by Larry Magid
Just before issuing his State of the Union address last week, President Barack Obama signed an executive order to improve critical infrastructure and cybersecurity. The next day, Congress was presented with a new version of the Cyber Intelligence Sharing and Protection Act (CISPA).
While there are important differences between the president’s plan and the current House iteration of CISPA, both seek to beef up and coordinate our response to cyber intrusions.
The need for greater cybersecurity is essential to both national security and the economy. We’re already at the point where an enormous amount of government and private business is transacted online. And there are parts of our physical infrastructure, including power plants and transportation systems, that are vulnerable to cyberattacks.
Millions of people do the bulk of their banking online, and even if you’re not one of them, your bank is connected to the Internet and your accounts are vulnerable to attack. Merely having a credit card, receiving government services or even applying for or attending school puts at least some of your data at risk. An attack on our physical infrastructure could hurt anyone, either by putting us at risk or — more likely — shutting down essential services that we all depend on.
Digital global village
Whether you like it or not, we live in a global digital village where everyone’s security affects everyone else. Clearly there is a role for businesses and government to protect citizen and consumer data, but individual users also have a civic responsibility to protect our own devices and the networks we access. A computer or smartphone infected with malware can spread that infection to other computers. Many cyberattacks take advantage of “zombie” networks of infected machines owned by innocent people whose machines have been unwittingly commandeered to help the hackers break into other machines and networks.
If there is any doubt as to the range of organizations that are vulnerable, consider that The New York Times recently reported that its systems had been infiltrated by hackers from China. And stolen emails from the Bush family — including some from former President George W. Bush — were recently posted online. National security wasn’t at stake, but it was a horrific invasion of the family’s privacy as members contemplated possible funeral arrangements for the elder former President Bush, who was critically ill at the time.
The issue of security was important enough for President Obama to address it during his State of the Union address, “We know hackers steal people’s identities and infiltrate private email. We know foreign countries and companies swipe our corporate secrets,” he said, warning that “our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems.”
His executive order called for “enabling near real time sharing of cyber threat information to assist participating critical infrastructure companies in their cyber protection efforts.”
Pursuant to that order, the National Institute of Standards and Technology (NIST) is developing what it calls a “Cybersecurity Framework,” that will consist of a set of voluntary standards and practices “to guide industry in reducing cyber risks to the networks and computers that are vital to the nation’s economy, security and daily life.” NIST specifically mentioned cyber risks to critical infrastructure including power plants and financial, transportation and communications systems. Some have questioned whether the guidelines go far enough. A 2011 White House proposal included procedures for holding private, critical infrastructure operators “accountable for their cybersecurity.”
Security vs. privacy
Others worry about the trade-off between security and personal privacy but, unlike the House’s CISPA bill, the president’s plan seems to be getting good marks from privacy advocates. Michelle Richardson, legislative council for the American Civil Liberties Union (ACLU) praised the White House plan, saying it “rightly focuses on cybersecurity solutions that don’t negatively impact civil liberties.”
The ACLU opposes the CISPA bill reintroduced last week by Reps. Mike Rogers, R-MI., and Dutch Ruppersberger, D-MD. The ACLU’s Richardson said that bill “once again allows companies to share sensitive and personal American Internet data with the government, including the National Security Agency and other military agencies.”
Coming up with good plan to protect cybersecurity is, of course, essential. And while Congress and the administration need to act quickly, they also need to be thoughtful to make sure that it’s comprehensive and meaningful, but at the same time respectful of our privacy.