Cybersecurity Policy

As debates concerning national and international cybersecurity measures rage, I would like to take the opportunity to offer a frank, non-partisan view of some of the fundamental concepts concerning cybersecurity.

There are so many pertinent aspects of cybersecurity policy that I can’t get to them all in one post. I hope to be as thorough as possible while presenting the concepts in terms that everyone can understand. Please feel free to criticize or ask questions. I will do my best to be attentive and answer. Here we go…

Cybersecurity Policy at the National and Enterprise Level

To me, most of the cybersecurity debate hinges on issues of trust. Primarily, citizens must decide whom they trust more with their information: companies or the government.

Whether you know it or not, there is already an ongoing power struggle between private industry and the government to control your personal information. The internet in the US is, in large part, advanced by private industry. Telecoms and ISPs are responsible for the creation of significant portions of the US's information infrastructure. Unfortunately, without legal limitations, business functions will seek to do with your information whatever maximizes profit. This may include a large array of customer-hostile practices such as storing personal information on insecure networked information systems, using deep packet inspection to monitor communications, and selling information to third parties.

One way in which the federal government attempts to curb these tendencies is by passing legislation that creates regulation for certain industries or types of organizations. For instance, Gramm-Leach-Bliley (GLBA) regulates financial institutions, Sarbanes-Oxley (SOX) regulates publicly traded organizations, and the Health Insurance Portability and Accountability Act (HIPAA) regulates the healthcare industry. All of these regulations have an infosec component. In general, businesses do not like regulation. They argue that it is prohibitively expensive, oftentimes nonsensical, and forces unnatural IT development on organizations that may have better, more organic means of security. This micro versus macro debate is a key component of the national discussion concerning cybersecurity.

As of this writing, CISPA (H.R. 624) is a hot-button issue. CISPA enjoys major industry support due to its relative lack of regulation in comparison to other cybersecurity bills lurking in Congress. In fact, one major reason President Obama has threatened to veto CISPA in its current form is that it lacks regulations for critical infrastructure.

Cyber Threats: Begin the Threatdown!

In cybersecurity we tend to think in two broad terms: vulnerabilities and threats. Vulnerabilities are flaws in systems that can be taken advantage of to compromise the confidentiality, integrity, or availability of a system or the information on it. Threats (more precisely, threat actors) are the people or organizations who could take advantage of vulnerabilities to attack. I won't go too far into vulnerabilities in this post, but here is my assessment of some of the major threats which exist today.

<Stephen> Begin the Threatdown! </Colbert>

1: Advanced Persistent Threats (APT): APTs are organizations that exhibit a high degree of organization, large amounts of resources, and advanced technical ability. These are normally government-sponsored organizations. China, the US, and Israel have all demonstrated the ability to launch and conceal attacks against enemy digital resources.

2: Organized Crime: Organized crime syndicates are largely responsible for the world supply of malware, viruses, phishing, and spam. Computer fraud is now a worldwide, multibillion-dollar industry. Through examining supply chains we know that many organized crime syndicates have evolved into organizations as complex as many major globalized corporations. Many syndicates operate botnets (groups of infected computers, usually controlled through central command-and-control servers) composed of millions of private computers. Some experts believe more advanced hacking rings like LulzSec belong here.

3: Cyber Terrorists: Perhaps not as well funded as other threats, cyberterrorists utilize digital resources to generate asymmetric damage. This could be effected through attacks on SCADA and other aspects of critical infrastructure. SCADA (supervisory control and data acquisition) systems are networked systems that allow remote monitoring and control of industrial devices. Many worry that, because so much critical infrastructure is networked using SCADA systems, terrorists could use digital attacks to disable critical utilities or actively harm a large number of citizens. Critics argue that it would still be cheaper and more effective just to use conventional weaponry against infrastructure. Nevertheless, successful attacks against infrastructure (most notably Stuxnet, which is widely attributed to nation-states rather than terrorist groups) have shown that such attacks are feasible and that this may be an emerging threat.

4: Industrial Espionage: Pretty straightforward. Industrial espionage is cloak-and-dagger cyber operations designed to steal trade secrets or hamper rivals.

5: Petty thieves: Individuals working on their own to steal, extort, or otherwise utilize digital assets for their own gain.

6: Script kiddies, Hackers, Hacktivists: Individuals or groups who deface websites, alter the functionality of websites or digital devices, or take sites offline with DoS attacks. Anonymous, Geohot, etc…

7: Pirates: Now almost entirely localized into a subset of Game of Thrones Fanbois (and girls). You know who you are ;)

Motivations for Cybersecurity Legislation:

The Enlightenment-era principles upon which this country was founded stipulate that benevolent governments should ensure citizens both rights to protection and rights to privacy (drawn en masse from many Enlightenment philosophers and filtered through the writings of Franklin, Adams, and Jefferson). Cybersec is one area in which these two rights bump up against each other.

A quick note concerning privacy: Concepts of privacy have been made explicit in US law only relatively recently (Privacy Act of 1974). Concepts of digital privacy are newer, and were first implemented with the Electronic Communications Privacy Act of 1986 (ECPA). There is little in the Bill of Rights which directly concerns privacy; the Fourth Amendment's protection against unreasonable searches and seizures is the closest it comes, and the word itself never appears. This leads many to believe it an 'inferior' right in comparison to those guaranteed in the Bill of Rights. One likely explanation for this is that it was not until our society switched away from rural agrarianism (country farming) that we began to miss the privacy country living afforded. Thus, I feel, though many would disagree, that privacy is a deeply ingrained human right.

I think one of the most fundamental misconceptions regarding cybersecurity legislation is a failure to connect the threat to the motivation for the legislation. When we weigh cybersec legislation, we do it on a scale with security on one side and privacy on the other.

I feel that the average citizen looks at the threat side of the scale and sees Anonymous. At best, lovable cyber-Robin Hoods publicly flaunting what many of us are thinking. At worst, digital vandals, hacking our sites and costing us money. We do not see the thousands of daily attacks on American corporations originating from China and elsewhere which may be contributing to economic stress and the loss of American jobs. Indeed, many argue that a significant portion of the new Chinese industrial revolution is fueled by stolen trade secrets. Likewise, we do not see the potential for disruption of critical infrastructure, or the alarming damage it might cause.

What many politicians fail to see is that citizens may be giving up fundamental rights to privacy for trivialities like defaced websites, or the marginal improvement of the entertainment industry’s bottom line (Take My Money HBO!).

Concerning CISPA and other Cybersecurity Legislation

We can respond to threats in a number of ways. We can build castles around information (static, perimeter-style defenses), or we can try doing it dynamically. In general, castle building alone has not worked. This leaves many experts and organizations skeptical of further regulation. Legislation like CISPA tries to improve the dynamics of cybersecurity by allowing companies to circumvent provisions of ECPA by willfully sharing suspected 'cyber threat information' with the government and with each other without a warrant. 'Cyber threat information' is defined in H.R. 624 as information shared to protect that organization's resources, or concerning vulnerabilities or threats to a network. This sort of cooperation, combined with strong cybersecurity controls, may be instrumental in securing the US's digital infrastructure. On the other hand, it may be disastrous to civil liberties.

In the past, telecommunications organizations have shared private information related to terrorism with the NSA without a warrant. Many of these organizations were shielded from liability through the Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008, which granted retroactive immunity to companies that cooperated with the NSA. Like many controversial intelligence issues, it is unclear exactly how helpful that information sharing was.

Many fear that giving private organizations the ability to monitor for threats might give them carte blanche to monitor all communications. This is particularly pressing at the dawn of a new cloud computing age, in which remote storage and software as a service drive consolidation of data and processing away from user machines and onto corporate assets. It is conceivable that this might shift citizens away from a paradigm in which we fear governmental intrusion to one in which we fear industrial erosion of civil liberties.

Moving Forward

To policy geeks like me the next few years will be very interesting. I think that people are generally starting to become aware of cybersecurity as a national issue. I love the debate I am hearing. I do not foresee a future devoid of cybersecurity legislation. I believe President Obama and the legislative bodies anticipate the passage of meaningful national cybersecurity legislation in the near future.

It is clear that the American people will face many new cyber issues in the coming years. Military cyber weapons, the emergence of new cyber powers, and the establishment of worldwide cyber law all loom just over the horizon.