In this week’s State of the Union address, President Obama acknowledged a reality that has become obvious to many in the technology world: we are now at the brink of World War III, with our technological infrastructures as the main target and an enemy which is hard to see.
The acknowledgement of cyberwarfare comes at a time when incidents appear to come at an increasing pace. Just in the last few weeks, we’ve seen Twitter, the New York Times, the US Department of Defense, and the Federal Reserve targeted by hackers. We’ve seen the Department of Homeland Security issue security warnings about Java and CERT provide similar warnings about UPnP. And every day, news of another attack or another vulnerability comes up.
In its initial iteration, the internet was built around concepts of mutual trust and openness but as it gained popularity, bad actors, whether they are Nation-States like China and Russia, activists groups like LOLSEC and Anonymous, or plain old organized crime, have increasingly chipped away at that that openness, forcing us to erect increasingly high walls to keep them out.
And on Tuesday, Obama laid down the law: In an Executive Order entitled Improving Critical Infrastructure Cybersecurity, the president laid out the basic foundation for the US response to such attacks; And during his State of the Union address, he urged Congress to
“[pass] legislation to give our government a greater capacity to secure our networks and deter attacks.”
So what does that framework look like? And what does legislation mean?
The framework in itself is a public-private partnership to trade information and best practices, ensuring that critical electronic infrastructures ranging from internet companies to the electrical grid are protected from unauthorized access, exploitation or harm. Who are the targets? At this time, it looks like this falls in the “To Be Determined” column as the order gives the Secretary of Defense 150 days to “identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.”
The framework also attempts to balance threats to our electronic infrastructure against the potential threat an over-reach could create to citizens’ privacy and civil rights. This appears to have please organizations like the ACLU, which endorsed the executive order.
A difficult balance
But while the executive order seems to strike the delicate balance between increasing security on our online infrastructures while avoiding civil rights pitfalls, legislation currently making its way back towards the US Congress may actually do more harm than help.
The Cyber Intelligence Sharing and Protection Act (CISPA), now making its way back into the House of Representatives is a bill that was first introduced and passed by the House in 2011 but failed to gain traction in Senate, due to heavy criticism from civil liberties groups like the ACLU and the EFF. Those groups argue CISPA contains too few limits on how and when the government may monitor a private individual’s Internet browsing information, increasing fears that such new powers could be used to spy on the general public rather than to pursue malicious hackers.
Because of the lack of privacy controls, many groups and prominent individuals have opposed the bill. For example Tim Berners-Lee, the inventor of the web, said that it:
“is threatening the rights of people in America, and effectively rights everywhere, because what happens in America tends to affect people all over the world. Even though the SOPA and PIPA acts were stopped by huge public outcry, it’s staggering how quickly the US government has come back with a new, different, threat to the rights of its citizens.”
… and while it is being reintroduced in the House without any change, the bill is bound to find the same opposition it encountered the first time, including a threat by Obama that he would veto the legislation.
In the Senate, the Cybersecurity and American Cyber Competitiveness Act of 2013 was recently introduced to provide more information sharing capabilities and tries to balance privacy rights with protection ones. A version of the bill was introduced and defeated in 2012 as privacy advocates worried it was not going far enough to protect personal communications and businesses were worried about increased regulations.
The latest proposal has drawn support from Janet Napolitano, the secretary of the Department of Homeland Security, who recently told legislators that we should not wait for a “9/11 in the cyber world.” These words echo former National Coordinator for Security, Infrastructure Protection Richard Clarke‘s recent concern (Clarke was one of the few people to sound the alarm on 9/11 prior to the events).
With the president’s support, it now seems clear that the level of support needed to prevent a 9/11 in the cyber world is crystalizing in a solid effort that will leave the country’s electronic infrastructure safer while ensuring that the ideals of free speech and civil rights embedded in the US constitution continue to be protected in that sphere.