No Cybersecurity Act is Better Than a Flawed One


No Cybersecurity Act is Better Than a Flawed One

Why the government's solutions to cybersecurity threats need rethinking

Displeased with the failure of the Cybersecurity Act of 2012 in the Senate, President Obama has signaled that he intends to move forward, possibly forcing businesses to implement many of the bill’s provisions through executive order.

This is distressing news. The bill itself, tabled after a motion to bring it to a vote failed to muster the needed 60 votes, had drawn criticism both civil liberties groups including the Electronic Frontier Foundation, which feared the bill would lead to more government snooping, and business groups such as the U.S. Chamber of Commerce, which had concerns about the extra costs the bill would impose on the private sector.

Cybersecurity concerns the protection of electronic data that’s either proprietary to the organization, or data to which organization has been entrusted. This includes documents and records as well as data and software processes critical to operations. Obama, Congress and the Defense Department want to ensure that critical U.S. infrastructure assets – telecommunications, power grids, banking systems, air traffic control – which depend on a functional Internet, secure private networks and hardened data protection, cannot be disabled by an electronic attack, such as a virus or malware.

U.S. vulnerability to cyberattack should indeed be taken seriously. The objective of the Cybersecurity Act, which likely would be mirrored in any White House order, is not the problem. But solutions that the current government plan proposes are.

The security countermeasures spelled out in the Cybersecurity Act relied on top-down government mandates, a blind faith in surveillance and identification technology, and centralized management and control of both the network and information. In short, the U.S. government plan for cybersecurity involves a massive deployment of video, data and software analytic and biometric systems that would collect and collate of data on the everyday lives, transactions and movements of citizens. In the event of an attack, the U.S. government would assume control of the entire Internet infrastructure in the U.S., including a “kill switch” that would, at least in theory, separate the U.S. network from the rest of the world.

The original version of the cybersecurity bill was vague as to how the government would be permitted to use, share or search this data, which concerned most civil liberties groups. Data protection provisions were added during mark-up that address these criticisms but did not allay all concerns.

Still, supporters of the bill were never clear on how all these surveillance measures would safeguard national systems, or why a government-controlled Internet “kill switch” was needed when any enterprise can disconnect itself from the greater Internet if necessary. This is one reason the bill failed. Talk to most information technology security professionals and they will say regulations and technology will only get you so far. Surveillance is useful for forensic investigation. After an attack, if you want to find out who did it, surveillance data will help you. Biometrics are good for identifying and managing who comes in and out of a secure facility, but they are woefully flawed when it comes to matching random faces in a crowd to photos in a database.

In a recent survey of 1,861 IT professionals by Bit9, a market research firm, only 7 percent said Government regulation and law enforcement have the biggest impact on improving the state of cybersecurity, and just 15 percent identified better technology.

Too bad the White House remains sold on the hype. The real hacker world isn’t 24, Bourne or Mission: Impossible, where hackers can break through corporate firewalls and decode encrypted data in a matter of seconds. If anything, it’s more like Burn Notice, where the protagonists engage in social engineering-basically manipulation, misrepresentation and outright lying to get someone on the inside to unwittingly give them access to network or data. Physical or virtual, it’s far easier to go around the firewall than through it. Just ask the guy who took down his company’s network when he clicked on an email attachment labeled “Scarlett Johansson Naked.”

The real solution is at the granular employee level. In the Bit9 survey, 58 percent of IT professionals said implementation of best practices and better security policies have the biggest impact on cybersecurity improvement. Another 20 percent pointed to individual employee training.

This, of course, is more difficult, and doesn’t make for a neat sound bite for a president or senator. And despite the worry about cyberattack from foreign government, the predominant threats come from criminals and malicious hackers. In the Bit9 survey found, only 31 percent said a state-sponsored attack, namely from China, were among the top three likely threats. Even fewer-17 percent–named Russia or another country. By and large, respondents identified the most likely attackers as hacker groups such as Anonymous (61 percent) or cybercriminals (55 percent).

The private sector understands it vulnerability to cyberthreats. It also is way ahead of the government sector in terms of implementing security policies and procedures. This is why Obama’s cybersecurity vision, which would greatly expand the role of government in formulating these procedures going forward, brings to mind the Biblical admonition that before criticizing the speck of sawdust in your neighbor’s eye, you should take care of the plank lodged in your own.

For example, just last week, the U.S. Government Accountability Office (GAO) reported that federal data breaches involving unauthorized disclosures of personally identifiable information increased by 19 percent, or about 13,000 to 15,500, from 2010 to 2011. As if to punctuate the GAO findings, last week the Environmental Protection Agency separately disclosed that a security breach exposed the personal information, including social security numbers, banking information and home addresses of some 8,000 people, mostly agency employees. (Again, the hack was not sophisticated; an employee opened an email attachment containing malware.) Moreover, while the breach was discovered in March, the EPA waited until last week to notify the affected individuals of the breach. Such a delay in the private sector would likely result in fines and other legal liabilities.

Add this to the hundreds, if not thousands of laptops containing personal and private information that have been lost by the Transportation Security Administration, The Department of Energy, the National Institute of Health and the Bureau of Alcohol, Tobacco and Firearms and you’re forced to ask what credibility does the U.S. government have to set regulatory standards for industrial cybersecurity.

It should be vice-versa. Instead of collecting data on citizens and creating Internet kill switches, the government needs to adopt policies based on industry best practices. Good policy, at heart, protects the information infrastructure-and by extension consumers, individuals and enterprises-by raising awareness and changing behavior. Cybersecurity in the private sector improved once managers got serious about educating and enforcing rules about taking laptops home, leaving passwords on Post-It notes, allowing individuals entry without “badging in.”

In voting down the cybersecurity bill, the Senate gave the White House a chance to formulate new approach to cybersecurity based on defense of the U.S. network infrastructure and the information assets it contains. But Washington needs to see to its own house first, securing government agencies from breach and attack. It can then, with the input of our nation’s infrastructure owners, advise on the security and protection of critical assets, never forgetting that these assets, be they physical or virtual, belong to private individuals and their ownership rights must be respected.

Steven Titch is a policy analyst at Reason Foundation.