Editor’s note: This post by Sean Lawson provides context on cyber conflict, an area of interest at the nexus of national security and technology. – bg
For the last two years, I have been calling attention to the generally poor quality of the public policy debate about cybersecurity in the United States. This has included a tendency to resist efforts to define key terms clearly, to hype threats, and to conflate a number of different threats and vulnerabilities under the term “cyber war.”
Recently, we have seen the emergence of one potential negative consequence of these tendencies. Just as a number of pieces of legislation addressing the cybersecurity of critical infrastructure like power and water systems are being introduced into the Congress, the New York Times reports that some lawmakers might be getting cold feet. Why? The recent fight over anti-online piracy bills SOPA and PIPA has left some lawmakers hesitant to be seen as regulating the Internet.
The article is quick to point out, however, that “In fact, the latest network security bills do not regulate the Internet, and it is not clear whether they will gain popular traction, either for or against.” While that may well be true, lawmakers’ concerns are well-founded and largely of their own making.
Since at least 2008, many in government and industry have indulged in rhetoric that has allowed for this situation. Official efforts to diagnose and motivate a response to cybersecurity challenges have inadvertently resulted in critical infrastructure receiving less attention than it deserves.
First, I have noted previously that hypothetical cyber-doom scenarios have become a staple of efforts to motivate a policy response to cyber threats. These scenarios often involve hypothetical cyber attacks upon critical infrastructure leading to mass casualties and widespread disruption of daily life. I have argued that such scenarios are not only unrealistic but that the war/disaster framing and the fear it instills encourage militarized policy responses. Thus, the most significant policy response we have seen to date has been the creation of a military command, USCYBERCOM. Former White House cybersecurity advisor, Richard Clarke, has argued that to this point the United States has focused on creating offensive military cyber capabilities while largely ignoring the cybersecurity of civilian networks, including critical infrastructure.
Second, there is a clear disconnect between the rhetoric used to motivate a policy response and actual diagnoses of the problem. In a previous post, I demonstrated that key cybersecurity policy documents and statements from top policy makers have consistently diagnosed cyber threats primarily in terms of theft of intellectual property and decreased economic competitiveness. A recent report from Bloomberg News highlights one potential negative consequence of this framing: decreased emphasis on critical infrastructure cybersecurity.
Electric utilities fail to recognize the risk because, unlike banks and telecommunications companies, they aren’t prime targets for Internet theft or espionage, said James Lewis, technology program director at the Center for Strategic & International Studies in Washington. Yet “if there was a cyber attack, the electrical grid would be target number one” for terrorists, he said.
Now the New York Times has pointed to another potential negative consequence: the bad blood caused by efforts to protect intellectual property first and foremost might make it more difficult to address critical infrastructure cybersecurity. After years of conflating intellectual property theft and cybersecurity, lawmakers are right to be concerned that these latest bills will be seen as just more attempts to regulate online activities.
Fear mongering and intellectual property concerns have already distracted our attention from efforts to secure critical infrastructure. It would be unfortunate indeed if the criticism and distrust this has generated were to further delay efforts to address critical infrastructure cybersecurity.
[Cross-posted from Forbes.com.]