While it hasn’t gotten nearly the play of threats of terrorist attacks, the threat of cyber attacks is being promoted by defense secretary Leon Panetta as one of the greatest threats facing the country, demanding resources, attention and, of course, laws. From the New York Times :
Defense Secretary Leon E. Panetta warned Thursday that the United States was facing the possibility of a “cyber-Pearl Harbor” and was increasingly vulnerable to foreign computer hackers who could dismantle the nation’s power grid, transportation system, financial networks and government.
“An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches,” Mr. Panetta said. “They could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”
Given our reliance on computers to do, well, everything, manage and control the world as we know it, a cyber attack could certainly wreak havoc. Whether a comparison to Pearl Harbor holds water is another story.
The upshot is the government desires to enact legislation, and if not legislation, then an executive order looms. This is where is gets muddy, yet disturbing.
Mr. Panetta also argued against the idea that new legislation would be costly for business. “The fact is that to fully provide the necessary protection in our democracy, cybersecurity must be passed by the Congress,” he told his audience, Business Executives for National Security. “Without it, we are and we will be vulnerable.”
With the legislation stalled, Mr. Panetta said President Obama was weighing the option of issuing an executive order that would promote information sharing on cybersecurity between government and private industry. (Emphasis added.)
Is this what will save us from attack? Perhaps, but its implications run far deeper, an issue that few address. After all, when the national security flag is raised, what kind of idiot would concern himself with such trivialities as the impact on civil and constitutional rights? This kind of idiot, I guess.
If we’ve learned nothing over the past decade, it’s that the government is singularly adept at multi-tasking, using laws promoted as our protection from terrorism to undermine the rights and privacy of its own citizens. Whether it’s coincidental or deliberate isn’t the point; the point is that consequences follow from such initiatives, but nobody wants to talk about them before the damage is done when the defense secretary is screaming about a cyber-Pearl Harbor.
At Volokh Conspiracy, Stewart Baker (who has done a lot of thinking about cybersecurity) argues that the government’s approach flawed and ineffective.
We will never defend our way out of the current cybersecurity crisis. That’s because putting all the burden of preventing crime on the victim rarely succeeds.
The obvious alternative is to identify the attackers and punish them. Many information security experts have given up on this approach. As they point out, retribution depends on attribution, and attribution is difficult; attackers can hop from country to country and from server to server to protect their identities.
I think this skepticism is outmoded, however. Our intelligence on cyberattacks has gotten a lot better. Investigators no longer need to trace each hop the hackers take. Instead, they can find other ways to compromise and then identify the attackers, either by penetrating hacker networks directly or by observing their behavior on compromised systems and finding behavioral patterns that uniquely identify the attackers.
There is a huge irony gap in the government’s promotion of the notion that hackers, be they state sponsored or a collective of individuals who screw with the system for fun, are so much smarter, better, more nefarious, that our collection of cybersecurity-minded individuals are totally outgunned. Are we really impotent against the evil computer geniuses of Iran?
But Stewart notes a deeper problem lurking in the background, happening at the same time as the administration wants to get inside our computers to prevent this cyber-Pearl Habor:
Now there’s no doubt that US intelligence and law enforcement agencies have the authority to respond to hacks of US companies by breaking into the networks of suspected hackers and gathering information there. But by and large they don’t.
Why not? Because complaining to the FBI and CCIPS about even a state-sponsored intrusion is like complaining to the DC police that someone stole your bicycle. You might get a visit from the local office; you might get their sympathy; you might even get advice on how to protect your next bicycle. What you won’t get is a serious investigation. There are just too many crimes that have a higher priority.
This is where it becomes hard to reconcile. On the one side, the Department of Defense says the sky is falling and we need intrusive laws to allow the government access to our computer infrastructure for our own protection. On the other side, law enforcement can’t be bothered with it because it’s got bigger fish to fry. Which is it?
No doubt the concerns about cybersecurity will eventually hit main street, with teenagers aghast at the possibility that Facebook will go down and they’ll never be able to add new friends they’ve never met. Whether law or executive order, it will be sold to us as the absolutely necessary means of protecting us from this dreaded but unseen enemy, waiting at the fringes of the internet to take over our nation. We certainly can’t have that.
In the process of staving off this cyber-Peal Harbor, however, the implication for further erosion of privacy and liberty is at monumental risk. For most of us, we’re far behind the learning curve of what this means at the moment, but the government is moving full steam ahead. By the time we figure out what liberty has been lost in the name of security, it will be too late, just as it was after 9/11. The time to confront the implications of cybersecurity is before we lose any more freedom, because if 9/11 has taught us anything at all, it’s that getting it back afterward doesn’t work.