Stanford CIS

How to build effective cyber defenses

By Jennifer Granick on

An op-ed from CNN.

Top Obama administration officials have been pressing the U.S. Congress hard for legislation to improve network security for the computer systems that run the nation’s critical infrastructure. The House passed the Cyber Intelligence Sharing and Protection Act (CISPA), while the White House supported the 211-page Cybersecurity Act, which failed to get a vote in the Senate before legislators went on recess. Citizens now have the summer to ask some important questions before supporting any such legislative effort.

The big question, of course, is what problem are we trying to solve? Administration officials justify cybersecurity legislation by coining words like “cybergeddon” and telling tales of terrorists shutting off the nation’s electricity or causing dams to malfunction, flooding our communities.

Although I’m skeptical, these are serious issues that suggest particular solutions. The problem is that there are other online problems – like economic espionage or copyright infringement – that are getting lumped into omnibus cybersecurity legislation. These are very different issues that arise for different reasons, and justify different solutions. Improving critical infrastructure security will be both politically easier and more effective if we focus on that particular problem. It also decreases the risk that we will stifle innovation or invade privacy for insufficient reasons.

With this in mind, it’s worth asking whether legislation is really the answer. Our free market principles mean that much of America’s computer infrastructure is private and decentralized. Though these networks may be critically important, private industry tends to underinvest in security in favor of bells and whistles that customers will happily pay for. In short, there are instances of market failure.

Bringing federal agencies up to par won’t, however, require new laws. President Obama could implement much of the Cybersecurity Act via executive order. Further, government may be able to raise standards for critical infrastructure networks through regulation rather than legislation. Most critical industries, such as electricity, nuclear power, chemical plants and water safety, are already heavily regulated by the government. So why, for example, did NASDAQ get hacked in 2011? When we, or Congress, understand this, we can apply the tool that would improve the situation, whether it’s Securities and Exchange Commission regulation or new laws.

Where important businesses fail to comply with security practices that would make America more secure, mandatory standards are one possible solution. Mandatory breach notification or civil liability are other tools. Yet, the U.S. Chamber of Commerce has vigorously objected to any law that would hold private industries’ feet to the security fire.

Whether and how to mandate security standards is, of course, a nuanced business, depending on whether we are talking about a microblogging service, a telecommunications provider or a nuclear power plant. There’s real risk of over-regulation, but if Congress can identify specific critical infrastructure industries that are falling short, regulation could be one of many useful and necessary tools to improve that sector’s security practices.

By focusing on security practices for utilities, water plants, dams, financial services and the like, Congress can address the scary doomsday cyberwar problems that administration officials and the military say animate their concern, without overreaching into online services that carry Americans’ personal data and communications. Congress is less likely to get pushback from either the Chamber of Commerce or privacy-conscious citizens if it appropriately narrows the scope of proposed legislation.

Free exchange of information about computer security flaws and how to fix them is essential to network security. If I discover a problem on my network, you’ll want to know about it so you can fix your systems. My experience during an attack can help others identify that same attack on their systems. I’ve spent a good portion of my career fighting for researchers who want to publish their discoveries of flaws in popular software and routers for exactly this reason.

Our current privacy laws don’t interfere with the vast majority of such sharing. Publicly traded companies must disclose when they have been attacked, for example. A company that finds malware on its systems, even if that code contains IP addresses or other information that would identify attackers or their command and control servers, may freely disclose that information under U.S. law.

Only in narrow circumstances would U.S. law regulate disclosure of threat information. Providers of electronic communication services to the public may not voluntarily disclose to anyone, including government, the contents of user emails under the provisions of the Electronic Communications Privacy Act (ECPA). Nor may they disclose transactional data about communications or user account information to law enforcement without legal process.

Obviously, many critical infrastructure providers and employers aren’t public electronic communications services and are therefore not subject to ECPA. Before Congress votes “yes” on any legislation that says “notwithstanding any particular privacy law,” we should know exactly how and why supporters believe that protection interferes with threat sharing. I haven’t heard one good reason yet.

Regardless, privacy and civil liberties must be respected, and we must remember that the ultimate goal is to build a secure and trustworthy network. That means secure from attackers and governments, including ours. People rightly worry that officials, or an untrustworthy employee, will use our private information to chill freedom of expression, for discriminatory enforcement of laws, or for punitive administrative actions. Americans want to research their health problems, look for new jobs and purchase Fifty Shades of Grey without having to feel shy. Around the world, the lives of Egyptian, Syrian and other activists are at risk over online activism of the sort we saw during the Arab Spring.

For these reasons, when private internet data is collected to be shared with the government, the definition of that data should be narrowly focused on information that makes the network more secure, and shared only for that purpose. No mission creep. NSA or other military agencies shouldn’t have direct access to private communications networks or data. Specifically, this means that any new law must prevent government from using providers as surrogates to perform surveillance that investigators couldn’t lawfully do themselves.

With little public knowledge or oversight, private interests succeeded in including language in CISPA that would immunize them from the consequences of cyberattack techniques, even though these “hack back” approaches can cause damage to innocent parties whose systems have been hijacked by bad guys.

Our government is also developing cyberwarfare capabilities that are both defensive and offensive. For example, the U.S. has developed some of the most sophisticated malware ever seen, namely the Stuxnet virus. That virus has, inevitably, migrated from the Iranian systems we targeted to infect computers around the world, including in the United States. It’s a bitter irony that commentators crying out for federal intervention in private security practices cited Stuxnet as a reason, before the U.S. government’s role in creating and releasing it was fully known. We’ve seen the enemy, and guess what guys? It’s us.

There has not been, and may never be, a robust public or congressional debate on the wisdom of offensive cybertechnology. As a result, legislation intended to secure the network should neither encourage such strategies nor immunize private or public actors from their ramifications.