The Cybersecurity Act of 2012, which was recently introduced in the Senate Homeland Security and Governance Affairs Committee, is the latest legislative attempt to enhance the nation’s cybersecurity. If enacted, the bill would grant new powers to the Department of Homeland Security (DHS) to oversee U.S. government cybersecurity, set “cybersecurity performance requirements” for firms operating what DHS deems to be “critical infrastructure,” and create “exchanges” to promote information sharing. In its current form, the bill is a useful step in the right direction but falls short of what is required. Fundamentally the bill misconstrues the scale and complexity of the evolving cyber threat by defining critical infrastructure too narrowly and relying too much on voluntary incentives and risk mitigation strategies. The Act might improve on the status quo, but it will not foster genuine and lasting cybersecurity. Still, it is preferable to the softer alternative SECURE IT Act proposed by senior Republicans.
Some background on the multifaceted cyber threat is needed to understand the contours of the proposed legislation. Cyber attacks are often broken down into four categories: cyber terrorism, cyber war, cybercrime, and cyber espionage. The most pressing problems are cybercrime and cyber espionage. Although virtually every terrorist group has a web presence, true cyber terrorism remains rare. Similarly, there has not yet been a genuine cyber war. But the Obama Administration has cited estimates that cybercriminals stole as much as $1 trillion in 2008, a figure greater than the global market in illegal drugs, though the cybercrime estimates are contested. Such figures prompted U.S. Senator Sheldon Whitehouse, a Democrat from Rhode Island, to suggest that “we are suffering what is probably the biggest transfer of wealth through theft and piracy in the history of mankind.” Another facet of cybercrime is “hacktivism,” such as that carried out by the Anonymous group and others not out for the money but to make a political point. The recent arrests of hackers linked with Anonymous and its progeny demonstrate that governments are taking cybercrime more seriously, but a recent study published by Arbor Networks found that confidence among respondents that law enforcement could stem the tide of hacktivism is at an all time low. Espionage sponsored by nations such as China and Russia is an equally daunting concern. James Lewis of the Center for Strategic and International Studies has called cyber espionage “the biggest intelligence disaster since the loss of the nuclear secrets [in the late 1940s].”
These four categories define policy and legal responses to cyber attacks and parse attacks by motive and means, but they neglect the extent to which both actors and paradigms overlap. The Cybersecurity Act does not treat each of these categories equally. An entire section is devoted to cybercrime, while “espionage” is only referenced once (in relation to training for federal employees), and “terrorism” only appears in the findings section. States, non-state actors, criminal groups, and hactivists regularly launch attacks against systems of all types and levels of sophistication, eschewing easy classification. Thus far, the U.S. government has not done enough to stem the tide, prompting Lewis to note: “We have a faith-based approach [to cybersecurity], in that we pray every night nothing bad will happen.”
Dozens of bills have been proposed over the years to shore up U.S. cybersecurity, including the Lieberman-Collins Bill, which would require DHS to develop a government-wide security strategy, as well as the Rockefeller-Snowe Bill, which relies more on incentivizing the private sector to collaborate with the government on developing standards to secure critical national infrastructure. None have been enacted so far, in part because legislation dealing with cybersecurity faces daunting prospects on Capitol Hill given that the issue involves more than forty committees. To cut through the morass, John McCain, a Republican Senator from Arizona, proposed the creation of a Select Committee on Cybersecurity and Electronic Intelligence Leaks, which would produce comprehensive legislation on the subject. But so far the idea has enjoyed little traction.
There are more similarities than differences between the Act and past cybersecurity reform efforts. Information sharing remains voluntary. Tax breaks for upgrading cybersecurity defenses are glaringly absent, even though the 2011 House Cybersecurity Recommendations encouraged Congress to consider expanding existing tax credits. Audits under the bill would be conducted by the firms themselves and be self-reported. But unlike previous bills such as Lieberman-Collins and Rockefeller-Snowe, the Act would not give the President the power to shut down sections of the private Internet in an emergency—the so-called Internet “kill switch.” Much of the media coverage of the bill to date has focused on this absence of a kill switch, ignoring other considerations such as the scope of critical infrastructure and complexity of the problem.
The focus on critical national infrastructure (CNI) in the Act is encouraging given its importance to the U.S. economy and to U.S. national security, and the fact that there is some evidence that these sectors are being targeted increasingly frequently by attackers. But what exactly constitutes critical infrastructure?
Defining CNI in the cyber context is difficult, to say the least. The original President’s Commission on Critical Infrastructure Protection identifies five such institutions; the European Commission identifies eleven. When the U.S. Department of Defense unveiled declassified portions of its strategy for cyberspace, former Deputy Secretary of Defense William J. Lynn III announced that everything from the electric grid to telecommunications and transportation systems constitute critical national infrastructure, stating that a “cyber attack against more than one [of these networks] could be devastating.” The U.K. Center for the Protection of Critical National Infrastructure defines CNI as including communications, emergency services, energy, finance, food, government and public services, health, transport, and water. The benefits of taking an expansive view toward CNI classification are obvious, but drawing the line is difficult.
The Cybersecurity Act designates an industry as “critical” by deciding whether “damage or unauthorized access to that system or asset could reasonably result in the interruption of life-sustaining services . . . ; catastrophic economic damages to the United States . . . ; or severe degradation of national security.” But it explicitly omits “commercial information technology product[s], including hardware and software.” These omissions hamper the ultimate effectiveness of the bill. There are multiple vulnerabilities even in protected systems, and attackers can enter just as easily through compromised commercial hardware as they can through a virus. Recent U.S. government reports have cited supply chain concerns about hardware and have found components embedded with security flaws.
Another concern is that the Cybersecurity Act relies too much on voluntary disclosure. Relying on firms to “self-certify” and granting them immunity from suit if they are attacked but meet DHS standards is an apt political compromise, but it does not go far enough. Provisions were watered down because IT firms balked at stronger language, and some worry that well-meaning regulations may force companies to focus more on compliance than security. Even if some sectors complain about burdensome compliance standards, however, such regulations do play a vital role in firms’ security investment decisions. For the time being, Congress is shying away from more centralized information sharing in favor of incentive-based approaches. Even President Obama has said that his administration would “not dictate security standards to private companies.” But there is an argument to be made that cybersecurity failings represent a market failure given the presence of free-riding firms that maximize individual profit but not necessarily the public good, and that Congress should not hesitate to fill this governance gap. Already, though, there are some signs of backpedaling in what initially looked to be likely bipartisan support, and as of this writing hearings continue on the proposed legislation. Senator McCain and a group of seven other Republican senators have released the SECURE IT Act, a competing cybersecurity bill that would give DHS less regulatory power over private businesses managing critical infrastructure but would grant the National Security Agency more authority to manage cyber attacks in real time. Proponents argue that SECURE IT is preferable because it creates less new regulation, relying instead on voluntary information sharing and focusing on federal contractors, but this amounts to even less of a game changer than the Cybersecurity Act. The debate continues, especially given concerns of overregulation, privacy, and civil liberties protections, though some of these concerns are tempered by procedures that the DHS is charged with developing under the Cybersecurity Act.
If we want to change the status quo, accountability and responsibility must be increased throughout the system. Government regulations are a necessary part of that process. But given political realities and the magnitude of the problem, reform must also include relying on the competitive market whenever possible to proactively foster best practices, providing market-based incentives and cyber risk mitigation techniques to firms operating CNI, negotiating new international norms, and educating users to avoid becoming victims of social-engineering attacks like phishing. Cybersecurity cannot truly be enhanced without addressing the myriad governance gaps, which include incomplete regulation of CNI; technical vulnerabilities in the physical, logical, and content layers of the Internet; and legal ambiguities ranging from liability for data breaches to the applicability of international law to cyber attacks. One Act cannot accomplish all that—not even close. But being honest about the magnitude of the problems we face would help to begin a national conversation about what needs to happen next.
In 3001: The Final Odyssey, Arthur C. Clarke envisions a future in which humanity had the foresight to rid the world of its worst weapons of mass destruction by placing them in a vault on the moon. A special place in this vault was reserved for the malignant computer viruses that, in Clarke’s speculative fiction, had caused untold damage to humanity over the centuries. Before new cyber attacks do untold damage to our information society, it is in our interest to educate and regulate our way to a steady state of cybersecurity. Part of this process involves broadening the definition of CNI in the Cybersecurity Act and deepening public-private partnerships through more robust information sharing. Science fiction teaches us that our future world can be either a wonderful or a dystopian place. Whether or not the future includes the security and prosperity of cyber peace is up to us—including, for better or worse, the U.S. Congress.