On The Horizon: Cyber- Protection's Murky Waters Run Deep
Conflicting interests tug at urgent safeguards for the nation's critical infrastructure
What would have happened if the tragic attacks of Sept. 11 had been followed by cyberattacks on the computer systems that control the nation's electric power grids, transportation networks, and water supplies? Are we prepared for a cyberattack on our critical infrastructure?
The short answer is no. As the President's Commission on Critical Infrastructure Protection stated in October 1997, "The rapid proliferation and integration of telecommunications systems and computer systems have connected infrastructures to one another in a complex network of interdependence. This interlinkage, combined with an emerging constellation of threats, poses unprecedented national risk."
Connectivity, the very thing that makes the global network so powerful, is also its Achilles' heel. The Internet, while largely immune from random failure of individual components, is highly susceptible to targeted attacks on critical components, recent research by physics professor Albert-Laszlo Barabasi of Notre Dame University and his colleagues has shown. Coupled with a physical attack, this scenario could open the door to a cascading economic tsunami--on a global scale.
In response to the commission's report, President Clinton in May 1998 signed Presidential Decision Directive 63, which states the government's intent to "take all necessary measures to swiftly eliminate any significant vulnerability to both physical and cyberattacks on our critical infrastructure" and protect that infrastructure against intentional acts by 2003.
The document never lived up to its stated intent, because it was a policy statement and not a plan. The government couldn't mandate network protection because more than 90% of the networks that make up the Internet are owned and operated by the private sector. The "genuine" public-private sector partnership as envisioned by the directive didn't occur because companies were--and still are--uncomfortable sharing corporate cybersecurity information with the government. So cyberattacks have continued to plague businesses and the government. In January 2002, Riptech, an Internet security firm, documented 128,678 cyberattacks from July to December 2001 in its first tabulation of such events.
Historically, the government didn't have a strong interest in addressing denial-of-service attacks because they were viewed as a commercial problem. The attacks weren't physical or generally severe, and that made it difficult to quantify economic losses. Since many cyberattacks focused on previously unidentified software vulnerabilities, it was (and still is) difficult to establish legal liability. Moreover, there was no deep-pocket recovery to be had from a hacker in China or the Philippines.
Sept. 11 changed this view. The attacks brought into focus the government's need to quickly foster heightened private network security. As a result, President Bush in October issued an executive order on "Critical Infrastructure in the Information Age," which, in part, supercedes the Clinton directive while continuing to recognize its intent: The nation's critical infrastructures, increasingly interdependent, are far too vulnerable, and the situation has to be fixed now or the global economy is at risk. The Bush plan sets forth a policy framework--and, more important, an implementation strategy.
The government is trying to encourage companies to further secure their networks, but that isn't easy. It's expensive and requires constant monitoring and upgrading, a recurring cost. Companies face a catch-22: If a network audit isn't conducted, there may be an unknown vulnerability--but if one is done, vulnerabilities uncovered must be fixed or the company could face liability for failure to act.
Implementation of critical infrastructure protection continues to be hampered by the inadequacy of criminal laws relative to cybercrime, international enforcement issues, the lack of civil remedies, antitrust issues relating to information sharing, and liability issues.
Richard Clarke, special adviser to President Bush for Cyber Security has been working to bring business, government, and academic leaders together to address all the issues relating to cybersecurity, including the law. The Sept. 11 attacks couldn't make the urgency of Clarke's mission any clearer.
David Post is a Temple University law professor and senior fellow at the National Center for Technology and Law at the George Mason University School of Law. Reach him at firstname.lastname@example.org. Bradford C. Brown is chairman of the National Center for Technology and Law at the George Mason University School of Law. Reach him at email@example.com.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.