowd out, private sector primacy in security technologies, strategies, network management, asset deployment, governance and final say-so.

Law enforcement’s role in punishing intrusions on private networks and infrastructure is critical. But the unmistakable tenor of the cybersecurity discussion today is yet more government steering while the market rows. Government interference ratchets upward but rarely downward.

The Internet is many networks, and increasingly may become more like “splinternets” in future decades with sensitive information separated from inconsequential information, and some networks armor-plated while others remain wispy. That’s a good thing. Myriad private sector “kill switches” can be appropriate where a centralized one would not be.

Like other kinds of wealth creation, security “wealth creation” in communications and critical infrastructures is properly a competitive feature, one best advanced by non-political solutions. Firms face unrelenting competitive pressures from customers, upstream and downstream business partners and the capital markets to advance security. Cybersecurity technologies—from biometric identifiers to firewalls to encryption—and cybersecurity services—from consulting to liability insurance to network monitoring—thrive on competition.  Ill-conceived public policy that undermines the evolving and still-unrevealed array of security approaches could do grave damage.

Six Federal Steps to Strengthening Cybersecurity

This doesn’t mean Washington doesn’t have a role. Existing policies and disdain for private property and competitive pressure’s role in enhancing security point to options that could merit starting with a new bill.

Emphasize securing government networks: Government is a lead offender in network vulnerabilities, including the Department of Homeland Security itself, and its lack of respect for the sanctity of personal information is appalling. Washington should focus on protecting the government’s own networks and setting security standards for its own agencies and tracking and arresting actual computer criminals.

Don’t define what security is: As just one instance, interventions like the White House’s “authentication strategy” in its National Strategy for Trusted Identities in Cyberspace are overly presumptive in that they fail to acknowledge the legitimacy of anonymity strategies. Enough already with “national strategies” and the hubris of designating others’ private networks a “National Asset,” as in this cybersecurity bill. In a free society, individuals should be able to present different faces to the world in different contexts, and networks should compete on the security features they offer. Inadequate authentication technologies and the inability to exclude bad actors are often at the core of today’s cybersecurity problems. The competition between anonymity strategies and authentication strategies (particularly as biometrics advance) offers great hope for escalating security.

Stop interfering with the ability to make cybersecurity guarantees: Too often, firms want to make ironclad privacy guarantees but cannot do so on account of the same government claiming to seek security. Policymakers should reform many things, including outdated privacy laws that provide insufficient protections against governmental access to sensitive data, or to data that individuals share with commercial entities. In the same vein, policymakers should avoid the coercive data retention mandates, national identification schemes and warrantless Internet surveillance with which they’re so enamored.

Deregulate critical infrastructure networks such as telecommunications and electricity: Businesses in the high-tech sector increasingly demand better service and security. Properly fulfilling these demands will necessitate far greater liberalization of critical infrastructure assets like telecommunications and electricity networks, including the relaxation of antitrust constraints that prevent firms, intra-industry, from coordinating information security strategies and enhancing reliability of overlapping critical infrastructure. This is one element of the need to enable myriad private “kill-switches,” properly understood, a need more important than that of one for a president.

Reject onerous privacy regulation: While government thwarts firms’ ability to make privacy guarantees, it regulates information collection and use in destructive and short-sighted ways. The new Congress is already gearing up to consider draft legislation that would govern how private companies can use data. It’s a huge topic, and Congress needs to explore how interference with information markets disrupts the need to enhance procedures to protect that information.

Reject compulsory net neutrality: Compulsory net neutrality, a hot topic in Congress now given the FCC’s rulemaking in the absence of any congressional authority to act, is incompatible with cybersecurity and should be explicitly ruled out by an act of Congress, by exercise of the Congressional Review Act, or by withholding of FCC appropriations to “enforce” it. Congress should hold hearings on the abysmal appreciation that the administration and agencies seem to have of network property rights and the creation of secure infrastructure wealth and content.

Few probably doubt that we need far greater cybersecurity and critical infrastructure security than we have, especially in an age of terrorist threats and relentless cyber-attacks on U.S. networks that do take place. Risks are very real, and current security practices are very lax. But proposals angling toward any sort of kill switch are not properly considered cybersecurity.

Cybersecurity’s not a popular topic. The right policies will best ensure that we stay safe and that it, in turn, never becomes one.