APRIL 24, 2013, AT 8:28 AM
The debate over the Cyber Intelligence Sharing and Protection Act is largely a debate about how Congress will allocate authorities and powers to fight against Chinese cyber-espionage, which siphons off from the U.S. economy as much as $100 billion a year in intellectual property and proprietary information.
CISPA is controversial because it vaguely defines what a "cyber threat" actually is, immunizes U.S. companies who share personal information with the government, lacks oversight mechanisms to prevent abuse by the government, and militarizes what is, in essence, a law enforcement function — an FBI and Department of Homeland Security function.
CISPA is controversial because it vaguely defines what a "cyber threat" actually is, immunizes U.S. companies who share personal information with the government, lacks oversight mechanisms to prevent abuse by the government, and militarizes what is, in essence, a law enforcement function — an FBI and Department of Homeland Security function.
That latter objection is based on the Obama administration's intention to fight Chinese crime using a variety of different mechanisms. Importantly, it wants to determine how to fight— it does not want Congress to tell them how and when cyber information must be shared between private companies, the FBI, the CIA or the National Security Agency.
Still, the White House has not explicitly said that President Obama won't allow some version of CIPSA to reach his desk. It has said that personal privacy is not well-protected by CIPSA, but traditionally, the executive branch has used this excuse as a fig-leaf to cover their opposition for other reasons.
Still, the White House has not explicitly said that President Obama won't allow some version of CIPSA to reach his desk. It has said that personal privacy is not well-protected by CIPSA, but traditionally, the executive branch has used this excuse as a fig-leaf to cover their opposition for other reasons.
So what can the U.S. do to reduce the cyber threat from China?
1. It can build an electronic wall around the country, forcing all Internet traffic to be
subject to deep packet inspection; and then, to compare those packets against known
signatures from China; segregate them; eradicate the malware from them, and then
let them through.
As I've written before, this is something the National Security Agency believes it CAN do but something that virtually every stakeholder except those inside the government believe would be an awfully hard sell to the American people.
subject to deep packet inspection; and then, to compare those packets against known
signatures from China; segregate them; eradicate the malware from them, and then
let them through.
As I've written before, this is something the National Security Agency believes it CAN do but something that virtually every stakeholder except those inside the government believe would be an awfully hard sell to the American people.
2. It can require, or encourage, major technology companies that serve as
Internet gateways for most Americans to boost their own cyber defenses,
and then share, with immunity, suspected cyber threats with the government in
real-time, allowing the NSA to swoop in and solve the problem. This is, incidentally,
the CISPA approach.
Internet gateways for most Americans to boost their own cyber defenses,
and then share, with immunity, suspected cyber threats with the government in
real-time, allowing the NSA to swoop in and solve the problem. This is, incidentally,
the CISPA approach.
3. It can secretly share with the big Internet companies the cyber techniques
and tactics used by Chinese corporations and the military, giving U.S. companies a
chance to develop cyber counter-measures. It can work in secret with companies to lure
hackers from China into systems, and then manipulate those hackers into divulging
attack patterns, which can be reverse-engineered to fortify defenses. Publicly, it can
enforce its own laws against hacking and set an example for the world to follow.
and tactics used by Chinese corporations and the military, giving U.S. companies a
chance to develop cyber counter-measures. It can work in secret with companies to lure
hackers from China into systems, and then manipulate those hackers into divulging
attack patterns, which can be reverse-engineered to fortify defenses. Publicly, it can
enforce its own laws against hacking and set an example for the world to follow.
4. It can fight back, engaging in tit-for-tat brinksmanship, hoping to convince
the Chinese to back off by demonstrating the capacity of U.S. computer network
operations. Though there is a body of secret law authorizing offensive cyber exploitation
against China, the Obama administration doesn't want to engage in "war," as
commonly understood. Less kinetic means include sanctions, property seizures and
military deception/information operations campaigns.
the Chinese to back off by demonstrating the capacity of U.S. computer network
operations. Though there is a body of secret law authorizing offensive cyber exploitation
against China, the Obama administration doesn't want to engage in "war," as
commonly understood. Less kinetic means include sanctions, property seizures and
military deception/information operations campaigns.
5. It can provide significant incentives for individuals and corporations to
protect themselves, allowing free market mechanisms to determine the structure and
rules of economy-wide computer network defense. For this approach to be effective,
there has to be a broad understanding of what the threat is, what can and can't be done
about it, and informal "rules" to shame/encourage those who don't and do participate.
It can also work with companies that do major business with China to influence Chinese
policies; it can propose a global treaty that would set clear guidelines and an enforcement
mechanism. It can, can, can, but there are so many ifs, ands and buts to deal with it that
they — we — probably won't, not for awhile anyway.
protect themselves, allowing free market mechanisms to determine the structure and
rules of economy-wide computer network defense. For this approach to be effective,
there has to be a broad understanding of what the threat is, what can and can't be done
about it, and informal "rules" to shame/encourage those who don't and do participate.
It can also work with companies that do major business with China to influence Chinese
policies; it can propose a global treaty that would set clear guidelines and an enforcement
mechanism. It can, can, can, but there are so many ifs, ands and buts to deal with it that
they — we — probably won't, not for awhile anyway.
Some combination of all of these approaches is going to be the de facto law of the land,
even though the community of smart people who debate cyber security still haven't
agreed on a set of basic propositions, like whether it is possible to determine
precisely where an attack emanated and what its motive actually was and who can be blamed for it.
even though the community of smart people who debate cyber security still haven't
agreed on a set of basic propositions, like whether it is possible to determine
precisely where an attack emanated and what its motive actually was and who can be blamed for it.
But the U.S. is not powerless. And that's the point.
No comments:
Post a Comment
Comments always welcome!