By Jonathan Mayer and Edward W. Felten
Special to The Bee
No state has more at stake on cybersecurity than California. From Hollywood’s intellectual property to the Central Valley’s water reserves to Silicon Valley’s cloud services, the Golden State is at singular risk. But, as the world’s innovation capital, California also has a unique opportunity to advance cybersecurity.
At last week’s State of the Union address, President Barack Obama announced a new federal cybersecurity agenda. Except … it wasn’t so new. It was a portfolio of unpopular old proposals, dusted off and relabeled. The odds of clearing Congress: low. The odds of materially improving security: even lower.
That’s a shame. Events over the past year – most prominently, the breach at Sony Pictures in Culver City – have highlighted the growing importance of cybersecurity. Attacks are more frequent, better organized and increasingly sophisticated. And intruders are driven by a diverse range of motives – greed, malice, national security or even national pride. America’s consumers, businesses and government agencies are undeniably under threat.
While the federal government is stalled, however, the states have an opportunity to lead. California could blaze a trail for effective cybersecurity policy.
The Golden State is, in fact, already an innovator on technology security and privacy. In 2002, California passed the nation’s first data breach notification law. If a company leaks personal data, it has to fess up and provide warning. Forty-six other states now have similar laws on the books. In 2003, California mandated that online services make commitments about how they handle consumer data. That farsighted policy has contributed to numerous law enforcement actions, both federal and state, where a business has bungled security or privacy.
Demonstrated successes aside, there are other reasons for California to step up. One of the greatest concerns in cybersecurity policy is critical infrastructure, such as power and water. Even brief disruptions in service could have extraordinary economic and human costs. Remember the Northeast blackout of 2003? It may have claimed dozens of lives and cost the economy billions of dollars. And it was caused, in part, by a software bug. California should not tolerate a fraction of that risk from cybersecurity threats.
Utilities are already subject to extensive state legal requirements, and they already answer to a powerful state regulatory commission. Addressing security and privacy would be a sensible application of existing authority.
Critical infrastructure increasingly relies on industrial automation systems. And those systems are often vulnerable – they keep a default password, for instance, or are accessible from the public Internet. These are not subtle or sophisticated errors. Fixing them requires basic due diligence, not rocket science. Requiring the state’s critical infrastructure providers to undergo regular security audits would be straightforward and inexpensive – especially relative to the enormous risks.