The Stanford Law Review Online has just published an Essay by Scott J. Shackelford entitled In Search of Cyber Peace: A Response to the Cybersecurity Act of 2012. In the wake of recent events with the group Anonymous and other “hacktivists,” Shackelford discusses the pressing need for improved cybersecurity and explains why the proposed Cybersecurity Act is a step in the right direction, but doesn’t go far enough:
The Cybersecurity Act of 2012, which was recently introduced in the Senate Homeland Security and Governance Affairs Committee, is the latest legislative attempt to enhance the nation’s cybersecurity. If enacted, the bill would grant new powers to the Department of Homeland Security (DHS) to oversee U.S. government cybersecurity, set “cybersecurity performance requirements” for firms operating what DHS deems to be “critical infrastructure,” and create “exchanges” to promote information sharing. In its current form, the bill is a useful step in the right direction but falls short of what is required. Fundamentally, the bill misconstrues the scale and complexity of the evolving cyber threat by defining critical infrastructure too narrowly and relying too much on voluntary incentives and risk mitigation strategies. The Act might improve on the status quo, but it will not foster genuine and lasting cybersecurity. Still, it is preferable to the softer alternative SECURE IT Act proposed by senior Republicans.
If we want to change the status quo, accountability and responsibility must be increased throughout the system. Government regulations are a necessary part of that process. But given political realities and the magnitude of the problem, reform must also include relying on the competitive market whenever possible to proactively foster best practices, providing market-based incentives and cyber risk mitigation techniques to firms operating [critical national infrastructure (CNI)], negotiating new international norms, and educating users to avoid becoming victims of social-engineering attacks like phishing. Cybersecurity cannot truly be enhanced without addressing the myriad governance gaps, which include incomplete regulation of CNI; technical vulnerabilities in the physical, logical, and content layers of the Internet; and legal ambiguities ranging from liability for data breaches to the applicability of international law to cyber attacks. One Act cannot accomplish all that—not even close. But being honest about the magnitude of the problems we face would help to begin a national conversation about what needs to happen next.
In 3001: The Final Odyssey, Arthur C. Clarke envisions a future in which humanity had the foresight to rid the world of its worst weapons of mass destruction by placing them in a vault on the moon. A special place in this vault was reserved for the malignant computer viruses that, in Clarke’s speculative fiction, had caused untold damage to humanity over the centuries. Before new cyber attacks do untold damage to our information society, it is in our interest to educate and regulate our way to a steady state of cybersecurity. Part of this process involves broadening the definition of CNI in the Cybersecurity Act and deepening public-private partnerships through more robust information sharing. Science fiction teaches us that our future world can be either a wonderful or a dystopian place. Whether or not the future includes the security and prosperity of cyber peace is up to us—including, for better or worse, the U.S. Congress.
Read the full article, In Search of Cyber Peace: A Response to the Cybersecurity Act of 2012 by Scott J. Shackelford, at the Stanford Law Review Online.