Four principles for effective cybersecurity law and policy

Steven Titch of has made available the following post, Four principles for effective cybersecurity law and policy | R Street Institute | Free Markets. Real Solutions.

“Cybercrime is in the news again. The Heartbleed security flaw has damaged the reputation of open source computing—a situation only made worse by reports that the government exploited the flaw for its own intrusive purposes. This came on top of news of credit card data breaches at hobby store chain Michaels and big box retailer Target.

Political pressure keeps rising on legislators to ‘do something.’ But before rushing in, legislation or policy first should be vetted carefully. Although current proposed solutions on cybersecurity – such as the Cybersecurity Act and President Obama’s executive order – vary in scope, they tend to have two aspects in common. First, they address cybersecurity in overly broad ways, with top-down solutions that do not distinguish the different motives and goals that drive cyber-attacks. Second, they broaden the power of the U.S. government to collect information private sector companies use routinely in their online relationships with consumers and businesses, often without regard to the consequences such powers would have for legal due process.

The principal tension in cybersecurity – which by definition involves computers, networks and data – is between the need to protect citizens, property and infrastructure and the need to respect legal, civil and property rights.

Any proposed cybersecurity legislation and/or executive policy should be scrutinized for any unintended consequences that may result from a ‘rush to act.’ We need only consider the circumstances that, in the wake of the Sept. 11 attacks, brought us the PATRIOT Act, which gave the FBI and the National Security Agency broad discretionary powers in electronic surveillance. Now, 13 years later, Edward Snowden’s disclosures have shown how these powers have been used to gather information on the communications and online habits of millions of Americans who were never remotely under suspicion for any crime. Given the complexities not only of law, but of information technology itself, it is wise to have standards in place that allow level-headed discourse to prevail.

Rely on existing law

The chief flaw of most ‘cybersecurity policy’ is that it approaches cybersecurity as something separate and apart from conventional law and order. People have been committing theft, fraud, vandalism and espionage throughout history. Exploitation of vulnerabilities in computer networks is simply a new method for achieving these objectives. At the basic level, using the Internet to remove $10 million from a bank’s electronic reserves is no different than drilling into a vault and taking it in the form of cash.

If cybersecurity is understood in the context of plain old-fashioned security, the first step in sound policymaking is to examine existing laws before rushing to create new ones. This reduces the promulgation of vague laws with vague objectives, as well as the risk of prosecutorial overreach. In short, new laws should be the last resort, not the first.

Target wrongdoers

One aspect of current cybersecurity proposals that critics find particularly troubling is the vague goals and terms that give too much discretion to prosecutors. If badly written, these laws end up incorrectly applied.

A notorious example was the 2011 move by federal prosecutors in Massachusetts to charge Internet entrepreneur Aaron Swartz with 11 violations of the Computer Fraud and Abuse Act. Swartz logged in to the Massachusetts Institute of Technology’s network and downloaded some 8,000 articles from MIT’s Journal Storage, or JSTOR, database. Prosecutors pushed for the cumulative maximum penalty of $1 million in fines plus 35 years in prison. This was despite the fact that, aside from physically breaking into an MIT equipment closet, Swartz’s most significant ‘crime’ appears to have been violating JSTOR’s terms of service.

Swartz, who had a history of depression, committed suicide before the case was adjudicated. While the CFAA was designed to be a tool to combat cybercrime, many leaders in the Internet’s business and academic community severely criticized the Massachusetts federal prosecutors for using it against Swartz, who had done no damage and had not accessed any data that was not freely available to any JSTOR member.

Respect due process

Open-ended information gathering and processing is time- and cost-intensive, yields poor results and breeds mistrust of government. The torrent of disclosures about the NSA’s wide-ranging surveillance programs—none of which has been shown to have prevented a terrorist attack—stands as a telling example. To counter this tendency, all cybersecurity legislation, at minimum, should answer the following questions:

Under what circumstances does the government have the right to request access to third-party information?

Should any private company, entity or individual be coerced or pressured to turn over information absent due process?

When it is necessary for the government to collect personally identifiable information, what limits should be in place?

What legal redress do and should citizens have if personally identifiable data is compromised or improperly used while in government care?

Endorse specific practices, not vague frameworks

The Cybersecurity Act proposes to create a set of government-imposed, top-down regulations to combat cybersecurity threats. Similarly, President Obama’s executive order calls for information-sharing and mandated protocols, but as of now is unspecific. These proposals overlook the wide range of procedures and protocols that have been developed bottom-up over the past several decades—procedures that have been tested by real-world experience and subject to regular and ongoing review, revision and updating.

The correct approach eschews attempts at top-down, one-size-fits-all solutions and grounds itself in sound definitions and solid understanding of the threat.

There are different types of cybersecurity threats, each of which target different parts of an organization’s information technology infrastructure and each with its own goal. Broadly, they can be divided into three categories:

Theft/fraud, where the motive is profit.

Espionage/exposure, where the motive is to acquire private or protected information.

Disruption/destruction, where the motive is to cause harm or loss through an attack designed to slow, disable or destroy critical systems and operations.

Just as each of the categories represents different objectives and motivations for attack, they require solutions that can appropriately address the threat and therefore combat it effectively.

Indeed, businesses consider best practices the first line of cybersecurity defense and are doubtful about the effectiveness of government regulations. In a 2011 survey of 1,861 IT professionals across a wide range of industries (including government), 58 percent of respondents said implementing best practices and better security policies has the biggest positive impact on the state of cybersecurity. An additional 20 percent said an organization’s employees could have the greatest impact. By contrast, only 15 percent said cybersecurity can be improved through better technology, and just 7 percent said government regulation and law enforcement were the key.

If the federal government, along with the states, would commit to a basic set of core principles to undergird cybersecurity policy, the outcome would be law that operates within constitutional limits and yields more effective results.