Today the Heartland Institute is publishing my policy brief, U.S. Cybersecurity Policy: Problems and Principles, which examines the proper role of government in defending U.S. citizens, organizations and infrastructure from cyberattacks, that is, criminal theft, vandalism or outright death and destruction through the use of global interconnected computer networks.
The hype around the idea of cyberterrorism and cybercrime is fast reaching a point where any skepticism risks being shouted down as willful ignorance of the scope of the problem. So let’s begin by admitting that cybersecurity is a genuine existential challenge. Last year, in what is believed to be the most damaging cyberattack against U.S. interests to date, a large-scale hack of some 30,000 Saudi Arabia-based ARAMCO personal computers erased all data on their hard drives. A militant Islamic group called the Sword of Justice took credit, although U.S. Defense Department analysts believe the government of Iran provided support.
This year, the New York Times and Wall Street Journal have had computer systems hacked, allegedly by agents of the Chinese government looking for information on the newspapers’ China sources. In February, the loose-knit hacker group Anonymous claimed credit for a series of hacks of the Federal Reserve Bank, Bank of America, and American Express, targeting documents about salaries and corporate financial policies in an effort to embarrass the institutions. Meanwhile, organized crime rings are testing cybersecurity at banks, universities, government organizations and any other enterprise that maintains databases containing names, addresses, social security and credit card numbers of millions of Americans.
These and other reports, aided by popular entertainment that often depicts social breakdown in the face of massive cyberattack, have the White House and Congress scrambling to “do something.” This year alone has seen Congressional proposals such as the Cyber Intelligence Sharing and Protection Act (CISPA), the Cybersecurity Act and a Presidential Executive Order all aimed at cybersecurity. Common to all three is a drastic increase in the authority and control the federal government would have over the Internet and the information that resides in it should there be any vaguely defined attack on any vaguely defined critical U.S. information assets.
Yet we skeptics recently gained some ammo. McAfee, the security software manufacturer, recently revised its estimate of annual U.S. losses attributed to cybercrime downward to $100 billion, just one-tenth of the staggering $1 trillion it estimated in 2009. This is significant because both President Barack Obama and Gen. Keith Alexander, head of U.S. Cyber Command, have invoked the $1 trillion figure to justify greater government control of the Internet.
To be sure, $100 billion is hard to dismiss, but the figure is comparable to other types of losses U.S. businesses confront. For example, auto accidents result in annual losses between $99 billion and $168 billion. So while cybersecurity is a problem that needs to be addressed, we should be careful about the way we enlist the government to do so.
We should start by questioning the rush to create new laws that have vague definitions and poor measurables for success, yet give the government sweeping powers to collect private information from third parties. The NSA’s massive collection of phone and ISP data on millions of Americans—all done within the legal scope of the PATRIOT Act—should itself give pause to anyone who thinks it’s a good idea to expand the government’s access to information on citizens.
What’s more, vaguely-written law opens the door to prosecutorial abuse. My paper goes into more detail about how federal prosecutors used the Computer Fraud and Abuse Act to pile felony charges on Aaron Swartz, the renowned young Internet entrepreneur and co-creator of the social news site Reddit, for what was an act of civil disobedience that entailed, at worst, physical trespassing and a sizable, but not far from damaging, violation of the terms of MIT’s JSTOR academic journal indexing service.
There may indeed be some debate over the legal and ethical scope of Swartz’s actions, but they were not aimed at profit or disruption. Yet the federal government decided to use a law designed to protect the public from sophisticated criminal organizations of thieves and fraudsters against a productive member of the Internet establishment, threatening him with 35 years in prison and loss of all rights to use computers and Internet for life. Swartz, who was plagued by depression, committed suicide before his case was adjudicated. Prosecutors exonerated him posthumously by dropping all charges, but controversy over the handling of the case continues to this day. (Also, a hat tip to Jerry Brito’s conversation with James Grimmelmann on his Surprisingly Free podcast.)
Proper cybersecurity policy begins with understanding that there’s a limit to what government can do to prevent cybercrime or cyberattacks. Cybersecurity should not be seen as something disassociated from physical safety and security. And, for the most part, physical security is understood to entail personal responsibility. We lock our homes and garages, purchase alarm systems and similar services, and don’t leave valuables in plain sight. Businesses contract with private security companies to safeguard employees and property. Government law enforcement can be effective after the fact – investigating the crime and arresting and prosecuting the perpetrators – but police are not routinely deployed to protect private assets.
Similarly, it should not be the government’s job to protect private information assets. As with physical property, that responsibility falls to the property owner. Of course, we must recognize the government at all levels is an IT user and a custodian of its citizens’ data. As users with an interest in data protection, federal, state and local government information security managers deserve a place at the table—but as partners and stakeholders, not as dictators.
Since the first computers were networked, cybersecurity has best been managed through evolving best practices that involve communication across the user community. And yes, despite what the President and many members of Congress think, enterprises do share information about cyberattacks. For years they have managed to keep systems secure without turning vast quantities of personal data on clients and customers over to the government absent due process or any judicial warrant.
In terms of lawmaking, cybercriminal law should be treated as an extension of physical criminal law. Theft, espionage, vandalism and sabotage were recognized as crimes long before computers were invented. The legislator’s job is first to determine how current law can apply to new methods used to carry off age-old capers, amending where necessary, as opposed to creating a new category of badly-written laws.
If any new laws are needed, they should be written to punish and deter acts that involve destruction and loss. The severity of the penalties must be consonant with the severity of the act. The law must come down hard on deliberate theft, destruction, or other clear criminal intent. Well-written law will ensure that prosecutorial resources are devoted to stopping organized groups of criminals who use email scams to drain the life savings of pensioners, not to relentlessly pursue a lone activist who, as an act of protest, downloaded and posted public-record local government documents that proved embarrassing to local elected officials.
Finally, my paper also addresses acts of cyberterrorism and cyberwar, which can exceed the reach of domestic law enforcement and involve nation-states or stateless organizations such as Al-Qaida. Combatting international cyberterrorism involves diplomacy and cooperation with allies—as well as rethinking the rules of engagement regarding response to an attack.
While it is wise to have appropriate defenses in place, before rushing to expand FISA courts or demand Internet “kill switches,” we need a calmer discussion of the likelihood of a devastating act of cyberterrorism, such as hacking into air traffic control or attacking the national power grid. Despite popular notions, attacks of this caliber cannot be carried out by a lone individual with a laptop and a public WiFi connection. An attacker would need considerable resources, the cooperation of a large number of insiders, and would have to rely on a number of factors outside his control. For more, I refer readers to a SANS Institute paper and a more recent article in Slate. Both discuss the logistics involved in a number of cyberterrorism scenarios. Suffice it to say, a terrorist can accomplish more with an inexpensive yet well-placed bomb than a time-consuming multi-stage hack that risks both failure and exposure.
The most important takeaway, however, is that today’s cybersecurity challenges can be met within a constitutional framework that respects liberty, privacy, property and legal due process. Author Eric Foner has written that since the nation’s founding, its most important organizing principle has been to maintain civil law and order within a structure of limited government powers and respect for individual rights. There is no reason this balance needs to be adjusted to favor state power at the expense of individual rights in combating computer crime or defending the nation’s information systems from foreign attack.