Cliff Gregory started an interesting discussion yesterday on the Cyber Security
in Real-Time Systems group (membership required) on LinkedIn. He asks an
interesting question considering that it is the start of the 113th Congress:
does the US need a Critical Infrastructure Protection Act? To start off that
discussion he gives a pretty good short summary of the history of hacking.
With Cliff’s discussion as a starting point, I think that we can all agree that
there has been a significant change in the threat environment over the last
decade or so. There is now a wide variety of actors in the cyber-threat space
with an even wider variety of motivations, goals and capabilities.
Civil Issues
The first thing that we must realize is that some of these cyber-threats are
not issues to be solely resolved by governmental action. A certain level of
responsibility for protection of cyber assets rests with the owners and
operators of cyber-related enterprises. This is going to have to include some
sort of minimum standards for the protection of cyber assets, both physical and
informational.
These standards are going to be risk-based, much the same way that homeowners
with pools are required to have more anti-trespassing measures in place than
someone with just a patio in their backyard. Higher levels of protection are
going to have to be required where the information or systems protected are
more valuable.
Another area in the civil realm will be the use of civil courts to allow
individuals who are affected by cyber-crimes to look for redress from those
entities that were entrusted with the protection of personal information or
assets. Class action suits against entities that allow personal information
entrusted to their care to be stolen may be the most effective way to ensure
that the information handling meets minimum standards of protection.
Law Enforcement Issue
Many of these threat actors are simply law breakers that
ought to be dealt with through the criminal justice system. Identity theft,
electronic funds theft, computer fraud, web page defacing, and a certain level
of hacktivism are all generally equivalent to offenses in the physical sphere
that are routinely handled by law enforcement personnel. The cyber-versions of
these crimes should also be handled by law enforcement personnel and the
courts.
This is certainly going to require the development of
cyber-police capabilities to investigate these simply criminal acts.
Legislators at all levels are going to have to review current criminal statutes
to ensure that the current definitions of crimes are broad enough to encompass
their cyber-equivalents. And the courts will have to establish the appropriate
changes to the evidentiary requirements to deal with the prosecution of these
criminal acts.
Because of the transnational nature of many of the criminals
involved, the Federal government is going to have a large role in the law
enforcement realm over and above its necessary involvement in enforcing
criminal statutes for crimes that cross state boundaries.
Homeland Security Issue
The Department of Homeland Security in the United States was
established as an organization in 2002 to deal with threats to the country that
fell somewhere between the strictly law enforcement and military realms. These
threats include areas such as counter-terrorism, border protection, immigration
and large scale disaster relief. It is clear that some of the cyber-threats
that we face fall within these areas of operation.
In these areas it is clear that the Congress, DHS and the
Federal Courts must take similar action with respect to these cyber-threats as
State and local governments will have to take with the purely law enforcement
actions described above.
It must not be forgotten that DHS has responsibility, mainly
through FEMA, to help State and local officials respond to natural and man-made
disasters that are too large, or cross political boundaries. Similar activities
must be addressed for the closely related cyber-disasters as seen last year in
the aftermath of Sandy. Congress and DHS need to firmly establish the necessity
for responding to cyber-disasters and provide the technical and financial wherewithal
to provide the appropriate response.
Military Issue
While DHS has border protection responsibilities it is clear
that there is a difference between border protection and border defense. The
latter clearly falls into the military realm. While it may be relatively easy to
differentiate between the responsibility for stopping terrorists at the border
and stopping an invading army, it will not be as easy to determine which agency
has responsibility for preventing, detecting and responding to cross border
cyber-attacks.
With Iran reportedly conducting state-sponsored
denial-of-service (DOS) attacks against banks in the United States in response
to the supposed (no proof or admission at this point) US involvement in the
Stuxnet attack, it is clear that we need to have the political discussion about
where the line is drawn between homeland protection and national defense in the
cyber-realm. It does seem clear that the line will not be clear-cut so that
there will have to be more than the usual coordination and cooperation between
DHS and DOD in this area.
More Discussion
Now this has clearly been a broad look at the different
areas of how these three areas are delineated. I’ll try to look at them in more
detail in future posts.