[credit provider=”Alain-Christian/Flickr” url=”http://www.flickr.com/photos/aseraphin/6726476393/lightbox/”]
Is 2012 a landmark year for Internet security bills, or is it just the tip of the iceberg? So far this year we’ve had SOPA, CISPA, CSA and SECURE IT – the latter three still up for votes in the Senate or House. It’s doubtful that any of them will pass in the current legislative session but it does raise an interesting point: why are so many Internet protection bills suddenly coming up in Congress?
For one simple reason: for the first time since the War of 1812, the US cannot protect its borders.
We are witnessing the start of a massive shift in how sovereign countries assert power and control their borders. Until recently, global power has come down to controlling the world’s oceans, which the US Navy (and her allies) has done successfully since 1945. But now cyberspace is surpassing the world’s oceans as the primary means for transit, shipping goods and of course attack.
Part of the problem is the difficulty in developing policy over abstract concepts that are poorly understood by the public or any governing body. For example, cyberspace is not a place in the traditional terms. And its very nebulousness means there are tipping points in cyberspace that are crossed both invisibly and irretrievably – think of Napster and how it has changed the music industry for one example. Even more than in physical space, where we feel security’s effects most stringently when forced into airport-style security lines, information security tends to rub up against accepted conventions in personal privacy and established ideas of individual freedom.
Ask yourself these questions:
- Is it OK for the government to collect, store, and search every website you visit online?
- Is it OK for Google to do the same?
- Is it OK for Google to share all the data it collects about you with the FBI?
- What about the local police department?
These are all exactly the questions that Congress has to tried to balance in proposed bills this session. The most prominent of which are the Cyber Information Sharing & Protection Act (CISPA) and Sen. Joseph Lieberman’s Cybersecurity Act of 2012 (CSA). If you answered “no” to any of the above questions, then you are probably against either bill passing (which is why neither bill really has overwhelming support).
But of course, you could restate those questions to be more about security:
- Should the government do everything it can do to detect and prevent terrorists or organised crime from communicating over the Internet, even within the country?
- Should the government (the DHS in Lieberman’s bill) regulate your local utility company so that Russian mobsters cannot turn off your power at will?
- Should Google and other large Internet companies be allowed to share with the government signs of ongoing economic espionage by Chinese state-sponsored hackers?
That last question, of course, has the keyword that runs this election year – JOBS. Protecting businesses from ongoing successful economic espionage by China is the main thrust of each and every one of these legislative efforts. So far, these efforts have failed.
When I was at the NSA, one of the luminaries posed the question of whether it would be better to have a completely secure Internet, even from the government, or a completely insecure Internet. I know which one we ended up with, but it’s worth thinking that maybe those are the only options. The binary nature of the underlying digital architectures may, in fact, bubble up to the biggest policy questions of our time.
What if it’s simply not possible to have a secure Internet and personal freedom? If it is an either/or proposition it is going to be very messy for US Internet users over the next few decades.
Because for the federal government and major corporations, there’s too much at stake to leave our networks unsecured. Right now, the focus is on critical infrastructure systems and massive economic espionage levels, but soon cybersecurity demands will radiate into every type of industry and facet of our lives.
America’s ability to conduct war is only the smallest part of it, but it’s a visible one. As the director of the NSA has mentioned, the military can’t go to war with an exposed digital flank.
So big changes will have to happen – and the legislation will keep coming until it gets passed.
That brings us to the other half of the equation – money. America’s cybersecurity is not a billion dollar problem – it’s a trillion dollar problem.
Even in a time of budget cuts, the President and the defence Department have indicated that the military and DHS will continue to ramp up their spending on cyber defence (and I even think that by 2032, we could see the Pentagon spending as much on cybersecurity as it does on the Marines). But they simply can’t keep up with the total cost of keeping America safe from the kind of coordinated threat cyber-espionage poses.
That means more bills like Sen. Lieberman’s CSA, which try to mandate cybersecurity reforms to the private sector. This could raise their costs (and hence your power bill).
It goes without saying that corporations will have a huge stake in the coming cybersecurity reforms. And they’ll be expecting a quid pro quo for footing so much of the bill.
Expect to see the anti-piracy SOPA bill may come back in one form or another. As well as new legislative attempts to limit corporate liability, reduce the cost of failure, and allow them to access and share personal user information with the government. There’s a good chance we’ll also see a stronger legislative effort to push “trusted identities” on Internet users to identify who’s using the Web and how. These measures won’t pass in this legislative session, but they just might in the next.
Dramatic changes in America’s cybersecurity, and with it, our daily lives, are inevitable, so get ready. Big Brother won’t exist in our everyday lives, but he just might when we go online.