On Feb. 3, President Barack Obama and the entire West Wing lost access to e-mail for more than seven hours. A tree-trimmer had accidentally cut the lines running out of the White House data center. White House Communications Director Dan Pfeiffer sent a bulletin via Twitter ― the only way he could get the news out, he said ― letting the world know that “Verizon is working to solve the problem.”
A single, careless scissor snip had compromised the center of the most powerful government in the world. Staffers accustomed to constant, twitchy BlackBerry attachment were stopped in their tracks. “It felt like a snow day,” one adviser told the Washington Post.
The federal government clearly has some housecleaning to do when it comes to running its own networks. Relying on a single data connection to ensure that the leader of the free world can communicate seems shortsighted. Redundant, competing backup systems would be better. Rather than focus on the shortcomings in its own electronic operations, though, the Obama administration ― spurred by vendors such as Booz Allen Hamilton ― is opening the door to centralized monitoring of any private communications in the name of increased security.
Familiar Bush administration politics of fear, as well as vendors’ desires, are animating the current policy push. You can hear the drumbeat in communications from the defense and national security elements of the administration: William Lynn, deputy defense secretary, told the National Defense University earlier this month, “In the 21st century, bits and bytes can be as threatening as bullets and bombs.”
Just a few months ago, Lynn proposed extending “the high level of protection afforded by active defenses” to private networks that operate infrastructure critical to the military or the U.S. economy. Declan McCullagh, writing for CNET, interpreted “active defenses” as code for National Security Agency efforts that, as Lynn wrote in Foreign Affairs last fall, “are a cross between a ‘sentry’ and a ‘sharpshooter’ that can also ‘hunt within’ a network for malicious code or an intruder who managed to penetrate the network’s perimeter.”
The drumbeat in support of government monitoring and control over private networks becomes deafening when the drummer is Bush-era cybersecurity chief (and now executive vice president of Booz Allen) Michael McConnell. He voices concern that the U.S. “is fighting a cyber-war today, and we are losing.” Even ordinarily reasonable Senator Susan Collins uses this kind of language, warning of a “digital Pearl Harbor” in a recent Washington Post op-ed written with Senator Joseph Lieberman.
Howard Schmidt, the White House cybersecurity coordinator, doesn’t buy the hype. “My father was in a war, my son has been in a war, I’ve been in a war, and this is not what we’re going through right now,” Schmidt said in an interview with National Public Radio. “To label every cyberintrusion, every theft of intellectual property, as cyberwar is just a total mischaracterization of what’s going on in the world today,” Schmidt has said.
We’re hearing more about chinks in private computer networks these days because 46 states have laws requiring notification of security breaches involving personal information ― and not necessarily because there are more breaches. It’s not clear these breaches are having much effect on our economy. Cisco Systems Inc., the networking-equipment maker, suggests that mass online bank fraud and spam are both down, but that personalized fraud may be increasing.
At any rate, criminals accessing electronic information without authorization are being arrested and current laws appear to be adequate to reach them. The drumbeat of fear continues anyway. The administration’s draft cybersecurity bill released in May would result in regulation of private Internet access providers by the Department of Homeland Security. The DHS approach maps to the framework under which chemical plants handling hazardous substances are regulated, signaling that some sector of the administration views the Internet as akin to an informational toxic-waste dump.
Most importantly, the bill would allow unrestrained “voluntary” sharing of any information by private operators with DHS, no matter how it was acquired and no matter how existing law would otherwise restrict disclosure of the information. Such sharing would be justified for cybersecurity purposes, if the operator made efforts to remove irrelevant identifying information and complied with not-yet-written privacy protections. This government-centered structure bypasses the Fourth Amendment’s right to privacy. The stated limitations are no real limitation at all.
The White House proposal would also broaden the scope of the Computer Fraud and Abuse Act, make the CFAA part of a racketeering prosecution (triggering harsh penalties), and generally enhance the sentences available under that statute. The CFAA already is interpreted breathtakingly broadly. All computers connected to the Internet are protected by the CFAA against undefined “unauthorized access,” which has made it possible for disgruntled employers to go after employees who use any information for purposes the employer doesn’t like. Expanding an already unconstrained scheme is the D.C. equivalent of jumping the shark; it calls the entire cyberwar enterprise into question.
The bill would certainly create work. Cybercontractors would stay busy carrying out the audits, evaluating the providers’ plans, and suggesting draft rules. We have to hope that Booz Allen and kindred firms would be up to the job.
The astounding asymmetry of information in this area makes Americans susceptible to cyberpanics. The day after a tree-trimmer’s lapse paralyzed the White House, a website called KnowledgeEmpire asserted darkly that the outage had been caused by a “malware cyber-attack” supposedly aimed at British diplomats.
It may be in consultants’ interest to create an atmosphere of fear when it comes to the Internet. But mindless saber-rattling is hardly in America’s interest. Some basic work is needed to improve security of the government’s own networks. Beyond that, if we want to make private networks more secure, the answer involves calmer approaches: investing in research and development, spurring the creation of safer software and educating our citizens and companies about computer security.
By Susan Crawford
Susan Crawford, a professor of law at Cardozo School of Law, specializing in Internet policy and communications law, is a Bloomberg View columnist. The opinions expressed are her own. ― Ed.