Boost national cybersecurity without stifling freedom
The US government should apply stricter control over its own network, but it should leave public networks alone.
Virginia Beach, Va. — For years, the US government has been fretting over national network vulnerabilities with banking and financial assets, government and military data, and the energy and utilities grid. Just last year, the Defense Department detected 360 million attempts to penetrate its networks, up from 6 million in 2006.
One such attack involved overseas hackers that breached both the nation's electricity grid and the Pentagon's biggest weapons program, the $300 billion Joint Strike Fighter, according to the Wall Street Journal.
"We are literally under attack every day as our networks are constantly probed and our adversaries seek to exploit vulnerabilities," Lt. Gen. William Shelton, the Air Force's chief information officer, told a House Armed Services Committee panel this week.
To be sure, America is so e-vulnerable in so many e-ways that security officials now say Washington has no other choice but to extend its national security efforts across the Internet. This makes sense at first glance. However, the "Cybersecurity Act of 2009" (introduced recently in the Senate and apparently lacking independent expert testimony) would advance a plethora of shady mandates that could impinge on America's freedom and actually put it at greater risk.
The bill requires federal agencies to take some needed steps to secure their computer networks. But it also essentially decrees the government grand overseer of Internet and network security, granting agencies such as the National Security Agency and Department of Commerce rights to regulate and impose their own universal security standards across public and private networks. It would even grant the president the most epic privilege: the ability to control and shut down any network the government wanted in the name of a "cyber emergency" – though that term isn't defined.
The government tried its hand at managing the national network infrastructure ( the system of digital networks that electronically link the electrical grid, defense systems and the White House) with The Federal Information Security Act of 2002 (FISMA). It enforced security rules for government information systems. But it seemed bent on compliance and report cards rather than on actual measurable performance.
Security experts later lambasted the act as a lethargic piece of legislation that stymied action and built nothing but paper fortresses. Even former White House security adviser Howard A. Schmidt admitted recently that despite laudable goals, FISMA "has not managed to solve security problems."
The Cybersecurity Act would be no better. It proposes uniform protocol that those companies it classifies as "critical infrastructure" must use. (Think websites in the sectors of public health, government, telecommunications, and finance). While politicians suggest that a federally mandated security scheme would benefit the national network infrastructure, lawmakers don't seem to foresee the inefficiency here, let alone the potential for great risk.
If companies were required by law to use identical security configuration across all systems as the bill proposes, it would make it easier for hackers to attack on a broad scale because then all networks would share the same weaknesses. Also, software companies could lose incentive to innovate beyond the federally mandated level, and overall network security would suffer.
The bill causes complications for IT professionals by requiring mandatory separate federal licensing if they work within "critical infrastructure." The problem with this is that the information technology world is already replete with ways to certify technological competence among individuals. These certification tests are authored either by the software/hardware vendors or by independent security groups, which do a good job.
The bill also calls for a study of "an identity management and authentication program, with the appropriate civil liberties and privacy protections, for government and critical infrastructure information systems and networks." It holds an eerie verisimilitude to the controversial REAL ID Act of 2005.
The solution? While the government may be wise to reinforce stricter control over its own network infrastructure, it does not need to interfere in the network security of the public or private sector.
Lawmakers are hawking power-grabbing legislation on a topic that actually needs the weigh-in of independent security experts. Instead, we are flanked with justifications from the director of national intelligence, Homeland Security, former Bush administration officials, and government think tanks.
Independent experts would explain that the biggest problems in computer security are not sinister IT professionals and the way they configure firewalls, but are in the software we choose to run. Software isn't perfect, but it surely evolves. It's beautiful in function but once we find that bit of flawed code, we fix it and patch it; we thus grow smarter, and our software more stable and secure. In fact, it is through this process that the ideas and innovation which make the US are formed. We cannot afford to stifle that.
There is no bulletproof solution to computer and network security. Right now we must design our systems and networks accordingly. We must ponder the obstacles we face, and fitly fortify ourselves. The most practical way is not through sweeping government mandates, but by focusing on current software and hardware vulnerabilities, system design, and best industry practices at a local and regional level.
Certainly national security is something we should all be concerned about, but it doesn't mean forgoing common sense or freedom. The Cybersecurity Act of 2009 grants immense power without any judicial checks over a digital problem lawmakers can't fully understand without an independent coterie of real and competent security experts.
Before this Act goes any further, we all need to honestly ask whether the government should meddle in regulating the last frontier for free information.
Bryann Alexandros is a freelance writer and has previously worked as a systems administrator in the IT industry.