If there is one thing Washington loves, it is a good debate about the “proper” role of government. When it comes to cybersecurity, the debate in D.C. rages as hotly as ever.
In one corner there are the “big government” advocates, who argue that the threat is so dangerous that government needs to be very active, including by imposing baseline requirements on certain sectors of the economy. On the other side, you have those who champion the power of the private sector, arguing that government regulation will lead to nothing more than a race to an inflexible and rapidly outdated bottom line.
The truth lies, as always, somewhere in the middle. And in this case, it also may be a bit uncomfortable in terms of how far government should go, and where it should hold back.
Based on the assumptions that 1) cyberattacks are a real, growing problem, and that the source of many of the attacks originate from foreign governments, 2) we don’t have a good grasp on the scale or scope of the cyber problem, but that it is likely much bigger than we would like to think, and 3) the idea that the problem is not going away any time soon, and so long term solutions are needed, here are some thoughts on what the government should be doing:
Espionage: We may not like it, but we cannot argue that our government should not be keeping an eye on our enemies. In fact they need to be involved in watching potential and actual attackers. Without that information the government cannot effectively deploy its law enforcement or military assets to protect itself, prosecute criminals, or strike back at our enemies.
I know the idea of the government canvassing the electronic frontier makes many people nervous, but at the end of the day it is their responsibility to collect information about threats and use it to defend our national interests. Even allegations of abuse in the collections process cannot change that basic fact.
Defending Itself: This may seem somewhat obvious, but there is still a lot of confusion about how the government should go about defending itself from cyberattacks. What cannot be argued, however, is that the government shouldn’t protect its own networks and systems.
The government has spent a lot of time and effort doing so, but it needs to do more if only because the threat grows daily. The government is under attack from foreign nations, terrorists, people with grievances, and even its own employees. If there is one thing the government needs to spend its time and money on, it is getting its cyber house in order.
Information Sharing: Going along with the concept that the government should continue to monitor potential cyber foes, the government should also share threat information with the private sector.
This is a basic practice that the Defense Department already undertakes, and Congressman Mike Rogers and C.A. “Dutch” Ruppersberger are pushing in Congress. Simply put, as the government learns about cyber threats, it should share that information with security companies and potential targets. The rub here is that some companies worry that they could be liable in court for actions they take (or don’t take) based on receiving that information. Resolving that will be addressed below, but the bottom line is that the government needs to share its “Most Wanted” cyber threat list with the private sector.
Cyber Offense: There are some that argue that private companies should have the right to strike back at their attackers. The problem in the cyberattack world is that you often don’t know who is attacking you. Blindly striking back could easily result in attacking innocent targets, or worse yet, a foreign military. Instead, this mission is, and should be, the province of the government.
It is equipped to strike back at our enemies, and can deal with the consequences of doing so. Fighting other nations is of course a basic role of the federal government—when Nazi submarines appeared off of the Atlantic Coast, President Roosevelt didn’t expect the local yacht club to take them on; it was a job for the Navy and the Coast Guard. The same thing applies to cyber offense.
Incentivizing Good Cyber Behavior: This last idea might be a bit controversial. After all, some would argue that if cyberattacks are that bad the government shouldn’t have to encourage companies to protect themselves.
Rather, shouldn’t they be willing to do what it takes to protect their systems? Unfortunately, companies are struggling to understand what they should be doing; because if they did everything they could, bankruptcy would be on the horizon. That’s where the government can come in to play. It can incentivize smart cybersecurity investments by helping identify good technologies and encouraging their use through liability protection programs.
One example is the “SAFETY Act”, which has been put to good use in the “traditional” terrorism context, and would do the same in the cyber context. Limiting or eliminating frivolous lawsuits alleging companies “failed” because they did or did not do something to stop a cyberattack will help companies push forward on good investments.
Ultimately the cybersecurity problem is an overwhelming one. Doing too much too soon will likely only result in failure. And so the government is better off sticking to its traditional roles: keeping its own house in order, and stopping the attackers before their electrons reach our shore.
Brian E. Finch (@brianefinch) is a partner at Pillsbury Winthrop Shaw Pittman LLP, where he focuses on cyber security issues. He can be reached at firstname.lastname@example.org.