The infamous Sony hack, which compromised the personal information, data, and communications of 50,000 of the company's employees, was yet another signal that America cannot ignore the serious threat of cyberattacks.
During the State of the Union address on Tuesday, President Obama outlined the three main goals of his proposed legislation on cybersecurity: encourage companies to share cybersecurity information with the government while protecting privacy, modernize law enforcement's tools to fight cybercrime via the RICO Act, and establish a national standard line of communication for companies to notify employees and customers of a breach.
"We are making sure our government integrates intelligence to combat cyberthreats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyberattacks, combat identity theft, and protect our children's information," Obama said in his speech. "If we don't act, we'll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe."
Providing better protection is a noble effort that members of both parties should get behind. Indisputably, change is needed in the public and corporate spheres. Businesses need to take responsibility for their customer data and must be held accountable when they fail to do so. Still, it's unclear whether the proposed legislation can possibly have its intended effect. Unfortunately, cybersecurity is a complex issue that the majority of government officials, law enforcement officers, businesses, and consumers just do not fully understand.
Crime and punishment
Part of Obama's proposed plan includes prosecuting anyone who sells botnets, spyware, and malware; updating the Racketeer Influenced and Corrupt Organizations (RICO) Act to include cybercrimes; and modernizing the Computer Fraud and Abuse Act to prosecute people who access information they shouldn't.
Miller Newton, the CEO of enterprise data encryption company PKWARE, says punishing cybercriminals is impractical. "Most cybercrime syndicates are not on U.S. soil, so law enforcement would have no jurisdiction," he says. How would the U.S. prosecute North Korean hackers? The Hermit Kingdom, slammed with sanctions long ago, hasn't been held accountable for its human rights abuses, so how will we hold it accountable for internet crime?
Another issue is the potential of draconian prosecution of those defined as "hackers," a term that can apply to all manner of people. Obama proposes to make cybercrime punishable by the RICO Act, which was used to bring down Cosa Nostra bosses and could come with decades-long sentences. Look at Aaron Swartz, the internet activist who committed suicide after the government pursued an aggressive case against him for accessing and sharing scholarly articles.
Obama's proposal to modernize the Computer Fraud and Abuse Act aims to ensure that "insignificant conduct does not fall within the scope of the statute," but a look at all the nonviolent drug offenders in our country's prison population doesn't inspire confidence that that will be the case. The updated CFAA's focus would be reserved for the big fish, Obama says, and used to "prosecute insiders who abuse their ability to access information to use it for their own purposes." This kind of language is far too vague to translate into an effective law. "Access information" could make clicking a link to all types of data a crime, or it could even be used to jail that Uber executive who tracked a journalist's ride routes. (Hmm, on second thought....)
Protect the data, not the network
Again, the fact that Obama is taking cybersecurity seriously is a good thing. Newton says our critical infrastructure is vulnerable to attack--the power grid and public water and sewage systems could be hacked, resulting in rolling blackouts, floods, and sewage overflows. But instead of making more laws and spending more money on securing an inherently insecure system like the internet, he thinks we should be focusing on protecting data and information, and sharing information about who is attacking whom. Super-critical infrastructure should be moved to separate networks, or taken offline.
"A bulk of our defense has been used to shore up the internet's perimeter. You have to protect our data and information at its core. The thieves and criminals are already in the network, and we'll never get 100 percent of them out," Newton says. "We need to armor data, neutralize it, and make it utterly useless in the hands of the criminal."
Obama's point on private and public sector reporting is a better direction for reducing crime online. Although private companies will run for the hills--anyone remember the NSA putting backdoors into U.S. software?--sharing information on threats could help.
To illustrate, Joel Brenner, former senior counsel at the National Security Agency, writes in Politico about how public-private communication could help take down the biggest criminals online: botnets, computers connected and controlled by cybercriminals that spread spam, malware, and viruses. As Brenner points out, internet service providers watch as botnets form and cause havoc. The ISPs could dismantle the botnets, "but taking them down might disrupt subscribers' communications, and service providers don't want a customer revolt. That's why they don't tell you when you're infected. That's why they don't help you refuse emails from computers they know are infected and that could infect your machine," he writes. While ISPs do cooperate with the Justice Department during targeted counterattacks of the "most dangerous botnets," a diverse economy of cybercrime "is allowed to flourish."
To change this scenario, America's addiction to instant gratification would need to take a backseat to justice and security. Are companies and their customers ready for internet blackouts in the name of crime control? If so, Congressman Michael McCaul (R-Texas), the Chairman of the House Committee on Homeland Security, which oversees cybersecurity issues, says the government is prepared to create laws that will help businesses combat cyberthreats effectively.
"My committee is currently working on cybersecurity legislation to remove any unnecessary legal barriers for the private sector to share cyberthreat information," McCaul tells Inc. in an email. He says he's "looking forward" to reviewing Obama's proposal and working "to address this growing threat to our economy and national security."
That sounds, in some ways, like a reassuring development. Now we just need to make sure another Patriot Act doesn't go into effect under the guise of protecting "children's information" from a new boogeyman--the hacker.