In Search of Cyber Peace: A Response to the Cybersecurity Act of 2012

The Cybersecurity Act of 2012, recently introduced in the Senate Homeland Security and Governmental Affairs Committee, has been touted as the latest bipartisan attempt to enhance the nation's cybersecurity. If enacted, the bill would grant new powers to the Department of Homeland Security (DHS) to oversee U.S. government cybersecurity, set "cybersecurity performance requirements" for firms operating what DHS deems to be "critical infrastructure," and create "exchanges" to promote information sharing. In its current form, the bill is a useful step in the right direction but falls short of what is required. Fundamentally, the bill misconstrues the scale and complexity of the evolving cyber threat, defining critical infrastructure too narrowly and relying too heavily on voluntary incentives and risk mitigation strategies. It might improve on the status quo, but it will not foster genuine and lasting cybersecurity.

Dozens of bills have been proposed over the years to shore up U.S. cybersecurity. None have so far been enacted, or even reached the floor for a vote, in part because cybersecurity legislation faces daunting prospects on Capitol Hill given that the issue falls under the jurisdiction of over 40 committees. How does this Act stack up against past cybersecurity reform efforts? There are more similarities than differences. Information sharing remains voluntary. Tax breaks for upgrading cybersecurity defenses are glaringly absent, even though the 2011 House Cybersecurity Recommendations encouraged Congress to consider expanding existing tax credits. Audits would be conducted by the firms themselves and self-reported. But there are a few glimmers of hope.

One is the focus on critical national infrastructure (CNI), which is encouraging given its importance to U.S. national security. But what exactly constitutes critical infrastructure? There's little agreement. The original President's Commission on Critical Infrastructure Protection identifies five such institutions; the European Commission identifies eleven. When the U.S. Department of Defense unveiled declassified portions of its strategy for cyberspace, Deputy Secretary of Defense William J. Lynn announced that everything from the electric grid to telecommunications and transportation systems constitute critical national infrastructure, stating that a cyber attack against "more than one [of these networks] could be devastating."

How does the Cybersecurity Act treat this thorny issue? The bill designates an industry as "critical" by deciding whether "damage or unauthorized access to... [a] system or asset could reasonably result in... the interruption of life-sustaining services... ; catastrophic economic damages to the United States... ; or severe degradation of national security." But the Act omits "information technology products," including both hardware and software. These exceptions hamper the effectiveness of the bill, and are a result of kowtowing to industry. Even protected systems contain multiple vulnerabilities, and attackers can enter just as easily through compromised commercial hardware as through malware. Recent reports have cited supply chain concerns about hardware and have found components shipped with embedded security flaws.

Despite the watering down of the Cybersecurity Act, there are signs of further backpedaling. Senator McCain and a group of seven other senators have introduced a competing cybersecurity bill, the SECURE IT Act, which would give DHS less regulatory power over private businesses managing critical infrastructure and grant the National Security Agency more authority to manage cyber attacks. That legislation has been criticized for being too weak on security given its over-reliance on voluntary information sharing. The debate continues, especially given concerns about over-regulation and about privacy and civil liberties protections, though some of these concerns are tempered by the procedures that DHS is charged with developing under the Cybersecurity Act.

In 3001: The Final Odyssey, Arthur C. Clarke envisions a future in which humanity has had the foresight to rid itself of the worst weapons of mass destruction it created and to place them in a vault on the Moon. A special place in this vault is reserved for the most malignant computer viruses that, in his speculative fiction, had caused untold damage to humanity over the centuries. Before new cyber attacks do untold damage to our Information Society, it is in our own best interest to educate and regulate our way to a steady state of cybersecurity in which we can all enjoy the benefits of an open and secure cyberspace. Part of this process involves broadening the definition of CNI in the Cybersecurity Act and deepening public-private partnerships, including more robust information sharing. If there's one thing that science fiction has taught us, it's the wonder of the future, both good and bad. Whether or not that future includes the security and prosperity of cyber peace is up to us, including, for better or worse, the U.S. Congress.

Read the full article, In Search of Cyber Peace by Scott J. Shackelford, at the Stanford Law Review Online.