Commentary: Cybersecurity Needs Public Notice

By Sen. Sheldon Whitehouse
May 27, 2010

There is an important debate unfolding across government and the private sector over a critical national security issue: how to secure America's information networks from cybersabotage, espionage and attacks. (See, “Do Cyber-Attacks Require a 'Duty to Assist'?”)

Cyber-assault, from criminal organizations of unprecedented scale and sophistication, and from powerful nations and their proxies, is relentless against American strategic and commercial interests.

As an example of the scale of the threat, one American company had 38 terabytes of sensitive data and intellectual property exfiltrated from its computers, equivalent to nearly double the amount of text contained in the Library of Congress. The United States is hemorrhaging intellectual property.

On the Defensive

There are already several dozen cybersecurity-related bills before Congress. The decisions we as a country must make to protect our Internet security will affect everyone from the major Internet service providers down to individual computer users, yet the American public is largely disengaged from this debate. This is partly because so many issues compete for attention during this time of economic hardship, partly because the effort to defend .mil and .gov is classified, and also because many businesses in .com and .org do not want to share cyberthreat information that they consider to be sensitive and proprietary.

In a democracy, however, that's not a good place to be. Congress, the executive branch and the private sector must all do a better job of engaging the public on decisions that are so important. The questions are indeed big ones.

For example, the overwhelming majority of successful cyber-attacks could be prevented if we treated our computers more like our automobiles. Even the most casual drivers follow basic rules of the road and perform routine maintenance on their cars. If computer users took similar basic precautions and performed the computer equivalent of routine maintenance with up-to-date anti-virus software and automatic patching of security vulnerabilities, most cyberattacks would be blocked.

Should computer users then be subject to rules of the road? If so, what should the duty of care be, and how would it be enforced?

Commercial traders attacked by ocean pirates in the 18th century could run out their guns and fight back. Indeed, privateers under letters of marque hunted pirates on the open seas. Today, corporations whose networks are being penetrated or disrupted can do little more than batten down the hatches.

All Hands on Deck

How do we encourage information sharing to establish better situational awareness? And is information-sharing the best we can do? Should we facilitate the use of court orders to disrupt the ability of hackers to command and control hijacked computers, as Microsoft recently did against the Waledac botnet? (See, http://news.cnet.com/8301-1009_3-10459558-83.html.) How do we best enable 21st century corporations to defend their networks against modern cyberpirates?

If a bank, electric utility or communications provider is disabled by an attack, beyond the capability of the individual corporation to defend itself, and private property or essential services or even lives are at stake, should anyone be empowered to step in, and on what terms? The Federal Deposit Insurance Corp. steps in, quickly and smoothly, to protect against a loss of confidence and a “run on the bank” caused by solvency concerns, and then exits. Is that a good model for protecting a company disabled by cyber-attack?

In the event of a major cyber-attack attributable to a foreign government, the president has established authorities for responding. But in the shadowy world of probe and counterprobe, of unattributable attacks, what should be the rules of engagement? When can covert agencies hit back against attackers? Who oversees this shadow conflict?

And of course the broader question is: What should be reported to the American people about cyberthreats? If the public remains insulated from the threat, from the cost of the cyberpillaging of our country's work and wealth, and from the depth of the national security hazard, we will not engage in a political discussion that is both robust enough to befit a great democracy and urgent enough to meet the cyberthreat in time.


U.S. Sen. Sheldon Whitehouse (D-RI) is the chairman of the Senate Intelligence Committee's Cybersecurity Task Force. This commentary originally appeared in The National Law Journal, an ALM affiliate of Internet Law & Strategy.
