Tech manifestos are often cringe-worthy acts of presumption, a harangue, a screech of superior attitude by people who haven’t earned the right to tell everyone else what to do. So, it was with some alarm that I found myself considering a manifesto of my own. Having spent nearly two decades involved in cyber security, however, I have reached a level of concern about our country’s vulnerability where I feel it is imperative to speak out. The following ideas comprise a sorta-manifesto on cyber policy, a high-level set of rules that will make the US safer from escalating cyberthreats. I don’t presume to have all the answers. I do hope to spark a meaningful dialogue.
Premise I: The Digitally-Connected World is an Engineering Failure
From the perspective of security, the digitally connected world—consisting of the Internet, corporate systems, cloud infrastructure, connected mobile devices and the Internet of Things (IoT)—is an engineering failure. This may sound impolite, but unfortunately, it’s the truth for anyone who has their eyes open. Virtually every networked device and system is subject to pervasive, extremely serious security problems. Epoch-making attacks are now commonplace. Data assumed to be private is routinely made public or stolen for improper use.
We would never accept this level of engineering failure from other systems we rely upon in our society. Can you imagine every car arriving from the factory containing a hidden incendiary device that may or may not explode at any time? Picture a city where thieves could get a key to your house at every corner store. Would you drive on a road with car-sized potholes on every block? How about an airliner that regularly denies its pilot control of the plane? How many people would choose to live in buildings that were negligently built to be deadly firetraps? (And, which come equipped with impossible-to-remove surveillance equipment that broadcasts every event in your private life to blackmailers and identity thieves.) Yet, we tolerate, even laud, a digitally connected world that embodies many analogous engineering flaws.
This is only a partial criticism of the people and companies who make the elements of the digitally connected world. I include myself in the industry. There is some legitimate blame to cast on the tech industry. But, everyone is working with the tools and materials at hand, with urgent profit incentives and a deeply flawed systemic design. The digitally connected world is a dangerous cocktail of rushed-to-market hardware and software, networks that were never intended to be secure and a decentralized, ungoverned global system of non-accountability. Given these factors, how could the digitally connected world not be insecure?
Premise II: The Societal and Human Risks are Immense
It’s easy to come off sounding like a paranoid lunatic in this department, but a careful reckoning of the systemic security risks we face is a sobering exercise. As books like Ted Koppel’s excellent “Lights Out” describe, the United States is vulnerable to catastrophic destruction due to security flaws in the electrical power grid. There are many comparable risks that are poorly managed, each of which could lead to mass chaos, death and destruction.
A short list of inadequately mitigated but deadly security risks includes: the “bricking” (permanent switching off) of millions of electronic devices through firmware- and software-borne malware; contamination of critical data (e.g. financial records) through malware; distortion of public information; and on and on. A national-scale incident of this type could deprive hundreds of millions of Americans of power, water, fire and police services, telecommunications, medical care, sewage services, food, money and information. It could even render the military useless.
These scenarios are not the stuff of fevered Hollywood imaginations. They are actively being pursued by powerful nation states and terrorist organizations at this very moment. Almost all of our hardware and a significant amount of our critical software originates in countries that are strategic adversaries to the United States. These countries liberally exploit their ability to spy on us and implant destructive malware right in our pockets, server rooms, networks, vehicles and desktops. We’re their biggest customers. They’re not our friends.
Premise III: It Doesn’t Have to Be This Way
The truth is that America used to be a land of exploding cars, deadly highways and fire-trap buildings. Many of the same, “It’s not my fault. It’s the system.” types of excuses were employed to explain away thousands of preventable deaths from these dangers. Why do we no longer have such high risks in these engineered systems? Ignoring the politics of it for a moment, it’s fair to say that a great deal of effort went into rethinking the designs of cars, roads and buildings. The resulting ideas were then slowly, arduously translated into policies and laws that prevented needless death and destruction.
Today, though these systems are far from flawless, we have authorities, laws and penalties for breaches in the various codes that were enacted to protect people from poorly engineered products. We have mandatory car and fire insurance. There are industry standards: cars are built for safety; buildings are built to be fire-proof; roads are designed to avert accidents. There are governing bodies that monitor and enforce safety policies. Perhaps most importantly, the public mindset about safety is clear and positive. Safety is something that is supposed to be ensured, not avoided or rationalized. Lapses in safety are punishable by both civil and criminal law. The same needs to happen now for the digitally connected world.
Making It Happen with Cyber Policy
The United States needs a unifying cyber policy, a high-level set of rules, laws and norms that serve to remediate the serious security deficiencies in our digitally connected world. Devising such a policy, coming to consensus on it and then implementing it will be a monumental challenge. It may be the central governance struggle of the 21st century. Yet, it needs to be done. The risks of ignoring the danger are too high to bear. The following ideas could form the basis for a more extended conversation about forming a national cyber policy:
#1: Build a Secure National Network
The United States needs a secure, encrypted network mandated for use by industry, government and critical infrastructure such as power plants. No critical element of the US economy, government or public infrastructure should be allowed to conduct business of any kind over the public Internet. This network should be built using only hardware built in the United States. Any device connecting to it should be 100% American made. Any software accessible by the network needs to be scanned for malware or malicious code from unfriendly nation states. All users of this network have to be authenticated and authorized by a central authority governing use of the network. Locations of users must be verifiable, with strict controls over access to the network from overseas.
#2: Issue Licenses for Use of the Secure National Network
Users of the secure network can only access it once they are issued a license by a central controlling authority over the network. The licensing procedure includes criminal background checks, geographic location and more. With this license should come a mandatory cyber insurance policy covering losses from security incidents. Violations of licensing policy ought to be criminal.
#3: Create Guidelines for Media and Public Information
As the events of 2016 show, the public is easily misled by deliberate manipulation of social media and other forms of public information. The news media would do well to devise and adhere to policies that limit the impact of unverifiable digital information sources, e.g. automated Twitterbots. Additionally, as it becomes simpler and cheaper to create false images and videos of real people (e.g. politicians) saying and doing things, there should be standards of reporting that make the news media less vulnerable to fraudulent stories.
#4: Make Data Harder to Steal and Less Valuable to Thieves
Data breaches will continue to plague the United States as long as the data itself has value. For example, being able to steal a social security number is a key element of identity theft. If it were possible to change social security numbers or render them useless without a personal PIN, the actual number would be a less attractive target for theft. On a related note, the practice of encryption of data at rest could help reduce the scope and frequency of data breaches.
#5: Make Data Storing Entities Legally Accountable for Breaches
The law needs to be strengthened to protect victims of data breaches. Entities that negligently enable hackers to steal valuable data, such as personally identifying information, have to be held legally accountable. This might even include criminal penalties for those responsible.
#6: Establish a National Cyber Authority
For any of this to work, there has to be some sort of national cyber authority. Whatever comprises this authority, whether it’s a government agency or a commission like the SEC or FCC, it has to have teeth. It has to be able to define and enforce national cyber policy to protect the American public from cyber risk.
Objections to the Idea of a National Cyber Policy
After we’ve gotten past the basic reaction of, “This will never happen,” it might be worth looking at some valid objections to the idea of a unifying, authority-based cyber policy governing American use of digitally connected technologies. These include:
- It will be hacked. Of course it will. No system is completely secure. However, if cyber policy is implemented in a serious fashion, the probability, frequency and severity of attacks will drop. They will also become easier to remediate.
- Such a policy will kill internet freedom. No, there can still be a largely ungoverned public internet used by non-authenticated users on insecure devices. Government and industry may not use this network, however.
- It Will Slow Down Innovation. Not necessarily. Designing and building the systems contemplated by a national cyber policy could be the biggest innovation and profit-making opportunity of this entire era.
- It Will Cost Too Much. Creating and implementing a national cyber policy will be a costly undertaking. However, it will be structured to benefit for-profit entities, so the cost is actually revenue to American tech companies. Done right, this policy should be a boon to American workers, hired to build secure, American-made technologies. Also, costly as opposed to what? To the hundreds of billions of dollars spent by businesses and government agencies trying in vain to defend themselves against foreign cyber armies? To the multi-billion-dollar costs of rectifying data breaches? As opposed to realistically facing the end of American life as we know it? What is that worth?
Now, we need to discuss.