HomeFeaturesDailyBriefingsRapidReconSpecial ReportsAbout Us
United States of America

From My Cold, Dead Hands

Government 'Net Grab Is Not The Path To Better Security

By Michael Tanji | August 29, 2009

It was recently reported that in the Senate there is a bill, that if signed into law, would give the government control over Internet service providers and commercial computer systems during national emergencies. While I'm sure everyone's heart is in the right place, this is one idea I hope gets sent to the bit bucket.

Normally in such power grabs there is at least some semblance of high ground upon which the claimant stands, so let's looks at the government's foundation:
  • The government has national and service-level cyber commands, a national cyber security center, a JTF-GNO, and a Comprehensive National Cybersecurity Initiative . . . but it can't get a passing grade in security.
  • To oversee governmental efforts in the cyber security arena a "czar" position has been created, but the job has been open and gone begging for months. The usual suspects for such a job have all demurred because it's a job with a lot of responsibility but no authority. Just the sort of situation one should NOT be in if a cyber security emergency were declared.
  • The government doesn't run things that don't lend themselves to the bureaucratic approach well. I won't pick on any specific agency or governmental function, but writ large, when is the last time you had a fast, efficient, effective time with any government agency? The Internet is pretty much the exact opposite of a government bureaucracy, but they would presume to assume even temporary control without adverse results.

On a more basic level however, we don't have any idea of what constitutes a threat sufficient to trigger an emergency declaration. If, as a wide range of officials have noted, Internet-connected systems are being attacked thousands of times a day (or hour, depending on who you listen to), shouldn't an emergency have been declared years ago? If, in a color-coded threat-matrix sort of fashion, 'Red/Severe' is the new 'Yellow/Elevated,' when does the state of emergency end?

The Internet isn't a right, but it is major part of our lives from a personal, commercial, and national security perspective. The government is right to want to keep us safe (and its powers during crisis make this bill look positively tame), but government-as-cyber-security-Shogun doesn't improve security or our collective response to threats. Commercial networks are attacked constantly and major security breaches hit the news every few months. These entities know how to mitigate the effects of such attacks and recover to full operational capability because not doing so means going out of business. The government doesn't have a problem causing a self-inflicted denial-of-service on itself because the bureaucracy drives on with or without the Internet. That's not the sort of mindset you want when the digital balloon goes up.

If the government is truly serious about improving cyber security (and get off the ten-year cycle of caring/not-caring), then it needs to:

  • Set standards for cyber security. NIST is already doing a fine job in that area and they could probably stand additional resources to keep up the good work.
  • Pass laws that require that online entities of national import follow the aforementioned standards. It should rigorously enforce those laws and prosecute those who intentionally endanger systems of national import, just as they would anyone who compromised national security in a physical manner (something that isn't done with anywhere near the intensity as it should).
  • Enable the ability of commercial network owners to share security information with each other and the government without fear of penalty or backlash from an economic perspective. No one shares because no one wants to deal with negative publicity or a lawsuit. There is a way to share meaningful information w/o worrying about privacy, but after a decade+ even I get tired of talking to brick walls.
  • Encourage the development and promulgation of network services at low-levels. Just as communities and even individuals can generate their own electrical power and sell the excess back to the grid, so too should smaller entities be able to provide their own network connectivity and support network traffic other than their own during a crisis. Such a move adds complexity to the system (making it harder for an adversary to understand and thus fully nullify) and increases resilience regardless of the nature of a crisis.

The way to deal with a cyber security emergency on a national level is not consolidation, but distribution. That's kind of the reason the 'Net was invented in the first place: to make sure if one node in a network was taken out, information could flow to its intended destination regardless. Centralized management provides the illusion of control, but it doesn't make things more secure; it just makes things more brittle. When such systems do break - and they will - the damage will be more severe and it will take longer to recover.

I don't think anyone, regardless of their party, wants that.

United States of America

1 Comment

Regarding "The Internet isn't a right..." and "...I'm sure everyone's heart is in the right place...":

I think that Amendments I and X in the Bill of Rights cover it:

"First Amndment: Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances."

"Tenth Amndmnt: The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people."

While the U.S. government has the constitutional power to stop speech that is substantially harmful to national security, the government has no authority to "take control of" an entire medium of communication.

Secondly, the government is a necessary evil. It is something we put up with, primarily for collective defense. It is not a surrogate parent for adults who value security over liberty. Politicians and bureaucrats are notorious for NOT having their hearts in the right place. They are control freaks. The response to this ought to be, "Hell no!"

Besides, from Katrina, we know the government isn't competent to handle emergencies anyway. Never have been, never will be. I and other Americans would do much better in an emergency if government would just get out of the way and let us take care of ourselves.

Leave a comment