Hackers v. US, the New Cyberspace

In the last twelve months alone, several high-profile cyber-attacks have either infected or stolen data from computer systems run by the State Department, DoD, Department of Homeland Security and other federal entities. Particularly worrisome is the very real possibility that critical U.S. infrastructure (think nuclear power plants, commercial banking and major telecom networks) could fall prey to attacks, information theft and extortion. Back in July, Barack Obama put the threat of cyber-terrorism on the same level as chemical and nuclear weapons.

A few days ago, the Center for Strategic and International Studies (CSIS), a bi-partisan security think tank from the Cold War, released a detailed and lengthy set of recommendations for President-elect Barack Obama about the future of cyberspace security and regulation. Much of the report is uncontroversial, pragmatic and sober when it comes to its recommendations for security implementation.

In order to stem the capabilities of “hackers, espionage, and criminal elements” (58), the CSIS report proposes greater federal coordination under a new National Office for Cyberspace, increased information sharing with private sector IT companies, and new regulations and minimum cyber-security standards.

The possibility of increased web regulation, however, is likely to meet stiff resistance on two important fronts: private business reeling from recession and civil libertarians concerned about privacy. Thankfully, the report acknowledges these facts and attempts to address them upfront.

As the report writers suggest, greater (and costlier) internet safety regulations are needed because comprehensive cyber-security is not a public good market forces have an incentive to provide. In theory, at least, these new regulations would function like mandatory sprinkler systems in a building code; though more expensive for the private sector in the short term, they save private business a considerable amount in the event of an attack. I concede that they are probably right on this point, though the specter of tangled bureaucratic regulation of a field as dynamic and innovative as information technology worries me.

The report’s proposal for beefing up internet security is what will seem unsavory to civil libertarians: much stronger digital identification of individual users (chapter 5). If the government were to require more substantial digital identification for network access, attacks could be either prevented beforehand or more adequately traced afterward. Robust digital identification would also be required in critical public sectors such as energy and finance, where a catastrophic attack would cripple national security and economic performance.

The question is whether this digital license threatens the powerful, even intoxicating, freedom which web anonymity provides to millions of users. Will the government maintain this data, and for how long? What is to prevent law enforcement, intelligence agencies or private business from abusing these records for political or private reasons (cf. the theft of Obama’s phone records by Verizon employees and the passport records of Obama, McCain and Hillary Clinton by State Department employees)? Will this simply be the next frontier after library records were made accessible to the government by the Patriot Act?

The report acknowledges these questions quite frankly:

The question is whether we improve, for cybersecurity purposes, authentication while we protect other important social values such as privacy and free speech (64)

By consulting with watchdog groups and civil libertarians, the report writers believe that regulations and data deletion statutes could be crafted which achieve this balance. The report also reasonably suggests that a sliding scale of risk-based identity authentication be utilized to protect internet users from having to cede too much information.

For high-profile transactions or for access to critical systems, robust digital identification would be required. This is no different than a bank requiring a driver’s license to open an account or take out a loan. Conversely, for low-risk internet behavior, users would not be required to provide any credentials. As the report puts it:

Anonymity is important (for the online expression of political views or for seeking of information about disease treatment, for example), but weak online identification is inappropriate in circumstances where all legitimate parties to a transaction desire robust authentication of identity (61-62)

I am glad that the report was sensitive enough to understand the privacy implications of a greatly expanded regulatory regime, and the potential for abuse. I only hope that the legislators who ultimately craft the regulatory regime (always under pressure from the public to look “tough” on terrorism) will be as aware of the very serious civil liberty concerns this new initiative potentially represents. Bulking up internet defenses may be a grim necessity, but that doesn’t mean, as Ben Franklin presciently noted, that we should give up our liberty for the reassurance of temporary safety.

2 Responses to “Hackers v. US, the New Cyberspace”

  1. Internet & Democracy Blog » Could Obama Close The Internet? Says:

    […] New Senate legislation introduced by John Rockefeller (D-West Virginia) and Olympia Snowe (R-Maine) would grant the president sweeping powers to control the internet in the event of a cyber-security crisis, including control of the on/off switch for both public and private U.S. networks. The bill is said to follow many of the suggestions of a Center for Strategic and International Studies (CSIS) report released Dec. 8, 2008, calling for a cyber-security czar. See my coverage of that report here. […]

  2. Internet & Democracy Blog » The Pentagon’s Plan To Hack The Hackers Says:

    […] up December’s CSIS report and in anticipation of the National Research Council report due out tomorrow, the New York Times […]