How to build effective cyber defenses
August 13th, 2012
05:30 PM ET

By Jennifer Granick, Special to CNN

Editor’s note: Jennifer Stisa Granick is director of civil liberties at the Stanford Law School Center for Internet and Society. Previously, she was counsel with the internet boutique firm Zwillgen, and civil liberties director at the Electronic Frontier Foundation. The views expressed are her own.

Top Obama administration officials have been pressing the U.S. Congress hard for legislation to improve network security for the computer systems that run the nation’s critical infrastructure. The House passed the Cyber Intelligence Sharing and Protection Act (CISPA), while the White House supported the 211-page Cybersecurity Act, which failed to get a vote in the Senate before legislators went on recess. Citizens now have the summer to ask some important questions before supporting any such legislative effort.

The big question, of course, is what problem are we trying to solve? Administration officials justify cybersecurity legislation by coining words like “cybergeddon” and telling tales of terrorists shutting off the nation’s electricity or causing dams to malfunction, flooding our communities.

Although I’m skeptical, these are serious issues that suggest particular solutions. The problem is that there are other online problems – like economic espionage or copyright infringement – that are getting lumped into omnibus cybersecurity legislation. These are very different issues that arise for different reasons, and justify different solutions. Improving critical infrastructure security will be both politically easier and more effective if we focus on that particular problem. It also decreases the risk that we will stifle innovation or invade privacy for insufficient reasons.

With this in mind, it’s worth asking whether legislation is really the answer. Our free market principles mean that much of America’s computer infrastructure is private and decentralized. Though these networks may be critically important, private industry tends to underinvest in security in favor of bells and whistles that customers will happily pay for. In short, there are instances of market failure.

Bringing federal agencies up to par won’t, however, require new laws. President Obama could implement much of the Cybersecurity Act via executive order. Further, government may be able to raise standards for critical infrastructure networks through regulation rather than legislation. Most critical industries – electricity, nuclear power, chemical plants and water – are already heavily regulated by the government. So why, for example, did NASDAQ get hacked in 2011? When we, or Congress, understand this, we can apply the tool that would improve the situation, whether it’s Securities and Exchange Commission regulation or new laws.

Where important businesses fail to comply with security practices that would make America more secure, mandatory standards are one possible solution. Mandatory breach notification or civil liability are other tools. Yet, the U.S. Chamber of Commerce has vigorously objected to any law that would hold private industries’ feet to the security fire.

Whether and how to mandate security standards is, of course, a nuanced business, depending on whether we are talking about a microblogging service, a telecommunications provider or a nuclear power plant. There’s real risk of over-regulation, but if Congress can identify specific critical infrastructure industries that are falling short, regulation could be one of many useful and necessary tools to improve that sector’s security practices.

By focusing on security practices for utilities, water plants, dams, financial services and the like, Congress can address the scary doomsday cyberwar problems that administration officials and the military say animate their concern, without overreaching into online services that carry Americans’ personal data and communications. Congress is less likely to get pushback from either the Chamber of Commerce or privacy-concerned citizens if it appropriately narrows the scope of proposed legislation.

Free exchange of information about computer security flaws and how to fix them is essential to network security. If I discover a problem on my network, you’ll want to know about it so you can fix your systems. My experience during an attack can help others identify that same attack on their systems. I’ve spent a good portion of my career fighting for researchers who want to publish their discoveries of flaws in popular software and routers for exactly this reason.

Our current privacy laws don’t interfere with the vast majority of such sharing. Publicly traded companies must disclose when they have been attacked, for example. A company that finds malware on its systems, even if that code contains IP addresses or other information that would identify attackers or their command and control servers, may freely disclose that information under U.S. law.

Only in narrow circumstances would U.S. law regulate disclosure of threat information. Providers of electronic communication services to the public may not voluntarily disclose to anyone, including government, the contents of user emails under the provisions of the Electronic Communications Privacy Act (ECPA). Nor may they disclose transactional data about communications or user account information to law enforcement without legal process.

Obviously, many critical infrastructure providers and employers aren’t public electronic communications services and are therefore not subject to ECPA. Before Congress votes “yes” on any legislation that says “notwithstanding any particular privacy law,” we should know exactly how and why supporters believe that protection interferes with threat sharing. I haven’t heard one good reason yet.

Regardless, privacy and civil liberties must be respected, and we must remember that the ultimate goal is to build a secure and trustworthy network. That means secure from attackers and governments, including ours. People rightly worry that officials, or an untrustworthy employee, will use our private information to chill freedom of expression, for discriminatory enforcement of laws, or for punitive administrative actions. Americans want to research their health problems, look for new jobs and purchase Fifty Shades of Grey without having to feel shy. Around the world, the lives of Egyptians, Syrians and other activists are at risk over online activism of the sort we saw during the Arab Spring.

For these reasons, when private internet data is collected to be shared with the government, the definition of that data should be narrowly focused on information that makes the network more secure, and shared only for that purpose. No mission creep. The NSA and other military agencies shouldn’t have direct access to private communications networks or data. Specifically, this means that any new law must prevent government from using providers as surrogates to perform surveillance that investigators couldn’t lawfully do themselves.

With little public knowledge or oversight, private interests succeeded in including language in CISPA that would immunize them from the consequences of using cyberattack techniques, even though these “hack back” approaches can damage innocent parties whose systems have been hijacked by bad guys.

Our government is also developing cyberwarfare capabilities that are both defensive and offensive. For example, the U.S. has developed some of the most sophisticated malware ever seen, namely the Stuxnet virus. That virus has, inevitably, migrated from the Iranian systems we targeted to infect computers around the world, including in the United States. It’s a bitter irony that commentators crying out for federal intervention in private security practices cited Stuxnet as a reason, before the U.S. government’s role in creating and releasing it was fully known. We’ve seen the enemy, and guess what guys? It’s us.

There has not, and may never be, a robust public or congressional debate on the wisdom of offensive cybertechnology. As a result, legislation intended to secure the network should neither encourage nor immunize private or public actors from the ramifications of such strategies.

Topics: Technology

soundoff (9 Responses)
  1. Joseph McCarthy

    This is exactly what the Russians, Chinese and Iranians need to learn how to do since the goons in Washington D.C. have decided to militarize cyberspace among other things. As long as we keep electing the wrong people into office, this nonsense will continue and this nation will stay broke!

    August 13, 2012 at 7:18 pm | Reply
  2. Carlota Dualde Barbat

    Sent from my iPhone

    On Aug 13, 2012, at 2:30 p.m., Global Public Square wrote:

    August 13, 2012 at 9:28 pm | Reply
  3. deniz boro

    NO COMMENT

    August 14, 2012 at 2:20 pm | Reply
  4. JesterJames

    Hype the threat, get all the businesses and people to sign up for the cyber security from big brother. Why sneak around to illegally spy on your citizens(as if you're doing something immoral and wrong) when you can walk in the front door and do it all legal like, and get the good rap of protecting them?

    August 15, 2012 at 6:27 am | Reply
  5. Joseph McCarthy/Quigley/LyndsieGraham/krm1007 ©™/Joe Collins/J. Foster Dulles/Marine5484

    I am a useless piece of camel dung. I post anti American, anti GB, anti semite, anti India, anti modern anything because I am a good moooooslem. I steal people's monikers because I am so ashamed of myself and post the most stupid comment. When people get angry with me, I claim insanity. I am the same guy.

    August 18, 2012 at 8:38 am | Reply
  6. beregn boligsikring viborg

    I've been surfing online for more than 3 hours today, yet I never found any article as interesting as yours. It is worth enough for me. In my opinion, if all website owners and bloggers made good content as you did, the internet would be a lot more useful than ever before.

    December 17, 2012 at 1:47 am | Reply
  7. Layne Tumbleston

    Microblogging: it may sound small because of the word "micro," but I tell you, it's one of the giants on the internet when it comes to traffic, promotion and sales for your blog. You must know which microblogs can give you the best benefit. Without even visiting the web page, a good Keyword Analyzer will have a module that will tell you whether or not links on the page use "NoFollow" tags. This keeps you from wasting your time on building links from sources where you receive no search engine benefits. It's otherwise known as Follow or NoFollow.

    Remember to go and visit our own internet site <http://caramoan.ph/index.php/

    July 10, 2013 at 12:46 am | Reply
