Government and private institutions from the Pentagon to Wall Street regularly face significant threats from unseen and unknown assailants in cyberspace -- from casual hackers to nation-state actors. The bipartisan desire in Washington to craft a national cybersecurity plan to address this broad range of threats has led to a number of cybersecurity bills being introduced in both houses of Congress. Last week the White House lent its voice to the issue and unveiled a cybersecurity proposal, and today I'm testifying before a House Judiciary subcommittee at a hearing focusing on "innovative solutions to challenging problems" in cybersecurity.
Crafting a national cybersecurity policy is fraught with challenges. Finding a solution will require a nuanced approach that recognizes that any comprehensive law will affect individual rights and technological innovation and that strives to minimize the negative consequences.
In my testimony today I outline four important distinctions to make in dealing with the cybersecurity problem and attempting to determine which systems should be more regulable and which should be less regulable. The first distinction recognizes the basic divide between government-owned and privately owned systems; government systems are appropriately subject to more regulation. The second distinction requires policymakers to consider how critical a given system's functionality is to the national interest. For example, systems that run nuclear power plants or the electric grid should justifiably be considered more regulable, while your local web hosting service should not be.
The third distinction that must be drawn is between systems that serve our core American values such as free expression and democratic participation -- most prominently the Internet -- and those that do not. Policies that may be appropriate for the power grid or the banking system may not be appropriate for components of the Internet used for exercising First Amendment rights to speak, associate, and petition the government. Fourth, a distinction must be drawn based on the actual threat. The types of government regulation required to address national security concerns may be disproportionate when used to deflect the attacks of a hacker trying to change grades on a high school computer.
For these reasons a sectoral, threat-specific approach is called for. Very careful distinctions -- too often lacking in cybersecurity discourse -- are needed to ensure that the elements of the Internet critical to new economic models, human development, and civic engagement are not regulated in ways that could stifle innovation, chill free speech, or violate privacy.
White House Data-Sharing Plan Largely Unbalanced
Many claim that the current level of cybersecurity information sharing is inadequate. Private sector network operators and government agencies monitoring their own networks say that they could better respond to threats if they had more information about what other network operators are seeing. The challenge is how to encourage better information sharing without putting privacy at risk.
The Administration's answer to the information-sharing problem raises concerns. The plan proposes a sweeping voluntary information sharing regime that would permit any entity to share with the Department of Homeland Security any information the entity may have, including communications traffic, no matter how it was acquired and no matter how use and disclosure of that information would otherwise be restricted by law, so long as the entity shares it for cybersecurity purposes, makes reasonable efforts to remove irrelevant identifying information, and complies with as-yet-unwritten privacy protections. The provision would override current protections in the Wiretap Act, the Electronic Communications Privacy Act, the Foreign Intelligence Surveillance Act, the Freedom of Information Act, the Sherman Antitrust Act, and many more.
While the commitment to voluntary sharing instead of mandatory participation in a government sharing scheme is admirable, it doesn't override the concern that the White House proposal would, in practice, authorize a massive surveillance system; that part of the plan isn't acceptable. Instead, as my testimony notes, a superior alternative would be to make narrow changes in surveillance laws to address the cybersecurity data sharing issue without carving unnecessary holes in existing privacy protections. However, before making any amendments Congress should adopt proposed legislation that updates the Electronic Communications Privacy Act by making its privacy protections more relevant to today's digital environment.
White House Rejects 'Kill Switch'
In discussions on cybersecurity legislation in the last Congress, some in Congress seized on the idea that the President or Homeland Security should be given "kill switch" authority to shut down Internet traffic in an effort to save a compromised critical information system. Thankfully, the White House cybersecurity plan implicitly rejects that notion; that should put the idea to rest once and for all.
There are many reasons why the "kill switch" idea should remain buried. One of the most important is that such authority would give aid and comfort to repressive countries around the world. The government of Egypt was widely condemned when it cut off Internet services to much of its population earlier this year in order to stifle dissent. The U.S. should not now endorse such a power, even if only for cybersecurity purposes, because to do so would set a precedent other countries would cite when shutting down Internet services for other purposes.
I've only been able to cover some of the issues facing policymakers as they work toward crafting a national cybersecurity policy. For a deeper dive on these complex issues, I encourage you to take a look at the four-part series my organization has published analyzing the strengths and shortcomings of the White House cybersecurity proposal. I firmly believe that all the pieces of a workable national cybersecurity policy can be found in the various public and private sector proposals put forward to date; we need only to assemble them. With a careful and nuanced approach we will achieve the goal of legislation that both protects our critical infrastructure and upholds our civil liberties.