With the spate of cyber-attacks that have been Page One in the media (Sony, Anthem et al.), industry experts are wondering whether we have reached the long-awaited cyber “inflection point”, the point where the nation takes collective action about computer intrusions from abroad and from within.
In December, I spoke at the Department of Justice & Georgetown Law School Cybercrime Forum, where the question was asked: When will legislation be passed to make us less vulnerable to cyber-attacks? http://www.c-span.org/video/?323068-5/discussion-congress-cyber-crimes
On Capitol Hill, it has long been said that it would take a “Cyber 9/11”, that is, a disastrous computer attack with real, devastating physical effects, in order to realign political will to the point where significant action would be taken. Have we reached that inflection point?
Recently, Congress passed a slew of cyber-security bills: http://www.insideprivacy.com/united-states/congress/congress-passes-four-cybersecurity-bills/. Not too shabby. These bills mostly deal with establishing lanes for agencies, and encouraging the development of best practices and standards. In addition, last week the President released his second major Executive Order on Cybersecurity. This new one is aimed at “critical infrastructure”, the types of industry that would cause major damage to the country if a cyber-attack hit them. The EO can be found here: http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
The upshot of the EO is that government and private industry should be sharing more information, and the government should be bringing in more individuals from private industry on a temporary basis to help with training and development. This is a welcome change from the Administration’s last Executive Order on Cybersecurity, which was widely viewed as an ineffectual attempt at top-down management of the problem. But this new EO still misses the mark.
Private industry is on the front lines of the cyber wars. Private companies have the wealth that draws the attacks, and the talent and knowledge to help defend against them. Government agencies, with their own role to play, generally do not develop the software that they use on a daily basis. Private industry does. Waiting for the government to issue an alert can be frustrating, and depending on it to develop a response is a crapshoot. For years, cyber experts have been saying, on and off the Hill, that information sharing between private companies is what is required to coordinate an effective defense and response to cyber-attacks. http://www.ecommercetimes.com/story/81644.html
For example, if an email service company sees a cyber-attack, it would be useful to share the raw information with another email service, and pool resources to defeat the attack. However, attorneys for these companies are concerned about liability issues if companies were to send raw data to another company. What if some private information about a client is released in some way? It would expose the company to the risk of expensive litigation. How can we encourage companies in the “cyber-neighborhood” to look out for one another?
The answer is to grant liability protection for companies that share data relating to cyber-security. The law can, and should, be constructed so as to prevent companies from using such information exchanges for monopolistic purposes, or for other nefarious purposes. This simple fix would enable private industry to help react to cyber-intrusions, rather than wait for the government to issue guidelines and warnings.
In Congress, various committees touch on the cyber issue. However, two committees are of key importance: the House and Senate Judiciary Committees. The House Judiciary Committee distributed a draft of legislation last year that would provide the liability protection necessary for companies to share information. However, any legislation dealing with cyber in the Judiciary Committees must contend with privacy advocates, who wish to increase the protections against release of information. In addition, some Representatives and Senators will request trade-offs for other cyber-legislation, such as changing the Computer Fraud and Abuse Act (CFAA). These legislative currents rip apart any effort to move forward one issue at a time.
We have finally begun a serious conversation about cyber-security in the United States. However, the path to effective defense (and maybe even offense) runs through Congress and the Judiciary Committees. The question remains: Are we scared enough yet to do what’s necessary?