You live in a crime ridden city, yet you leave your doors and windows open, display your valuables in plain sight and then wonder why criminals walk in and steal your belongings. Your response is to share your sad story with your neighbors and complain about your loss of privacy. Sound familiar?
It should – this largely reflects the laws and policies the United States has selected for responding to the cybersecurity crisis that is threatening and sometimes even ravaging public and private internet users.
In recent months, major attacks involving hundreds of millions of U.S. users have occurred on financial institutions, retail companies, healthcare providers, movie companies, government organizations, a presidential candidate’s emails and, recently, the Democratic National Committee. A ransomware epidemic has become the latest threat to emerge on the internet. All the while, the use of the “Dark Web” for criminal and terrorist activities has continued to expand.
This is not to say that U.S. cybersecurity experts have been totally inactive. However, a majority of the executive and legislative branch policy documents and legislation that have been enacted have dealt directly with information sharing and privacy issues, while largely ignoring the broader issues associated with internet organization and governance of the internet itself. For example, in 2013 White House called for establishing a voluntary framework for cyber and critical infrastructure security and, information sharing, adoption of best practices and privacy provisions. The recent Cybersecurity Act of 2015 – elements of which had been debated by Congress for more than three years -- allows for private entities to operate defensive measures while sharing and receiving federal government cybersecurity information, liability protection for sharing this information, and privacy of non-cybersecurity threat information.
In the new cyber world order, government entities and businesses certainly represent lucrative targets. The growing Internet of Things will undoubtedly expose whole new vulnerabilities. But with recent legislation paying little attention to the cybersecurity of the individual, private citizens are left as “roadkill” on the information super highway, one "click" away from having their passwords or identities stolen.
What is needed is nothing less than a totally new way of thinking about the internet and cyberspace. Will the internet remain an information sharing platform with little real governance and few "rules of the road" other than those for managing technical protocols? Or will it become a utility -- such as the electrical grid -- with high reliability and closed systems for managing core functions? Perhaps a third path exists in which the two visions can co-exist, allowing the internet to remain open for information sharing while facilitating a closed partition of the system for those functions that require high assurance and high security. Such a landscape already exists for security and defense functions in which classified systems "tunnel through" commercial internet systems, establishing secure enclaves.
First and foremost, the future vision for the internet must be addressed. Moving forward, internet components must be designed with equal attention to openness and security. Today, when openness is measured in functionality and ease of use, the ability to connect at high speed takes precedence over the security of the transaction, the device, the network and the storage medium. Currently, entire databases with personal identifiable information are stored in single tables rather than dispersed where the information would be far less vulnerable. Emails are sent largely unencrypted with little security other than account passwords. Unsecured apps are routinely downloaded onto user devices. Internet hardware gets its security through passwords, rather than designed into the system. Multifactor authentication for secure communications is the exception rather than the rule for most transactions -- only sectors such as finance and banking routinely require such added security.
A 21st Century governance approach, which operates at or near the pace of the internet, should be the ultimate goal. Differences in the cyber domain mandate innovative ways of thinking about and managing cybersecurity. New strategies based on embedded security features, novel internet architectures, anomalous behavior detection and greater understanding of the vulnerabilities of the system will be key. These strategies must include enlightened approaches that protect individual privacies, yet do not permit this protection to become a veil behind which nefarious actors can hide.
Foundational elements and core values should be transplanted from areas where related operational protocols exist and it makes sense to do so. For example, laws governing privacy are based on 240 years of established precedent. These same precedents should also apply in cyberspace.
Likewise, deterrence and dissuasion are based on decades of reasoned thought. How can these theories be migrated into cybersecurity? The same is true for norms of acceptable behavior. Destructive attacks on critical infrastructure must be established as a violation of international law through treaties and arms control agreements. Statements of intent like those that have been signed by U.S. President Obama and Chinese President Xi Jinping are important but not sufficient.
This tall order requires a concerted effort from all branches of our government and intense collaboration with the private sector. The status quo has become unacceptable and will only become more so as our daily lives become more entwined with the cyber domain. Hard discussions will need to be had about the internet America has versus the internet it wants.
Daniel M. Gerstein is an adjunct professor at American University in the School of International Service. He was the former Under Secretary (Acting) and Deputy Under Secretary in the Science and Technology Directorate of the Department of Homeland Security from 2011-2014.
Image: US Air Force