Cliff Gregory started an interesting discussion yesterday on the Cyber Security in Real-Time Systems group (membership required) on LinkedIn. He asks an interesting question considering that it is the start of the 113th Congress; does the US need a Critical Infrastructure Protection Act? To start off that discussion he gives a pretty good short summary of the history of hacking.
With Cliff’s discussion as a starting point, I think that we can all agree that there has been a significant change in the threat environment over the last decade or so. There are now a wide variety of actors in the cyber-threat space with an even wider variety of motivations, goals and capabilities.
The first thing that we must realize is that some of these cyber-threats are not issues to be solely resolved by governmental action. A certain level of responsibility for protection of cyber assets rests with the owners and operators of cyber related enterprises. This is going to have to include some sort of minimum standards for the protection of cyber assets, both physical and informational.
These standards are going to be risk-based much the same way that homeowners with pools are required to have more anti-trespassing measures in place than someone with just a patio in their backyard. Higher levels of protection are going to have to be required where the information or systems protected are more valuable.
Another area in the civil realm will be the use of civil courts to allow individuals who are affected by cyber-crimes to look for redress from those entities that were entrusted with the protection of personal information or assets. Class action suits against entities that allow personal information entrusted to their care to be stolen may be the most effective way to ensure that the information handling meets minimum standards of protection.
Law Enforcement Issue
Many of these threat actors are simply law breakers that ought to be dealt with through the criminal justice system. Identity theft, electronic funds theft, computer fraud, web page defacing, and a certain level of hacktavisim are all generally equivalent to offenses in the physical sphere that are routinely handled by law enforcement personnel. The cyber-versions of these crimes should also be handled by law enforcement personnel and the courts.
This is certainly going to require the development of cyber-police capabilities to investigate these simply criminal acts. Legislators at all levels are going to have to review current criminal statutes to ensure that the current definitions of crimes are broad enough to encompass their cyber-equivalents. And the courts will have to establish the appropriate changes to the evidentiary requirements to deal with the prosecution of these criminal acts.
Because of the transnational nature of many of the criminals involved the Federal government is going to have a large role in the law enforcement realm over and above their necessary involvement in enforcing criminal statutes for crimes that cross state boundaries.
Homeland Security Issue
The Department of Homeland Security in the United States was established as an organization in 2002 to deal with threats to the country that fell somewhere between the strictly law enforcement and military realms. These threats include areas such as counter-terrorism, border protection, immigration and large scale disaster relief. It is clear that some of the cyber-threats that we face fall within these areas of operation.
In these areas it is clear that the Congress, DHS and the Federal Courts take similar action with the respect to these cyber-threats as State and local governments will have to take with the purely law enforcement actions described above.
It must not be forgotten that DHS has responsibility, mainly through FEMA, to help State and local officials respond to natural and man-made disasters that are too large, or cross political boundaries. Similar activities must be addressed for the closely related cyber-disasters as seen last year in the aftermath of Sandy. Congress and DHS need to firmly establish the necessity for responding to cyber-disasters and provide the technical and financial wherewithal to provide the appropriate response.
While DHS has border protection responsibilities it is clear that there is a difference between border protection and border defense. The later clearly falls into the military realm. While it may be relatively easy to differentiate between the responsibility for stopping terrorists at the border and stopping an invading army, it will not be as easy to determine which agency has responsibility for preventing, detecting and responding to cross border cyber-attacks.
With Iran reportedly conducting state-sponsored denial-of-service (DOS) attacks against banks in the United States in response to the supposed (no proof or admission at this point) US involvement in the Stuxnet attack, it is clear that we need to have the political discussion about where the line is drawn between homeland protection and national defense in the cyber-realm. It does seem clear that the line will not be clear-cut so that there will have to be more than the usual coordination and cooperation between DHS and DOD in this area.
Now this has clearly been a broad look at the different areas of how these three areas are delineated. I’ll try to look at them in more detail in future posts.