Cybersecurity steps, missteps


Last week was a banner week for cybersecurity policy in Washington. After years of incessant talk in the capital, there appears to be some momentum toward defending the nation's computer systems and networks, but unfortunately it's not all heading in the right direction.

In conjunction with his State of the Union Address on Feb. 12, President Barack Obama issued an Executive Order on Improving Critical Infrastructure Cybersecurity.The next day, the Cyber Intelligence Sharing and Protection Act of 2013 was introduced in the House of Representatives by Reps. Mike Rogers (R-Mich.) and C.A. "Dutch" Ruppersberger (D-Md.).

CISPA 2013 is identical to CISPA 2012, which was passed in the House last year but died after a companion bill was shot down in the Senate. If you work for a large telecommunications or technology company, your employer almost certainly loves this legislation and, in your executive leadership role, you probably do too. But in your role as a citizen, you may want to consider its ramifications.

CISPA encourages companies to share cybersecurity threat information (CTI) with government agencies, including top secret ones like the National Security Agency, which can then use it for purposes other than cyber defense. Part of the bill's danger is that the language is vague--for example, what is CTI limited to? Worse, the bill takes away the incentive to comply with privacy laws by providing companies with broad immunity to monitor, gather and share cyber threat and response information with the government.

Unlike CISPA, President Obama's executive order has the potential to add to the country's cyber defenses without trampling on our inalienable right to privacy.  It directs federal agencies to share threat information with relevant companies.  It requires agencies to include privacy and civil liberties safeguards, based on the Fair Information Practice Principles, in their cybersecurity activities.  It directs the National Institute of Standards and Technology to spearhead the development of a framework for reducing cyber risks, and it sets in motion a voluntary program to help companies implement the framework.

These are promising steps, by and large, and a critical infrastructure protection plan that is voluntary is certainly better than one that is mandated. But it is troubling that these steps were taken in a unilateral decree rather than a vote by lawmakers. Despite being voluntary, the cybersecurity program will come with incentives to participate, and ultimately the incentives could be too good for a company to refuse. Also troubling is the order's absence of clear definitions of terms like "cyberthreat."

Solutions to today's security threats are necessarily complex, and they deserve the concerted attention of lawmakers and the full, open, deliberative processes afforded the passage of laws. Too many federal powers have been expanded--at the expense of civil liberties--with the help of political maneuvering, legislative sleights of hand and fear-mongering. (The mother of all of these power expansions being the USA Patriot Act, of course.)  As I've argued in this space before, any further expansion of federal surveillance power requires a better justification than those we've been given. And don't be mistaken, the kind of fear-mongering conducted to promote last year's failed Cybersecurity Act of 2012, complete with dubious claims of a $1 trillion price tag associated with cyberthreats, does not constitute justification.

Network intrusions are not motivated by too little communications surveillance or by a lack of information-sharing between the private and public sectors. They're motivated by the vast ocean of security flaws in our systems and networks and by our unwillingness to invest in fixing them. Critical infrastructure would be more secure if software programmers wrote more secure code and if corporations invested in training employees to recognize and avoid malware.

By all means, the government should let a company know if it's about to be attacked, and the White House should be applauded for making that happen. But it remains unclear, at best, how expanding the already expansive surveillance machine, giving companies immunity from liability for violating privacy rights or compelling companies to follow "voluntary" security practices, would make the country better off. - Caron