In the last two years, approximately 50 cybersecurity-related bills have been introduced in Congress. In May the White House released its own cybersecurity legislative proposal. The Federal Communications Commission and the Commerce Department have each proposed cybersecurity regulations of their own. Last year, Senate Armed Services Committee Chairman Carl Levin (D-Mich.) even declared that cyberattacks might approach “weapons of mass destruction in their effects.” A rough Beltway consensus has emerged that the United States is facing a grave and immediate threat that can only be addressed by more public spending and tighter controls on private network security practices.
But there is little clear, publicly verified evidence that cyberattacks are a serious threat. What we are witnessing may be a different sort of danger: the rise of a cybersecurity-industrial complex, much like the military-industrial complex of the Cold War, that not only produces expensive weapons to combat the alleged menace but whips up demand for its services by wildly exaggerating our vulnerability.
The Regulatory Urge
The proposals on the table run the gamut from simple requests for more research funding to serious interventions in the business practices of online infrastructure providers. The advocates of these plans rarely consider their costs or consequences.
At one end of the spectrum, there have been calls to scrap the Internet as we know it. In a 2010 Washington Post op-ed, Mike McConnell, former National Security Agency chief and current Booz Allen Hamilton vice president, suggested that “we need to reengineer the Internet to make attribution, geolocation, intelligence analysis and impact assessment—who did it, from where, why and what was the result—more manageable.” Former presidential cybersecurity adviser Richard Clarke has recommended the same. “Instead of spending money on security solutions,” he said at a London security conference last year, “maybe we need to seriously think of redesigning network architecture, giving money for research into the next protocols, maybe even think about another, more secure Internet.”
A re-engineered, more secure Internet is likely to be a very different Internet than the open, innovative network we know today. A government that controls information flows is a government that will attack anonymity and constrict free speech. After all, the ability to attribute malicious behavior to individuals would require users to identify themselves (or be identifiable to authorities) when logging on. And a capability to track and attribute malicious activities could just as easily be employed to track and control any other type of activity.
Many current and former officials, from Clarke to FBI Director Robert Mueller, have proposed requiring private networks to engage in deep packet inspection of Internet traffic, the online equivalent of screening passengers’ luggage, to filter out malicious data and flag suspicious activity. The federal government already engages in deep packet inspection on its own networks through the Department of Homeland Security’s “Einstein” program. Mandating the same type of monitoring by the Internet’s private backbone operators—essentially giving them not just a license but a directive to eavesdrop—would jeopardize user privacy.
There have also been proposals at the FCC and in Congress for the certification or licensing of network security professionals, as well as calls for mandating security standards. While certification may seem harmless, occupational licensing mandates should never be taken lightly; they routinely restrict entry, reduce competition, and hamper innovation. Politicians have also called for substantial new government subsidies, including the creation of regional cybersecurity centers across the country to help medium-sized businesses protect their networks.
Many of the bills would mandate a new cybersecurity bureaucracy within either the Department of Homeland Security or the Defense Department. Many would also create new reporting requirements. For example, the administration’s proposed legislation requires that private firms deemed by the head of Homeland Security to be “critical infrastructure” must develop cybersecurity plans and have those plans audited by federally accredited third parties.
With proposals as intrusive and expensive as these, you might think the case for federal intervention is overwhelming. But it isn’t. Again and again, the regulators’ argument boils down to “trust us.”
The CSIS Commission
One of the most widely cited arguments for more federal involvement in online security was made by the Commission on Cybersecurity for the 44th Presidency, which unveiled its report in December 2008. The commission, assembled by the Center for Strategic and International Studies (CSIS), a foreign policy think tank, in February 2008, served as a sort of cybersecurity transition team for whoever the new president turned out to be. It was chaired by two members of Congress and composed of security consultants, academics, former government officials, and representatives of the information technology industry. Their report concluded that “cybersecurity is now a major national security problem for the United States” and urged the feds to “regulate cyberspace” by enforcing security standards for private networks.
Yet the commission offers little evidence to support those conclusions. There is a brief discussion of cyberespionage attacks on government computer systems, but the report does not explain how these particular breaches demonstrate a national security crisis, let alone one that “we are losing.”
The report notes, for example, that Defense Department computers are “probed hundreds of thousands of times each day.” Yet it fails to mention that probing and scanning networks are the digital equivalent of trying doorknobs to see if they are unlocked—a maneuver available to even the most unsophisticated would-be hackers. The number of times a computer network is probed is not evidence of a breach, an attack, or even a problem.