Last week, President Barack Obama unveiled legislation aimed at making cyberspace safer. "Cyberspace" is, admittedly, a clunky term, but no one has yet come up with anything better to describe the totality of Internet connections, electrical grids, consumer databases, financial networks, military systems, and other networks on which American life has grown dependent. But when it comes to securing it, as Obama has said, "we're not as prepared as we should be, as a government or as a country."
Obama's proposal won't win any awards for innovation, but it does seek to answer the two big questions: Can we protect the digital realm from the viruses, hacks, and breaches that regularly threaten it? And, can this be done without upsetting the balance between private innovation and government oversight that has enabled the Internet's explosive growth in the last few decades? The president's cybersecurity proposal follows a model first adopted in the early days of the Internet: The government encourages the private sector to take the lead; if it doesn't, or if it fails, the government steps in.
Obama's plan would formally appoint the Department of Homeland Security to act whenever there's a digital breach of information -- whether it's in the private or public sector. The proposal also sets up a legal framework to govern how DHS responds once a company asks the government to get involved.
Part of the goal is to avoid scandals like the recent ones at Sony and Google. In the case of Sony, the records of millions of its gamers were hacked during a two-week period in April, and the company is accused of a delay in informing its customers. In February, Google, after finding out that Gmail and other systems had been infiltrated, with digital forensics showing the threat came from China, caused a stir by giving the National Security Agency access to its records. We learned after the fact that Google executives had been outraged that some 20 other large companies from "the Internet, finance, technology, media, and chemical sectors" had been similarly targeted by China, but only Google had risked public wrath by seeking assistance from one of the government's most distrusted agencies. The idea behind the Obama plan is to make it less toxic for a company to call for help, by setting clear rules about what government agencies have access to and who's in charge.
Under the president's plan, public-private threat monitoring, information sharing, and data retention would get "strong privacy and civil liberties protections." Identifying information, for example, would be treated carefully, so that opening up Gmail records to federal experts doesn't expose the personal files of its millions of users to federal investigators. Private actors sharing information on threats get immunity, and the attorney general oversees the use of the captured data. But the nuances of how citizens' personal data is treated under the new cybersecurity regime will rightly be a focus of the public debate as these details are worked out.
Obama's cybersecurity proposal also directs industry to batten down its own hatches. Operators of core critical infrastructure -- as-yet-to-be-enumerated systems so important that crippling them would disrupt America -- are required to draw up emergency plans that must be verified by commercial auditors. That approach sidesteps the whole question of creating an "Internet kill switch," which would allow the government to shut off the Internet in the case of an infrastructure attack. Here, the private sector is given a chance to figure out what emergency protections look like. On a press call last week, though, administration officials said they see themselves as retaining the authority to step in should industry not step up. The plan would also institute a single national policy, replacing a patchwork of 47 different state laws, to govern when a company must notify users and the government of a data breach.
Much in Obama's wide-ranging proposal goes beyond reframing that public-private dynamic. The federal government worries a great deal about the security of its own networks. Here, the plan officially tasks the Homeland Security Department with deploying government-wide digital intrusion-detection systems such as EINSTEIN, the monitoring program that guards the points at which federal systems connect to the Internet. To strengthen enforcement, the proposal would create mandatory minimum sentences for cyber crimes, explicitly extend powerful laws like the organized-crime law known as RICO to cyberspace crimes, and strengthen penalties for offenses that courts might tend to treat too softly, such as the trafficking in online passwords.
To some extent, the president is playing catch-up. With dozens of relevant bills bouncing around the Hill, Senate leaders have long pressed Obama to focus Washington's attention on specific cybersecurity legislation.
In response to Obama's proposal, Sens. Joe Lieberman, the chair of the Homeland Security and Governmental Affairs Committee; Susan Collins, one of its ranking members; and Tom Carper, chair of the Federal Financial Management Subcommittee, issued a press release thanking Obama for his contribution, saying that "the Senate and the White House are on the same track" when it comes to cybersecurity. The "finally, Mr. President" was implied.
There's widespread agreement that the government's current ad hoc response to digital threats isn't the best or most sustainable approach. But it's worth keeping in mind the flip-side risk: overreaction. It's a short hop from cybersecurity to cyber war. Seymour Hersh has reported for The New Yorker that the U.S. is on its way toward building a sizable military-cyber complex. The federal government spends some $8 billion annually on unclassified cybersecurity work and about the same on classified work. There's big money, as ever, in war. And this is a debate where the rhetoric hasn't always been careful. One of the major works in the cybersecurity field is Cyber War, a book that came out last April written by Richard Clarke, a former official in both the Clinton and Bush administrations. Clarke's book offers a terrifying view of the insecurity of modern technology, leaving the impression that anything with a plug is waiting for the opportunity to kill us.
For many, the exact details of what Obama proposed last week are less important than the fact that he joined the battle to secure cyberspace. Obama has come out as committed to maintaining the balance between the private and public sectors that has been, rather improbably, one of the strong suits of the Internet thus far. Obama is driving forward a debate that already agrees on a premise: We must make cyberspace safe enough for our networked world to continue to thrive.