Cybersecurity

Ahead of today’s cybersecurity hearing in the Senate, I wanted to jot down some thoughts on the issue. For over a year now, I’ve been questioning the need for federal intervention in cybersecurity and calling for a slower and more deliberate process. Perhaps I come across as a refusenik, but I hope that I’m at least lending some balance to the debate.

First, let me say that I fully recognize that the U.S. faces serious cyber threats. [Here is](http://selil.com/archives/2985) one of the best (and most honest) cases for being worried that I’ve seen. I get it.

That said, what I try to point out is that the existence of a threat [does not necessarily mean](http://techliberation.com/2012/02/16/too-big-to-face-incentives/) that regulation is necessary. In many cases, the threat [can be internalized](http://techliberation.com/2012/01/24/is-there-a-market-failure-in-cybersecurity-its-not-an-open-and-shut-case/) by affected private actors. Even if we determine that some private actors are not internalizing the costs, prescriptive regulation can sometimes do more harm than good. The best thing we can do is not try to prevent harm at all costs, but instead make sure that we are resilient so that no single threat can destroy us. And we [may be more anti-fragile](http://mercatus.org/publication/beyond-cyber-doom)–more resilient and more capable of adaptation–than we’re led to believe.

That brings me to the other thing I try to point out: that the rhetoric surrounding cybersecurity is often unnecessarily alarmist. Introducing the Cybersecurity Act of 2012, Sen. Rockefeller equated the cyber threat with the nuclear threat. I’m sorry, but I don’t think that’s right. It does scare people, however, and I’m afraid that we will be sold an expensive bill of goods based on fear.

So I’m happy to see that both the Senate and the House have begun to take more realistic approaches to cybersecurity. For example, the [Rockefeller-Snowe bill](http://www.opencongress.org/bill/111-s773/show) from last congress would have required the Department of Commerce to develop “a national licensing, certification, and periodic recertification program for cybersecurity professionals,” and would have made certification mandatory for anyone engaged in cybersecurity. I’m happy to see that’s gone in the new bill. I’m glad that there is no “[Internet kill switch](http://techliberation.com/2011/02/19/the-internet-kill-switch-debate/).” I’m also happy to see that the bill includes a way for private industry to appeal its inclusion in the regulatory regime.

Where do I think there may be a role for government? Information sharing certainly comes to mind. There is no doubt that there’s a lot that the public and private sectors can learn from each other. And to the extent that private actors are prevented by privacy laws from cooperating on cybersecurity, there should be a way to facilitate cooperation without endangering consumer protections. Additionally, requiring disclosure of security breaches is not a bad idea. It would allow insurance markets and other markets to serve as an alternative to regulation, or as Cass Sunstein calls it, regulation through transparency.

Too big to face incentives

February 16, 2012

Here, in one sentence, is what’s wrong with [Stewart Baker’s testimony](http://www.skatingonstilts.com/skating-on-stilts/2012/02/testifying-about-cybersecurity-legislation.html) on cybersecurity before the Senate Homeland Security committee today:

>If an asset is not designated as “covered critical infrastructure,” then the owner has no obligation under the bill to guard against attack by hackers, criminals, or nation states, leaving those who depend on the asset unprotected.

The logic here is that if a private network is not forced by government to protect itself, then it will be left unprotected and wide open for attack. There is no private incentive to secure one’s investment, the argument seems to be. If you’d like an explanation of why this isn’t logical, see Eli Dourado’s [paper on cybersecurity market failure](http://mercatus.org/publication/there-cybersecurity-market-failure-0).

One more thing: according to Baker, present network insecurity “could easily cause the United States to lose its next serious military confrontation.” I understand asymmetric threats, but here is a [listing of military spending by country](http://en.wikipedia.org/wiki/List_of_countries_by_military_expenditures). “Easily” doesn’t come to mind.

Tate Watkins and I have [an essay in Wired today](http://www.wired.com/threatlevel/2012/02/yellowcake-and-cyberwar/) looking at how the overheated rhetoric and unsupported claims around cybersecurity inflate the threat and may lead us to a new cyber-industrial complex. It’s the same theme we explore in our recent Harvard National Security Journal article and also in a feature in Reason a few months ago.


What do we mean by overheated rhetoric that serves more to scare than to inform? Here are some statements from Sen. Jay Rockefeller introducing the comprehensive cybersecurity bill on the Senate floor today:

>“The experts are warning us that we are on the brink of something much worse. Something that could bring down our economy, rip open our national security, or even take lives. The prospect of mass casualty is what has propelled us to make cybersecurity a top priority for this year, to make it an issue that transcends political parties or ideology. …

>“Admiral Mike Mullen, former Joint Chiefs chairman, said that a cybersecurity threat is the only other threat that is on the same level as Russia’s stockpile of nuclear weapons. …

>“We are on the brink of what could be a calamity. A widespread cyber attack could potentially be as devastating to this country as the terror attacks that tore apart this country 10 years ago. …

>“Think about how many people could die if a cyber-terrorist attacked our air traffic control system, both now and when it’s made modern, and our planes slammed into one another. Or rails switching networks were hacked causing trains carrying people, and more than that perhaps hazardous material, toxic materials, to derail or collide in the midst of our most populated urban areas like Chicago, New York, San Francisco, Washington, DC, etc.”

He also touched on pipeline explosions and electricity blackouts, of course, and said that we needed to act immediately. It seems that some GOP senators are [calling for a delay on the bill](http://thehill.com/blogs/hillicon-valley/technology/210671-gop-senators-call-for-delay-on-cybersecurity-bill). Stay tuned.

My seen-it-all cool was shaken yesterday when I examined how a Senate cybersecurity bill would scythe down legal protections for privacy. Anyone participating in government “cybersecurity exchanges” would have nearly total immunity from liability under any law. No Privacy Act, no ECPA, no E-Government Act, no contract law, no privacy torts. The scuttlebutt is that Senator Reid (D-NV) may push this especially hard as payback to the Internet for the SOPA/PIPA debacle.

In the push for cybersecurity legislation, Congress is driven far more by its desire to act (and D.C. lobbyists’ desire to have Congress act) than by any plausible contribution it can make to the difficult problem of securing computers, networks, and data. That’s why this cybersecurity bill, and all others I have seen, have greater costs than benefits.

Read about the devastation for privacy and the rule of law on offer in a current draft in “The Senate’s SOPA Counterattack?: Cybersecurity the Undoing of Privacy.”

Over at TIME.com I take a look at the different approaches to cybersecurity now being considered by Congress:

>But what can congress do to improve cybersecurity? One line of thinking reportedly embodied by the Senate legislation, though details of that bill are not yet available, would tell network owners how to protect their systems. The Department of Homeland Security would be charged with creating security rules and punishing companies that did not comply. Such a prescriptive approach may not be very helpful, however. …

>The bipartisan approach moving forward in the House, on the other hand, takes a different approach. At the center of the PRECISE Act is the creation of a non-profit National Information Sharing Organization (NISO) that would serve as a clearinghouse for the voluntary exchange of cybersecurity threat information between government and industry. Under the NISO umbrella, as long as they only share information for cybersecurity purposes, industry and government would be exempt from privacy laws that today restrict collaboration.

Read the whole thing at TIME.com.

My latest Forbes column is entitled “Why Doesn’t Society Just Fall Apart?” and it’s a short review of Bruce Schneier’s latest book, Liars & Outliers: Enabling the Trust that Society Needs to Thrive. It’s an interesting exploration of the societal pressures that combine to ensure that (most!) societies don’t go off the rails and end in anarchic violence. In particular, he identifies and discusses four “societal pressures” that combine to help create and preserve trust within society. Those pressures include: (1) Moral pressures; (2) Reputational pressures; (3) Institutional pressures; and (4) Security systems. By “dialing in” these societal pressures in varying degrees, trust is generated over time within groups.

Of course, these societal pressures also fail on occasion, Schneier notes. He explores a host of scenarios — in organizations, corporations, and governments — when trust breaks down because defectors seek to evade the norms and rules the society lives by. These defectors are the “liars and outliers” in Schneier’s narrative and his book is an attempt to explain the complex array of incentives and trade-offs that are at work and which lead some humans to “game” systems or evade the norms and rules others follow.

Cybersecurity is one of the issues that the President may touch upon tonight in his State of the Union speech, and Senate Majority Leader Harry Reid has said he is ready to move on comprehensive cybersecurity legislation soon. This all raises the question: what is the problem we’re trying to fix?

In an important new working paper for the Mercatus Center at George Mason University, Eli Dourado asks if there is a market failure in cybersecurity that requires a government response. He concludes that policymakers may be jumping to conclusions a little too hastily.

Proponents of cybersecurity regulation make the case that private network owners do not completely internalize cyber risks. The reason, they say, is that a loss stemming from a cyber attack, against a financial network for example, will affect not just the network owner, but thousands of consumers as well. As a result, private network owners won’t spend the socially optimal amount to meet that risk. That is a market failure, they say, and only government intervention can ensure that we get the right amount of cybersecurity.

In his paper, however, Dourado shows that the presence of an externality does not necessarily mean that there is a market failure. Externalities are often internalized by private parties without government intervention. This is true both generally and in the realm of cybersecurity. Policy makers, he says, should therefore be careful not to enact cybersecurity legislation just because they observe an externality. Regulating when there is no market failure will likely have dire unintended consequences.

You can download the paper at Mercatus.org.

Over at TIME.com, [I write](http://techland.time.com/2011/11/28/hackers-blow-up-illinois-water-utility-or-not/) about the “Russian hackers are in our water plants” mini-panic that erupted last week. Turns out it was a false alarm, but that didn’t stop the rhetoric from going into overdrive. Check out [this story from Nov. 21](http://www.newsfactor.com/news/Stuxnet-Hit-on-Utility-Signals-New-Era/story.xhtml?story_id=111003TTUKBI&full_skip=1), one day before DHS and the FBI announced there was no attack, which said that a variant of Stuxnet had been used to attack the Illinois water plant and “caused the destruction of a water pump”. My takeaways from this incident:

>First, we shouldn’t jump to conclusions based on sketchy first reports of cyberattacks. Bad reporting tends to take on a life of its own. Two years ago, an electrical blackout in Brazil was similarly blamed on hackers, but the cause turned out to be [nothing more than sooty insulators](http://www.wired.com/threatlevel/2009/11/brazil_blackout/). That hasn’t stopped pundits, defense contractors and politicians from citing the debunked incident as evidence that we need comprehensive legislation to regulate Internet security.

>Second, although Bellovin was mistaken in believing the initial reports, he’s right that such an attack is possible. The discussion should be about the possible magnitude of attacks and what can be done to prevent them. Although the rhetorical engines of those who want new cyber-legislation were spinning into overdrive before the facts abruptly shut them down, this incident, if it had been a cyberattack, would not have shown a dire need for new rules. Instead, it showed that the damage was not catastrophic and that the water utility worked well with federal authorities under existing law.

Read [the whole thing](http://techland.time.com/2011/11/28/hackers-blow-up-illinois-water-utility-or-not/) at TIME.com.

Over at TIME.com, I write that while Congress mulls an Internet blacklist in SOPA, there are efforts underway to reengineer parts of the Net to make communications more decentralized and censorship-proof. These include distributed and decentralized DNS systems, currencies, and social networks, as well as attempts to circumvent ISPs using mesh networking.

>It’s not a certainty that these projects will all succeed. Most probably won’t. Yet these far-out efforts serve as proof-of-concept for a censorship-resistant Internet. Just as between Napster and BitTorrent there was Gnutella and Freenet, it will take time for these concepts to mature. What is certain is the trend. The more governments squeeze the Internet in an attempt to control information, the more it will turn to sand around their fingers.

Read the whole thing here.

The Stop Online Piracy Act (SOPA), a controversial bill before the House of Representatives aimed at combating “rogue websites,” isn’t just about criminal, foreign-based sites that break U.S. intellectual property laws with impunity. Few dispute that these criminal websites that profit from large-scale counterfeiting and copyright infringement are a public policy problem. SOPA’s provisions, however, extend beyond these criminal sites, and would potentially subject otherwise law-abiding Internet intermediaries to serious legal risks.

Before moving forward with rogue websites legislation, it’s crucial that lawmakers take a deep breath and appreciate the challenges at stake in legislating online intermediary liability, lest we endanger the Nozickian “utopia of utopias” that is today’s Internet. The unintended consequences of overbroad, carelessly drafted legislation in this space could be severe, particularly given the Internet’s incredible importance to the global economy, as my colleagues have explained on these pages.

To understand why SOPA could be a game-changer for online service providers, it’s important to understand the simmering disagreement surrounding the Digital Millennium Copyright Act (DMCA) of 1998, which grants certain online service providers a safe harbor from liability for their users’ copyright infringing actions. In exchange for these protections, service providers must comply with the DMCA’s notice-and-takedown system, adopt a policy to terminate users who repeatedly infringe, and meet several other conditions. Service providers are only eligible for this safe harbor if they act to expeditiously remove infringing materials upon learning of them. Also ineligible for the safe harbor are online service providers who turn a blind eye to “red flags” of obvious infringement.

The DMCA does not, however, require providers to monitor their platforms for infringing content or design their services to facilitate monitoring. Courts have held that a DMCA-compliant service provider does not lose its safe harbor protection if it fails to act upon generalized knowledge that its service is used for many infringing activities, in addition to lawful ones, so long as the service provider does not induce or encourage users’ infringing activities.

Defenders of the DMCA safe harbor argue that it’s helped enable America’s Internet-based economy to flourish, allowing an array of web businesses built around lawful user-generated content — including YouTube, Facebook, and Twitter — to thrive without fear of copyright liability or burdensome monitoring mandates.

Conversely, some commentators, including UCLA’s Doug Lichtman, argue that the DMCA inefficiently tips the scales in favor of service providers, to the detriment of content creators — and, ultimately, consumer welfare. Pointing to a series of court rulings interpreting the safe harbor’s provisions, critics argue that the DMCA gives online intermediaries little incentive to do anything beyond the bare minimum to stop copyright infringement. Critics further allege that the safe harbor has been construed so broadly that it shields service providers that are deliberately indifferent to their users’ infringing activities, however rampant they may be.

What does SOPA have to do with all of this? Buried in the bill’s 78 pages are several provisions that run a very real risk of effectively sidestepping many of the protections conferred on online service providers by the DMCA safe harbor.
