March 7, 2011

Cybersecurity needs complete plan

The Internet has nurtured a remarkable amount of innovation, commerce, freedom of expression and economic connectivity. But these great benefits are accompanied by an ever-growing number of serious cybersecurity threats.

Cybercrime has put our country on the losing end of what could be the largest illicit transfer of wealth in world history. Whatever its form — copying source code, industrial espionage of military product designs, identity theft, online piracy or outright theft from banks — cybercrime cripples American innovation, kills jobs, undermines our economic security and violates individual privacy. The most dangerous threat is the potential for a hostile nation to use cyberattacks to weaken our military capabilities or to sabotage our critical infrastructure — from our electric grid to our banking system.

These cybersecurity threats are not going away. Cyberattacks are relatively easy and low risk for cybercriminals and hostile foreign agents. All you need is a room full of hackers. And the potential rewards are enormous: As early as 2007, cyberintrusions at U.S. agencies and departments resulted in the loss of data equal to the entire Library of Congress.

I am glad that Majority Leader Harry Reid (D-Nev.) and the chairmen of the relevant Senate committees have recognized the need for legislation to address this growing threat. Working together in a bipartisan manner, we can find a solution that makes America safer from cyberthieves and cyberterrorists.

One important focus should be the proper structure and distribution of government authorities. Resolving this crucial issue will enhance our effectiveness in combating cybersecurity threats. But it is merely one of many technical, legal, and political issues our nation faces in the cybersecurity realm. Six areas need particular attention.

First, the public has little awareness about cyberthreats. Threat information affecting the .gov and .mil domains is largely classified, while entities in the .com, .net and .org domains often consider the information proprietary. Companies worry that shareholders, customers and regulators would look dimly on news that they have suffered a major cyberintrusion.

If the public knew the stakes — that cybercriminals have pulled off bank heists that make Willie Sutton look like a petty thief — they would demand swift action.

We cannot prevail against our cybersecurity threats without public support. Congress should ensure that legislation includes mechanisms to bring the public out of the dark.

Second, we need to improve the means for industry sectors to deploy common defense strategies — like the westward pioneers circling their wagons. We should also enable industries to work more effectively with the government when appropriate. These conversations need to be made “safe” for industries.

The courts also have a role to play in this corporate self-defense. Creative technical experts and lawyers at Microsoft, for example, were able to mount an impressive counterattack against the Waledac botnet, which had created a network of zombie computers to send spam. They obtained a federal court order requiring VeriSign, the domain name registrar, to cut off domains associated with the botnet — effectively disabling it. Private corporations can achieve remarkable cybersecurity goals through the courts.

Third, we need to provide end-users, ISPs and software and hardware suppliers with basic rules of the road. The vast majority of cyberattacks can be defeated with off-the-shelf technology. There would also be a national security advantage if the federal government focuses its cybersecurity efforts on the remaining more complex threats.

Fourth, we must provide the federal government adequate authority and capability to protect critical private infrastructure — including our financial, communications, transportation and energy sectors.

Cyberattacks happen at the speed of light, so the best defense requires speed-of-light awareness and response. We need to evaluate when and where it would be appropriate to pre-position some defensive capabilities.

For example, we should consider creating secure domains in which cybersecurity defenses could be both lawful and effective. This would obviously have to be done in a transparent manner, subject to very strict oversight.

Fifth, we must put more cybercriminals behind bars. For all the laudable efforts of the Justice Department, the FBI and other agencies, law enforcement needs more tools. A lot more.

Finally, we must more clearly define the rules of engagement for covert action against cyberthreats. The president must have access to as many lawful and appropriate tools as possible — subject to clear executive policies and procedures, as well as vigilant congressional oversight.

Our American way of life depends on networked information technologies. The expansion of this powerful new cybertechnology has meant great things for our world — but it also makes us uniquely vulnerable. We must prepare our nation for this new threat.

By: Sheldon Whitehouse