Another Republican candidate has chimed in on the issue of cybersecurity. Yesterday, Ben Carson announced his new cybersecurity plan. It's relatively short and concise, but if you don't find yourself with the time to wade through the full report, his basic overarching recommendation is a proposal "based on one simple principle: unifying America's response to cyber threats."
Jeb Bush was the first Republican candidate to release a comprehensive cybersecurity plan, but many of the recommendations were vague calls to show "leadership," which apparently eschews the need for particular policy prescriptions. Many of his calls for public-private partnerships and information-sharing regimes echo the solutions found in Carson's plan, but Carson takes this all a step further with his proposal for a massive new federal bureaucracy: the National Cyber Security Administration (NCSA). Per the report:
"The NCSA is not a new federal bureaucracy. On the contrary, it is a consolidation and unification of the countless and often redundant programs, initiatives and offices which operate disjointedly throughout the government. This new administration would streamline our efforts and eliminate the stovepipes that make America's online efforts so ineffective. Such an agency must be kept separate from the military, but work with them when national security demands it. The NCSA will create a unity of purpose, not just across federal agencies, but in cooperation with 'We the People.' This will be America's venue to bring together experts and lay persons towards a common goal of securing the country, from the individual user at home to the highest government official."
So how would the NCSA "create a unity of purpose" and drive cybersecurity practices? Well, the specifics are relatively vague, but rest assured, the NCSA will indeed do a lot of things. Among these, the agency would be charged with:
- Supporting education efforts in the STEM space;
- Centralizing online best practices development;
- Researching security vulnerabilities and viruses;
- Providing certification of security standards;
- Collaborating with law enforcement and U.S. computer emergency response teams (CERTs) "to analyze traffic and breach trends to discern risk patterns;"
- Ensuring agencies and individuals are prepared for cyber emergencies with Cyber Emergency Preparedness and Continuity of Operations Plans;
- Coordinating with academic research centers on research and development;
- Incentivizing more public-private information sharing partnerships;
- Researching more advanced multi-factor authentication tools; and
- Streamlining and unifying the various federal advisory committees on privacy and civil liberties so NCSA "can serve as a focused, centralized resource for digital privacy and civil liberties issues across the government."
Whew. So that's, well, quite a lot to unpack.
To begin, the lack of specificity on how exactly the various components of the NCSA are to work in practice leaves me with a laundry list of outstanding questions and concerns (i.e. How will information sharing be "incentivized?" Will this agency's power trump the power of agencies like the National Institute of Standards and Technology, which is currently charged with setting encryption standards?, etc.). Rather than jumping down the wonky rabbit hole, however, I've selected a few choice quotes from Carson's plan that seem to define the overarching sentiments contained within, breaking down the endemic problems with each statement in relation to the broader proposal of establishing the NCSA.
1. "Consolidating confusing and sometimes conflicting executive branch activities into one central administration can bring focus to our government's online activities, and give the American people a single point of access."
Carson contends that America is currently in the midst of a "Cyber Space Race" with other state, and non-state, actors, hence the need for this Apollo-style undertaking. Between Carson's daring cyber "moonshot" initiative and Hillary Clinton's "Manhattan Project" to break encryption, technology policy is really bringing out the desire for big government-funded projects from both the left and the right this election season. Nonetheless, Carson's approach, like Clinton's, is unlikely to address the real problems associated with network security while potentially standing in the way of an online security response and research ecosystem that currently thrives without the need for government meddling.
Greater centralization of control, standards-setting, and "information-sharing" efforts are not going to "bring focus" to the issue of cybersecurity. In fact, the more we attempt to consolidate cybersecurity efforts, the less effective CERTs and ad-hoc security teams will be in sharing threat information across borders and operating at peak flexibility. I have difficulty seeing how a massive new federal agency (and, contrary to the report's assertion, this is a "new federal agency" even if it's only subsuming existent powers dispersed amongst various other agencies) could possibly be the ideal solution to cybersecurity when the more responsive and agile networks of CERTs have already been doing a pretty bang up job when it comes to Internet security.
Speed and sophistication are always going to be friends to would-be ne'er do wells. Effective cybersecurity policies will embrace, and match, that speed and sophistication; large government bureaucracies will not. As such, the fewer hurdles individuals and CERTs have to responding quickly and vigorously to emerging threats online, the more effective they can be in defending the rest of us. More bureaucracy is never the answer. If the government hasn't been capable of "focusing" on cybersecurity by now, another bureaucratic stopgate for effective online response is unlikely to improve outcomes.
2. "Currently, we lack the proper incentives to encourage good faith information sharing between public and private organizations."
Well that just isn't true at all.
Just look at the recent battle over CISA here, here, and here. Though to be clear, incentives for information sharing long predated the dubious necessity of legal liability that CISA now affords private companies sharing information with the government. Information sharing already occurs between the organizations and individuals who help contribute to securing the Internet--the CERTs mentioned previously--and law enforcement, private corporations, and other organizations. There's no need for government-sanctioned "incentives" to "encourage good faith information sharing;" the Internet's denizens are already doing a pretty good job sharing threat information amongst relevant parties.
3. "Intelligence agencies must use targeted analysis of online intelligence sources to ensure that America can detect and disrupt attacks on our country before they can be carried out. Our military and intelligence operations must also lead the way in advancing encryption and de-encryption systems. The ULTRA program gave the allies a decisive edge in World War Two, and being able to break coded communications by terrorist organizations or rogue states can do the same for our current fights."
Breaking coded communications and "advancing ... de-encryption systems" sound an awful lot like an endorsement for mandatory security vulnerabilities--that is, backdoors--in encryption protocols. For reasons that have been outlined elsewhere (see here and here), such an approach is unlikely to work to defray potential terrorist attacks, but will certainly have a detrimental impact to the security and privacy of average Americans, to say nothing of the economic ramifications. As for the expectation that intelligence agencies "use targeted analysis of online intelligence sources" ... that's great! They certainly should. All the intelligence in the world won't get you any closer to finding the proverbial needle in the haystack. If they are to be effective, intelligence analysts need to focus on sorting through specific silos of information from signals intelligence sources (i.e. intercepting communications, information mining, electronic surveillance, etc.), and which sets of data should be examined will, more likely than not, need to be determined based on a mix of both signals intelligence and human intelligence (i.e. "black bag jobs," physical surveillance, etc.).
Rather than simply embracing a vacuum-up-everything collection strategy, the intelligence community needs to return to its roots of using "targeted analysis" to "detect and disrupt attacks." In other words, rather than simply adding more hay to the haystack with the expectation that we might find additional needles, maybe we should make sure we're even checking the right haystacks to begin with.
4. "We must ensure that the Internet remains a sandbox for development and exploration; an open environment for communication, collaboration, and innovation."
Yes, I couldn't agree more. Unfortunately, for all the reasons already discussed, the NCSA is not the right way to ensure online security.
Ben Carson might not have achieved the goldilocks formula on cybersecurity, but at least he made an attempt. The only other Republican who has attempted to craft a broader policy perspective on cybersecurity is Jeb Bush and he too gets a great many things wrong. It would be great to see some counter-proposals from the rest of the candidates, especially Carly Fiorina and Rand Paul, that don't call for bloating government as the "solution" to securing America's networks.
This has been an awful lot of naysaying and nitpicking of a document that, let's be honest, isn't a truly viable or conservatively principled "plan" for addressing cybersecurity. What, if not this, is the ideal policy guidance a Republican candidate should embrace when discussing cybersecurity? I'd argue it's already been written. This past summer, the Internet Association released a report on the need to embrace collaborative security as the most ideal means to achieving effective network security. It suggests, in part, that "it is through voluntary bottom-up self-organization that the most impactful solutions are likely to reached." It also makes an important recognition of a broader principle that conservative, and especially libertarian, candidates should be extolling when framing the issue of cybersecurity:
"People are what ultimately hold the Internet together. The Internet's development has been based on voluntary cooperation and collaboration. Cooperation and collaboration remain the essential factors for its prosperity and potential."
Until then, in the spirit of these ongoing presidential policy battles, I offer President Ryan Hagemann's cybersecurity proposal based on a simple principle of my own: if it ain't broke, don't try to fix it.