Cybersecurity Theater vs. The Real Thing

Computer attacks cost mid- to large-size businesses $3.8 million annually on average, and generate massive global damage.

Some homeland security and cybersecurity specialists even warn of a “digital Pearl Harbor,” or can’t seem to rule it out.

But that doesn’t mean anything goes when it comes to dealing with the matter. A proposed presidential “kill switch” to take critical infrastructure offline, so to speak, has caused consternation, particularly in the wake of Egypt’s “pulling the plug.”

Yet politicians persist in leaning toward establishing “national strategies.”

For example, Rep. Jim Langevin (D-RI) is introducing his Executive Cyberspace Coordination Act today, to create a National Office for Cybersecurity. (Coincidentally, speaking of national plans, today is also the anniversary of the Federal Communications Commission’s “National Broadband Plan.”)

He’s far from the first; the Obama Cyberspace Policy Review’s assertion that “The White House Must Lead the Way Forward” exemplifies this stance.

It always seems to be the same default when we get worried: national strategies; cybersecurity coordinators, agencies and programs; public/private partnerships; millions in cyber research grants and in programs to steer students toward cybersecurity research (the Langevin bill, for its part, calls them Cyber Challenge Programs).

In truly national defense, no one that I know of argues there’s no government role. But the wrong cyber-laws can mean government locking in inferior security technologies and procedures. For example, disclosure and reporting techniques can be appropriate—or they might do more harm than good. Besides, the really bad guys (as opposed to commercial interests that need to perform) won’t obey the law anyway, and are probably overseas to boot.

Some proposals have entailed a formal readiness mandate on the private sector that would parallel some disclosures required during the Y2K transition. But if a CEO certifies a security report, following the letter of the law, and there’s a breach, what happens? One suspects that the hammer would fall on companies blamed in the event of a cyber attack; but who can doubt that Homeland Security officials will gain even more power if an attack happens under one of their own “green light” advisories?

We must be on guard against cybersecurity becoming cyber-pork as well. Apart from steering students—whom the market is perfectly capable of steering via higher salaries—security dollars thrown at contractors are not always the same as actual protection. Such proposals have included calls for a government-funded early warning system about cyber hazards, a national media campaign to promote home safety tips, and even our “Cyber Security Month,” the cyber-equivalent of the Department of Homeland Security’s color-coded threat level advisory system. I’m not sure such things are always encouraging.

Industry and policy groups have weighed in. “Improving our Nation’s Cybersecurity through the Public-Private Partnership” is a comprehensive white paper (from the Internet Security Alliance, TechAmerica, CDT, BSA and the Chamber of Commerce) with an appropriate nod toward partnerships in key areas but stressing the discipline of “market incentives.” Such incentives can be done well, or poorly; if government’s always steering, it’s the latter.

Whatever officials’ frustrations, it’s not clear what government’s capabilities really are with respect to private infrastructure cybersecurity, regardless of resources. Ensuring that nothing blocks markets from reacting as fluidly as possible rather than oversteering cybersecurity should be the guiding principle.

Indeed, agreement even on fundamentals with respect to where to allocate resources and know-how isn’t assured: the relative likelihood of physical vs. cyber-attacks, for example; or of cyber-terror vs. cybercrime aimed at banks or other institutions.

A proper cyberspace protection plan would highlight the need to deregulate critical infrastructure network assets like telecommunications and electricity networks as job #1, yet that’s not even on the agenda. The proper appreciation of the relationship between cybersecurity and overly regulated critical infrastructure simply does not exist; otherwise policymakers would have liberalized electricity networks years ago, to allow more investment and a more robust grid via the all-important property-rights incentive and competition. And today, they would without hesitation forbid the compulsory “net neutrality” in the telecommunications industry that threatens sound network evolution and armor-plating. Instead, they seek to extend the concept even to emergent mobile networks.

Policymakers more attuned to cybersecurity would also emphasize relaxation of antitrust. One of the less controversial cybersecurity tasks often ascribed to government is the role of coordinating (certain) information sharing (of course it can be done poorly also). But there may be artificial impediments to improved voluntary information sharing; we should examine the extent to which antitrust laws may inhibit needed coordination among firms.

Relaxing antitrust constraints could also allow firms to enhance reliability and security not just by sharing information but through “partial mergers” of the kind that would make today’s antitrust enforcers squirm. In yet another policy arena, overly aggressive interpretations of the Freedom of Information Act also may inhibit certain private information sharing.

Washington does have a substantial overarching role, but it entails protecting government’s own insecure networks and setting reasonable internal government software and security product standards. It involves arresting computer criminals, not cyber-regulating. It means making sure government doesn’t increase its own culpability in cybersecurity risk by undermining individual privacy in this age of proposed national ID cards, biometrics, RFID, and weak cloud-computing and mobile-device privacy.

Private sector experimentation in cybersecurity is messy but completely necessary. The decentralized, experimental marketplace increasingly finds itself forced to address cybersecurity and learn lessons that should handily outperform overly centralized government “Cyberspace Policy.” Companies are automating and outsourcing security; biometrics are restricting access to critical facilities. It goes on and on.

Experimentation is necessary with respect to what counts as appropriate and inappropriate information sharing; the tug of war between anonymity vs. authentication needs to proceed. And fragile, frontier institutions of insurance and liability are emergent. Moreover, lessons learned from today’s online privacy and digital piracy conflicts will inform cybersecurity more generally.

Speaking of that privacy, another imperative is to better recognize and allow for distinctions between commercial and political anonymity. Outlawing online anonymity is no answer for cybersecurity and a non-starter; but private sector “regulation” of anonymity via developing authentication technologies far more capable than those of today can be critical in commercial settings. If we were building the Net from the ground up knowing what we know today, authentication might have figured into the core in a way absent today. Or maybe not; that’s the nature of experimentation and trade-offs.

One problem today is that few stand in any position to make security guarantees on an Internet with a built-in, open and trusting architecture. Cybersecurity legislation mustn’t undermine the evolution and experimentation needed to support those emergent guarantees. Neither immunity nor imposed liability are appropriate, yet both have been proposed by policymakers who think they are making a case for cybersecurity.

When the iterative marketplace screws up, it’s easier to swiftly change course than it is to undo bad legislation. Entrenched regulation that straitjackets how we respond to cyber threats can mean that genuine security advancements, however imperative as conditions change, simply cannot occur when we need them most.