Wednesday, March 20, 2013

The Mess that is U.S. Cybersecurity Policy...

After spending the better part of the past two months conducting research on cybersecurity, I am dumbstruck at the headlines that continue to come out on a daily basis.

Let's create a little context.  Just in the past few months, the world has been made aware that large American businesses like Google, Microsoft, and the New York Times have been the victims of massive cyberattacks originating in China.  This follows on the heels of news that U.S. governmental institutions like the Defense Department have been similarly and continuously attacked as well.  Then a report comes out, confirming what U.S. intelligence officials secretly were aware of for years, that an overwhelming number of such cyberattacks can be tracked down to a single building on a single street in Shanghai - which just so happens to be the headquarters of the Chinese government's military cyberunit, named Unit 61398.

So there is pretty damning evidence that the Chinese government - not a random group of hackers, but the military itself - is actively engaged in cyberwarfare against American businesses and American governmental institutions.  In response, what have we seen the discussion in the U.S. focus on?  How about criticism of American companies being "disturbingly silent" about when they are victims of a cyberattack, and debates over whether companies should tell the public when they get attacked.  It seems that some people consider the solution to cyberwarfare to be, simply, better information-sharing.

Granted, the Obama Administration has tried to present itself as taking a harder line on the issue.  The President recently went so far as to issue an Executive Order; however, it, too, merely encourages the voluntary sharing of information with the private sector.  Also, officials have said they plan to tell China's new president, Xi Jinping, this week that "the volume and sophistication of Chinese cyberattacks have become so intense that they threaten the relationship between Washington and Beijing".  Their solution?  To get China to agree to "acceptable norms of behavior in cyberspace".

In the meantime, the cyberattacks against U.S. targets continue.  Oh yeah, and the proposed Cybersecurity Act of 2012 has just died in the Senate due to partisan bickering and the filibuster.

Let's be constructive, shall we? 

First, let us recognize plainly that the ideas of better information-sharing and general coordination between the public and private sectors, and within the private sector, are definitely worthy ideas and ought to be pursued.  However, there's nothing new about them.  They've been part of the policy discourse at least since the Bush Administration's National Strategy to Secure Cyberspace was developed just after the 9/11 attacks.  So it's time officials stopped banging that drum as a smokescreen for their lack of new ideas.

Second, the challenges of cybersecurity reside on two fronts:  prevention and response.  Better information-sharing really only targets the response side of the equation, seeking to mitigate the effects of a cyberattack after it has occurred.  Such ideas do nothing in terms of prevention.

What steps can be taken to actually try to prevent cyberattacks?  There are two main ideas circulating out there...

The first is deterrence in the form of the U.S. engaging in offensive cyberwarfare of its own.  As General Keith Alexander, who runs both the National Security Agency and the military's Cyber Command, has said, foreign governments need to fear that the U.S. would carry out offensive cyberattacks if America were hit with a major attack.  This far more proactive (or aggressive) policy would require an established set of criteria for when an offensive cyberattack was warranted, as well as specific rules of engagement.  These determinations would be no easy feat in the context of cyberspace.

The second is enabling the government to mandate that the private sector deploy certain cybersecurity measures on its own networks.  Thus far, the design of national cybersecurity policy has focused almost exclusively on voluntary public-private partnerships.  But at what point do government mandates start to make sense?  Anytime there is discussion of not just government regulations, but government mandates, it becomes highly politicized - and rightfully so.

It's not too hard to imagine why both of these solutions fail to gain much traction.  In purely political terms, no one wants to come across as either too militaristic or too authoritarian.  But in the face of an ongoing cyberwar with China, doesn't something need to change at a fundamental level besides simply improving information-sharing and getting China to sign an agreement on "acceptable norms of behavior"?

Where is the American strategy for actually preventing cyberattacks?


Monday, March 11, 2013

Amazon's Domain Name Squatting Overreach...

Who should own specific top-level domain names?  We're all familiar with .com, .net, and .edu, and maybe a few country codes like .uk as well, all of which are administered by the independent institution known as ICANN.  But with decisions looming over the fate of several new top-level domain names (gTLDs), to what extent will the most well-capitalized private corporations be able to dominate the future of the Internet's domain name system?

For some context, consider this Wall Street Journal article reporting on how Amazon has recently submitted applications to ICANN to acquire new gTLDs including ".book", ".author", and ".read".  They're also trying to buy the rights to non-book-related suffixes like ".movie", ".wow", and ".app". 

Not everyone is thrilled with this prospect, as you might imagine.  Last week, the Authors Guild and the Association of American Publishers raised their objections, and tech companies including Google, Microsoft, and Apple are objecting to Amazon's request for ".app", to name only one example, although all of these companies are vying for their own share of gTLDs as well.

Here's the debate.  Those who object to Amazon's squatting of gTLDs argue that granting ownership rights of such generic domains to single private entities is anti-competitive.  They argue that doing so would create a monopolistic environment with great potential for abuse, especially considering Amazon has already gone on record stating that they have no plans to resell any domain names using those suffixes to outside parties.

Meanwhile, Amazon (and other firms who are submitting similar requests) defend themselves by arguing that obtaining these domain names would "protect the integrity of their brand and reputation".  They point to the same system that's been used for years for administering conventional domain names.  Amazon's senior counsel is quoted as saying, "Why should a company be able to own '' and not '.widget'?  There is no evidence that past 'closed' domains have led to any market power".

So where do you stand?  Regardless of which argument resonates more with you personally, what this case really highlights is ICANN's flawed model for both distributing domain names and also for resolving disputes.

As The Nerfherder has complained about before, ICANN undermines its own mandate by distributing domain names, not based on principles of fairness, but solely on a "first-come-first-served" basis.  Yes, this principle might be conceived as a fair one, however, when you look at the real-life consequences of this policy - namely, the hostage-taking of domain name rights by squatters who have no intention whatsoever to even use them - then it's hard to argue that ICANN's system isn't badly in need of reform.

How ICANN resolves disputes over domain names, as is the case here with Amazon, is also problematic.  Its decision over who gets the rights to ".app", for example, will have multi-million dollar implications, and the process by which ICANN will determine the winners and losers isn't nearly transparent enough.  Who knows how many free dinners or vacation junkets or back-room deals are influencing the decision-making process?  Maybe none; but that's the point - we'll never know.  Shedding more sunlight on the process would mitigate conspiratorial fears of corruption.

Ultimately, the narrow question over Amazon's request for very generic domain names is an economic one.  Both sides in the debate make legitimate arguments, so what's really at issue is how best to allocate resources to ensure both an innovative and competitive marketplace.  However, the more general question, as it relates to ICANN, is a normative question about values.  What type of Internet do we want to create, and what political values do we want to guide decision-making? 

That is the lens through which everyone should be interpreting these headlines.