As Attacks Mount, Governments Grapple With Cyber Security Policies
One way or the other, the president of the United States is going to unveil a new executive order on cyber security this week. Long in coming — cyber security has simmered in the background of the national security policy agenda for at least two years — the new order will create a set of standards that private companies operating critical infrastructure, such as power plans and water utilities, can choose to follow voluntarily, according to a report from Bloomberg News.
That the new policy is expected this week implies that President Obama may devote a few words to the subject in his State of the Union address on Tuesday night. Or he may not. But the fact of the matter is that the headlines have been rife of late with news of hacking attacks against American banks, media organizations and others that appear not be coming from pranksters in a basement, but from parties that appear to be operating barely at arm’s length from governments in countries like China and Iran.
One provision would order government agencies to share more information about the nature of computer threats with private companies and give relevant executives of those companies the option to get proper security clearances to get briefed on certain classified information about the nature of the threats, and perhaps lay the groundwork for improved responses.
Republicans and business groups have generally opposed this approach, arguing that voluntary government standards essentially amount to implied regulations that they have to follow whether they want to or not. Additionally they say — correctly — that any government-set standards would quickly be overtaken by the fluid nature of cyber security threats, which are changing daily.
Compare the approach, however, to the European Union, which has its own proposal for cyber security rules on the table, this one more onerous. It would require certain companies, including search engines, energy companies, banks, transit hubs, stock exchange and others to report disruptions to the operations of their computing systems and networks — including anything from human error to full-blown cyber attacks — to government authorities. The expectation is that the proposal will become law within the 27-nation EU within two years. Nothing voluntary about it.
Given the difference, here’s an interesting thought: So often the targets of attacks are entities so large as to have global operations and global networks. An attack on Google’s operations in Europe, for example, one that under the EU scheme would have to be reported to government authorities there, amounts to an attack on its operations in the States. The same is certainly true for many banks that operate on more than one continent.
Sharing of information about cyber security incidents has always been a tricky thing. Large companies don’t like to advertise that they’ve been attacked and their operations disrupted — and when they do disclose it publicly, they do so only sparingly — and the same is true for countries. One country doesn’t like sharing what it knows about a cyber attack because it doesn’t trust what its neighbor might do with the information.
But the difference in approaches makes me wonder why there isn’t more cooperation generally between countries, especially between the U.S. and Europe. National borders mean nothing in the digital realm, and attacks are very often launched from computers in one or more countries, operated remotely by people in one or more countries, against targets in one or more countries. Now everyone is a target and no one knows exactly who the attackers are.
This makes questions about cyber warfare and security infinitely more complex. Most attackers operate at a certain remove from any governments to which they may hold an allegiance, however strong or loose, allowing for what the diplomats like to call “plausible deniability.” Or they may be the equivalent of digital mercenaries fighting for whoever pays the most, or some combination of both. The multiple combinations of variables make the the old nation-to-nation, single attacker, single target paradigm seem outmoded.
That makes the sharing of information among authorities in the most target-rich nations — the U.S. and Europe generally — an important piece any response. If houses are being broken into by a burglar who happens to be good at prying open a certain kind of door or window that happens to be prevalent in your neighborhood, would you not want your neighbor to share that information with you so that you can prepare accordingly?
Perhaps the same kind of common sense approach should apply to the community of nations in the area of cyber security. Could it be done under the auspices of a multination treaty? Perhaps something similar to NATO, where an attack on interests in one country — whatever the entity doing the attacking, be it a nation-state, terrorists, or a gang of troublemakers — amounts to an attack on all? Just a thought.