On The Horizon: Cyber- Protection's Murky Waters Run Deep - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

08:35 AM

On The Horizon: Cyber- Protection's Murky Waters Run Deep

Conflicting interests tug at urgent safeguards for the nation's critical infrastructure

What would have happened if the tragic attacks of Sept. 11 had been followed by cyberattacks on the computer systems that control the nation's electric power grids, transportation networks, and water supplies? Are we prepared for a cyberattack on our critical infrastructure?

The short answer is no. As the President's Commission on Critical Infrastructure Protection stated in October 1997, "The rapid proliferation and integration of telecommunications systems and computer systems have connected infrastructures to one another in a complex network of interdependence. This interlinkage, combined with an emerging constellation of threats, poses unprecedented national risk."

Connectivity, the very thing that makes the global network so powerful, is also its Achilles' heel. The Internet, while largely immune from random failure of individual components, is highly susceptible to targeted attacks on critical components, recent research by physics professor Albert-Laszlo Barabasi of Notre Dame University and his colleagues has shown. Coupled with a physical attack, this scenario could open the door to a cascading economic tsunami--on a global scale.

In response to the commission's report, President Clinton in May 1998 signed Presidential Decision Directive 63, which states the government's intent to "take all necessary measures to swiftly eliminate any significant vulnerability to both physical and cyberattacks on our critical infrastructure" and protect that infrastructure against intentional acts by 2003.

The document never lived up to its stated intent, because it was a policy statement and not a plan. The government couldn't mandate network protection because more than 90% of the networks that make up the Internet are owned and operated by the private sector. The "genuine" public-private sector partnership as envisioned by the directive didn't occur because companies were--and still are--uncomfortable sharing corporate cybersecurity information with the government. So cyberattacks have continued to plague businesses and the government. In January 2002, Riptech, an Internet security firm, documented 128,678 cyberattacks from July to December 2001 in its first tabulation of such events.

Historically, the government didn't have a strong interest in addressing denial-of-service attacks because they were viewed as a commercial problem. The attacks weren't physical or generally severe, and that made it difficult to quantify economic losses. Since many cyberattacks focused on previously unidentified software vulnerabilities, it was (and still is) difficult to establish legal liability. Moreover, there was no deep-pocket recovery to be had from a hacker in China or the Philippines.

Sept. 11 changed this view. The attacks brought into focus the government's need to quickly foster heightened private network security. As a result, President Bush in October issued an executive order on "Critical Infrastructure in the Information Age," which, in part, supercedes the Clinton directive while continuing to recognize its intent: The nation's critical infrastructures, increasingly interdependent, are far too vulnerable, and the situation has to be fixed now or the global economy is at risk. The Bush plan sets forth a policy framework--and, more important, an implementation strategy.

The government is trying to encourage companies to further secure their networks, but that isn't easy. It's expensive and requires constant monitoring and upgrading, a recurring cost. Companies face a catch-22: If a network audit isn't conducted, there may be an unknown vulnerability--but if one is done, vulnerabilities uncovered must be fixed or the company could face liability for failure to act.

Implementation of critical infrastructure protection continues to be hampered by the inadequacy of criminal laws relative to cybercrime, international enforcement issues, the lack of civil remedies, antitrust issues relating to information sharing, and liability issues.

Richard Clarke, special adviser to President Bush for Cyber Security has been working to bring business, government, and academic leaders together to address all the issues relating to cybersecurity, including the law. The Sept. 11 attacks couldn't make the urgency of Clarke's mission any clearer.

David Post is a Temple University law professor and senior fellow at the National Center for Technology and Law at the George Mason University School of Law. Reach him at [email protected]. Bradford C. Brown is chairman of the National Center for Technology and Law at the George Mason University School of Law. Reach him at [email protected].

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
COVID-19: Using Data to Map Infections, Hospital Beds, and More
Jessica Davis, Senior Editor, Enterprise Apps,  3/25/2020
Enterprise Guide to Robotic Process Automation
Cathleen Gagne, Managing Editor, InformationWeek,  3/23/2020
How Startup Innovation Can Help Enterprises Face COVID-19
Joao-Pierre S. Ruth, Senior Writer,  3/24/2020
Register for InformationWeek Newsletters
Current Issue
IT Careers: Tech Drives Constant Change
Advances in information technology and management concepts mean that IT professionals must update their skill sets, even their career goals on an almost yearly basis. In this IT Trend Report, experts share advice on how IT pros can keep up with this every-changing job market. Read it today!
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll