Government 'Net Grab Is Not The Path To Better Security
By Michael Tanji | August 29, 2009
It was recently reported that in the Senate there is a bill, that if signed into law, would give the government control over Internet service providers and commercial computer systems during national emergencies. While I'm sure everyone's heart is in the right place, this is one idea I hope gets sent to the bit bucket.Normally in such power grabs there is at least some semblance of high ground upon which the claimant stands, so let's looks at the government's foundation:
- The government has national and service-level cyber commands, a national cyber security center, a JTF-GNO, and a Comprehensive National Cybersecurity Initiative . . . but it can't get a passing grade in security.
- To oversee governmental efforts in the cyber security arena a "czar" position has been created, but the job has been open and gone begging for months. The usual suspects for such a job have all demurred because it's a job with a lot of responsibility but no authority. Just the sort of situation one should NOT be in if a cyber security emergency were declared.
- The government doesn't run things that don't lend themselves to the bureaucratic approach well. I won't pick on any specific agency or governmental function, but writ large, when is the last time you had a fast, efficient, effective time with any government agency? The Internet is pretty much the exact opposite of a government bureaucracy, but they would presume to assume even temporary control without adverse results.
On a more basic level however, we don't have any idea of what constitutes a threat sufficient to trigger an emergency declaration. If, as a wide range of officials have noted, Internet-connected systems are being attacked thousands of times a day (or hour, depending on who you listen to), shouldn't an emergency have been declared years ago? If, in a color-coded threat-matrix sort of fashion, 'Red/Severe' is the new 'Yellow/Elevated,' when does the state of emergency end?
The Internet isn't a right, but it is major part of our lives from a personal, commercial, and national security perspective. The government is right to want to keep us safe (and its powers during crisis make this bill look positively tame), but government-as-cyber-security-Shogun doesn't improve security or our collective response to threats. Commercial networks are attacked constantly and major security breaches hit the news every few months. These entities know how to mitigate the effects of such attacks and recover to full operational capability because not doing so means going out of business. The government doesn't have a problem causing a self-inflicted denial-of-service on itself because the bureaucracy drives on with or without the Internet. That's not the sort of mindset you want when the digital balloon goes up.
If the government is truly serious about improving cyber security (and get off the ten-year cycle of caring/not-caring), then it needs to:
- Set standards for cyber security. NIST is already doing a fine job in that area and they could probably stand additional resources to keep up the good work.
- Pass laws that require that online entities of national import follow the aforementioned standards. It should rigorously enforce those laws and prosecute those who intentionally endanger systems of national import, just as they would anyone who compromised national security in a physical manner (something that isn't done with anywhere near the intensity as it should).
- Enable the ability of commercial network owners to share security information with each other and the government without fear of penalty or backlash from an economic perspective. No one shares because no one wants to deal with negative publicity or a lawsuit. There is a way to share meaningful information w/o worrying about privacy, but after a decade+ even I get tired of talking to brick walls.
- Encourage the development and promulgation of network services at low-levels. Just as communities and even individuals can generate their own electrical power and sell the excess back to the grid, so too should smaller entities be able to provide their own network connectivity and support network traffic other than their own during a crisis. Such a move adds complexity to the system (making it harder for an adversary to understand and thus fully nullify) and increases resilience regardless of the nature of a crisis.
The way to deal with a cyber security emergency on a national level is not consolidation, but distribution. That's kind of the reason the 'Net was invented in the first place: to make sure if one node in a network was taken out, information could flow to its intended destination regardless. Centralized management provides the illusion of control, but it doesn't make things more secure; it just makes things more brittle. When such systems do break - and they will - the damage will be more severe and it will take longer to recover.
I don't think anyone, regardless of their party, wants that.