The Right Way to Promote Cybersecurity
by Bruce J. Heiman, Presenter, RSA Security Conference – February 18-22, 2002

1735 NEW YORK AVENUE, NW, SUITE 500 | WASHINGTON, DC 20006 | 202.628.1700 | FAX 202.331.1024 | www.pgerm.com

If you are a computer-savvy but unscrupulous businessman, why develop a new infotech product if you can simply hack your competitor and steal his product design? If you are a thief, why bother holding up a bank if you can remotely transfer funds into another account? If you are a terrorist, why hijack an airplane if you can seize control of the air traffic control system? Why bomb a nuclear power plant if you can remotely manipulate its controls to cause a meltdown? After all, the murderous September 11th attacks involved the physical hijacking and suicide crashing of four airplanes – but a future attack could be launched from a distant foreign country using only keystrokes targeted at the computer networks controlling key aspects of American life.

This week, over 10,000 computer security professionals are meeting in San Jose at the annual RSA Security Conference. Their mission: to better promote cybersecurity. It’s a critical job, because protecting our nation’s critical information infrastructure is best done through private sector solutions that are market-driven and industry-led. After all, it’s the private sector that developed, owns and operates the networks and the services that constitute our information infrastructure. It also is the private sector that has the knowledge and expertise to protect it.

But in the aftermath of the horrific 9/11 attacks, will the government allow the technology industry to deploy security solutions? Or will government grow impatient and begin dictating specific standards and technological “solutions”?

Today in Washington “it’s about security, stupid.” Government wants to be seen as preventing and preempting problems – not reacting to them.

Cybersecurity problems are perceived to be getting worse. Just last month the Internet security firm Riptech reported that 41% of its 300 clients around the world suffered critical attacks. The Computer Emergency Response Team Coordination Center at Carnegie Mellon University reported a 50% increase in security breaches and attacks. The concept of a computer “security gap” is beginning to take hold in Washington: the difference between what the private sector is providing in security and what the “national interest” requires.

The danger of government intervention is increasing. Certainly we can expect further serious, high-profile cyber attacks. We also can expect encryption and steganography to be used for evil purposes (the technology is widely available and uncontrollable). Moreover, the industry is no longer considered the “golden goose” – instead it’s “.gone”. Enron has shifted the balance to those who advocate greater government regulation. The convergence of the Internet with the older and highly-regulated telecommunications sector also is breaking down the barriers to cyber regulation.

But government mandating that the private sector use particular technologies or dictating standards is not the right way to promote cybersecurity. It simply will stifle innovation and harm the very information infrastructure that needs protection. Instead, there are several things that government can do which will help.

1. Increase the government’s ability to fight cyber crime. The government needs adequate resources to hire and train people. It also needs appropriate authority to combat crime (while ensuring that any surveillance is focused and judicially approved).

2. Improve the government’s own cybersecurity. Today federal departments and agencies routinely get a “D.” There are concrete, specific actions the government can take, and they need to do so as soon as possible.

3. Maintain focus. Protecting cyber systems and networks requires consistent vigilance. Too often attention in Washington shifts to the “crisis du jour.”

4. Promote voluntary information sharing among industry and with government. Today industry is reluctant to share information about cybersecurity problems and solutions. Industry fears that information shared with the government will be disclosed, that information shared with competitors will subject them to antitrust liability, and that information shared with anyone will subsequently be used against them in a lawsuit. Legislation is pending in the House and Senate to address these concerns – the Administration should support it and Congress should pass it as soon as possible.

Protecting our critical information infrastructure is essential for U.S. national security, American economic welfare, and our fundamental freedoms. But a truly voluntary, long-term, cooperative partnership between industry and government is the only approach that can succeed in this vital mission.

Bruce Heiman is a partner in the Washington, D.C. law and lobby firm of Preston Gates Ellis & Rouvelas Meeds LLP and serves as Executive Director of Americans for Computer Privacy (www.computerprivacy.org).