Building Legal Frameworks For Cybersecurity Change

October marked the sixth annual National Cybersecurity Awareness Month sponsored by the Department of Homeland Security. It came and went with little fanfare, maybe because signing proclamations is one thing while making significant change in Washington, D.C. is a different matter.

A lot of Joe Citizens might not know it, but at this moment corporate America is facing a huge threat to its way of doing business.

In cyberspace there is a way for third parties to shut down the infrastructure business runs upon -- whole data centers, networks and systems. Clearly, the White House gets this message -- hence the proclamation. And yet the leaders on the Hill and executive leaders are sitting back and doing not enough to neutralize the threat to commerce in a meaningful way.

No Effective Policies
The government has no effective cybersecurity policy when it comes to commerce and individuals -- for the most part our government has focused on protecting government systems. But the country runs on the back of private infrastructure. It is private companies that run power grids, control money, keep most hospitals running, and much more. If the networks of these private companies are taken out, then we face an interruption to our way of life.

And even as cybercriminals are building more and more effective attacks, the nature of politicians on the Hill is to wait until catastrophe strikes before taking action. The argument can be made that elected officials are so busy managing two wars, healthcare reform, and economic stimulus that cybersecurity is a back-burner issue.

But in many ways, the cybersecurity threat to our infrastructure is very much analogous to where we were with credit default swaps before things went crazy last year. If political leaders had addressed the economic problems when they first saw them in 2000 or 2001, they could have headed off our current situation. As the head of a security technology company, I feel like I am watching the same thing happen in the cybersecurity arena. We need our leaders to act now before things spin out of control and become a national disaster.

A Patchwork of Laws
Cybersecurity needs a radical game changer when it comes to policy. Part of the problem right now is that industry has tried to deal with the problem, but government keeps getting in the way.

There exists right now an insane patchwork of laws that has created an environment where non-government entities are barred from effectively protecting themselves in cyberspace. For example, the typical Internet Service Provider could take a lot of actions to protect its customers from the criminal element, but most attempts to do so would trigger retribution from the ACLU and other privacy advocates.

The thinking is that it would be an invasion of privacy for ISPs to look at the traffic crossing their infrastructure, and that it would hurt the electronic privacy of individuals. I recently found out at a cyber conference that ISPs do in fact provide this kind of service, but only to large enterprises. They don't provide it to consumers or even small businesses. They provide it to large corporations under the concept that employees at these companies have no expectation of privacy. Unfortunately, this means that there are still plenty of individual computers out on the Internet wide open to attack and easily yoked into a botnet.

Protecting Customers
I believe that a balance needs to be struck, sort of a cyber Good Samaritan law that allows ISPs protecting their customers to be given safe harbor for their actions. Perhaps the radical game changer could be to give ISPs the power to have customers opt-in to an alternate ‘secure Internet,’ one which they give up some level of privacy rights for the sake of security. Those consumers would be protected from external attacks and could have their machines disinfected at will. And those who choose not to opt into the ‘secure Internet’ would then be subject to potential legal liability for the action of their computer if that machine is compromised by a bot and used in an attack.

This kind of radical shift isn’t impossible. In fact, it is happening in Australia already. Reports from Down Under show that lawmakers there are drafting a bill that will offer the legal framework to shield ISPs from privacy laws when engaging in security and defense activities.

I believe that it will take courage, but that we need to start thinking about similar types of legal frameworks here in the United States. Take the bureaucratic position of the White House cybersecurity advisor, a vacant position that it seems the President has had a difficult time filling since he announced the job was up for grabs last spring. Part of the problem is the non-viability of the job -- it’s a lose-lose position that not many people, particularly the ones qualified to fill it, really have aspirations to take. As an appointed bureaucrat, the next cyberczar does not have enough authority or the budget to truly be an agent of action.

If the President is truly serious about making a real difference in our cybersecurity policies and procedures, I believe he needs to get together with leaders in Congress to draft a true legal framework that will empower the cybersecurity czar to do what needs to be done.

These ideas may seem extreme, but that is only because the problem we face is extreme. We need to truly recognize how disastrous an attack on our computing infrastructure would be to our national economy. It could be as devastating to our national psyche as any attack the U.S. has faced. Such a drastic danger calls for drastic actions.


About the Author

Philip Lieberman is a 30-year veteran of the software industry and is president of Los Angeles-based Lieberman Software.
