U.S. Must Adopt Strong Cybersecurity Measures to Protect Homeland, Say Experts
Defense of the U.S. homeland against cyber attacks calls for a strong military role instead of a public-private partnership, speakers said at a Heritage Foundation forum. Others expressed misgivings. The debate Thursday occurred as Senate negotiators worked on an omnibus bill that will determine whether the federal government or industry leads cybersecurity efforts.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The discussion was one of several events that Heritage sponsored last week on the future of homeland security. Cybersecurity is a classic market failure in that the costs are passed on to those using the Internet, not those making it, said Geoff Cohen, a computer scientist with Elysium Digital, a technology-litigation consulting firm. ISPs fear cyberattacks and are begging for people to defend them, he said. But the complex nature of the Internet makes defense difficult, more similar to urban warfare than to traditional war, he said. The Internet involves civilians, not soldiers, and identifying combatants is difficult, said Cohen. The infrastructure of the Internet -- its routers and cables -- are physical objects that are within nation states, making control complicated or even impossible, he said.
ACLU Policy Analyst Jay Stanley warned against giving the federal government too much control over cybersecurity. “The idea of the government and military spreading its tendrils into the private network are one of the main concerns we have. There seems to be a push to do that,” he said, citing the Wednesday release of a DoD paper detailing a cyberattack by a foreign power. There is a tremendous amount of hype about cybersecurity, and the threats of espionage and attacks on critical infrastructure conflate threats, Stanley said. The success -- and vulnerability -- of the Internet stem from its open architecture. The real question is how to defend it without “killing the goose,” he said.
Americans should be very concerned about a strong federal role in civilian cybersecurity, Stanley said. For example, some would argue that the National Security Agency has the technical expertise in identifying cyber threats and defending against them. But it also has a history of domestic spying and violating privacy, he said. Drastic actions such as the federal government shutting down the Internet would interfere with free speech and must be justified through checks and balances, he said.
The U.S. is rushing toward cybersecurity policy without thinking it through, said Paul Rosenzweig, a Heritage visiting fellow who moderated the discussion. Americans’ reaction to market failure is federal control, but that will suffocate the free speech of the Internet, he said. “It’s a wicked problem with no neat solutions,” said Rosenzweig. Without a national strategy, the solution will arise from whoever offers it first, fast and best, he said. Right now those are the NSA and U.S. Army’s Cyber Command, perceived as having the most expertise in cybersecurity, he said. Rosenzweig suggested a public-private entity for the Internet such as a “Cyberspace Assurance Corporation” similar to Fannie Mae.
The U.S. must change its preconceived notions on war to defend cyberspace, said Alejandra Bolanos, an assistant professor at the National Defense University. Traditional combat involves a foe that’s identifiable, but cyberthreats are hard to attribute, she said. Armed conflict has a state-centric approach that isn’t practical when nations and terrorist groups can use proxies to launch cyberattacks, she added.
New legal terms must arise to fight cyber enemies that aren’t traditional nation-states, said Steven Bucci, former deputy assistant secretary for homeland defense at the Department of Defense. The most likely opponent isn’t a nation-state but a terrorist group launching a cyberattack with the help of organized crime, he said. A terrorist attack on a smaller scale -- perhaps a chemical factory instead of the nation’s electrical grid -- is very likely, he said.
A national discussion on offensive cybersecurity needs to be held, said Herb Lin, a chief scientist with the National Research Council’s Computer Science and Telecommunications Board. There are many questions that need to be answered, he said. For example, what constitutes an armed cyber attack? Nonviolent events such as stealing from a national treasury or disrupting an election? What kinds of weapons should the U.S. use, cyber or military? How should it determine who is an innocent bystander given the billions of users of the Internet? And when do you take action against wrongdoers? Only after they strike first? “We need a national discussion,” he concluded.