Tuesday, August 09, 2011

Frustration with the Commerce Department's Cybersecurity Green Paper...

Cybersecurity remains one of the most important national issues that the public has no interest in whatsoever. Despite academics and industry professionals pleading their ever-growing concerns, and despite media outlets like CNN devoting entire hour-long specials to the issue, the public remains extremely apathetic.

Until recently, cybersecurity policy was handled by two main players: the Department of Defense, which focuses on cyberwarfare and military operations, and the Department of Homeland Security, which focuses on protecting the "critical infrastructure" of the Internet that would be vital during emergencies; for example, the banking and telecommunications sectors.

The Commerce Department is now weighing in as well. They have released a Green Paper titled "Cybersecurity, Innovation and the Internet Economy". Its focus is on the "Non-Critical Infrastructure" sector - which it will now call the "Internet and Information Innovation Sector" - which basically refers to private ISPs, website operators, and software and service providers.

So what's the big deal? Is this just yet another bureaucratic classification that adds more complexity to an already highly complex issue?

Because the paper emanates from the Commerce Department, its assumptions are quite clear. First, it claims to be guided by the fundamental principle of trust. Trust is vitally necessary in order for consumers to participate actively in the cyber-economy, thus it shouldn't be surprising to see it listed as the first priority in a Commerce Department security wishlist.

The second principle is "a commitment to multi-stakeholder policymaking as a tool for adapting to the dynamically changing nature of the Internet". This is extremely similar to the approach used by the Homeland Security Department and is of great interest to policy geeks. But another way of phrasing it is that the government openly admits it can't do much to protect the Internet's decentralized private assets, so it will rely on the many businesses involved to design and adopt completely voluntary measures. In other words, "multi-stakeholder" means that the government isn't going to take care of it.

What else? The paper's actual recommendations for enhancing cybersecurity include four objectives: 1) Enhancing Internet privacy, 2) Improving cybersecurity, 3) Protecting intellectual property, and 4) Ensuring the global free flow of information. Certainly, these are all worthy goals. However, again it shouldn't be surprising that the Commerce Department is conflating the interests of the business community with national security interests. One just has to wonder, though, how preventing a teenager from downloading a Beatles album off BitTorrent somehow protects the nation from a cyberterrorist attack.

I don't mean to come across as overly harsh or critical. An official paper calling for cybersecurity policy to be extended into the "non-critical" sectors of cyberspace is actually long overdue, and the Commerce Department should be commended for taking the initiative and recognizing that, in the face of a massive cyberattack, there are indeed many things worthy of protecting besides just the websites of Verizon and Bank of America.

The frustration among professionals is just that the Commerce Department's approach, which is exactly the same as Homeland Security's approach, relies completely on voluntary opt-in measures being adopted by literally millions of private Internet companies - and there's not a person alive who believes that's ever going to happen. Meanwhile, the average individual, whose information is what's most vulnerable to a cyberattack, is completely helpless in the absence of any regulation.

The Green Paper states...

Our approach recognizes a key role for government in convening stakeholders and leading the way to policy solutions that protect the public interest as well as private profits, but pure government prescription is a prescription for failure.

As a general principle, I actually agree. But since when did we stop seeking government solutions to issues of national security?


