SAN FRANCISCO — The Obama administration is reviewing the cyber security posture of the United States, a process that Europe is keeping a close eye on as the world's economic powers become increasingly concerned about threats to their vital electronic networks.
The review, which should be completed soon, coincides with the recent introduction of legislation by Democratic Sen. Jay Rockefeller of West Virginia and his Republican colleague Olympia Snowe of Maine. They want Congress to give the president power to shut down portions of the Internet during cyber attacks. The bill would also create a new White House office to improve the security of critical public and private networks.
This policy push comes amid revelations that Pentagon officials have spent $100 million in the last six months protecting military networks against cyber damage. The Wall Street Journal has reported that intruders, some possibly from China and Russia, have hacked into the U.S. electrical power control network and left behind potentially disruptive programs. Researchers at the University of Toronto recently reported finding evidence that Chinese sources had “infiltrated at least 1,295 computers in 103 countries, including many belonging to embassies, foreign ministries and other government offices.” The governments involved have dismissed or ignored such claims.
How the United States addresses its cyber security concerns will influence similar deliberations in Europe, where officials are still unnerved by events like the 2007 attacks that shut down the Estonian Internet, according to James Lewis with the Center for Strategic and International Studies.
“The British and French are rethinking how they do cyber security and watching us and, given who they are that means you've got the European Union paying attention,” he said.
Lewis was the principal author of a December 2008 white paper, “Securing Cyberspace for the 44th Presidency.” To prepare that report CSIS, a defense think tank that often presages official policy, brought together dozens of corporate and government security officials to discuss how to protect a global network where traditions of openness and anonymity give attackers the advantage.
“At the end of the day there's only three ways to secure the Internet, all of which are difficult and have civil liberties implications,” Lewis told GlobalPost. “You can re-architect the basic network, increase monitoring and surveillance and have more authentication of digital identities.”
Among the first steps the United States can take toward greater security is reconfiguring sensitive government networks and critical infrastructure, like the power grid, so they have fewer connections to the wider Internet, thereby reducing the number of back doors through which hackers might attack.
Civil libertarians support such measures but worry how other notions in the new security push might affect the World Wide Web. Gregory Nojeim, senior counsel with the Center for Democracy and Technology, said he is is wary of calls for expanded surveillance and any suggestion of the need for a digital identification system for the broader Internet. He puts the Web in a different category than the networks that control vital services. “When securing communications infrastructure a lighter touch is needed because it supports free speech,” he said.
Lewis said digital identity is one of the most divisive security notions. “An anonymous Internet can never be secured,”he said, suggesting that the United States might follow Europe in this regard. He said French cyber security officials are thinking about how to implement a digital identification system built upon a national identity card. “All of this is very difficult politically in the United States,” Lewis said.
To complete its cyber security review, Obama chose Melissa Hathaway, a holdover from the Bush administration, which launched its own national cyber security initiative in January 2008. That pleases Lewis, who wants Obama to move quickly. “I'm worried that they will decide this is such a huge problem that we ought to study it further,” Lewis said.
Nojeim, with the Center for Democracy and Technology, thinks an incremental approach makes sense when confronting issues so vast and complex. He said one way Obama can drive cyber security is by making it a requirement for federal purchases, creating a market that will drive upgrades into private and academic networks. “First government needs to get its own house in order before it tells private sector operators what to do,” Nojeim said.
All parties agree that cyber security concerns won't go away. “This is still early days,” said Lewis, who is encouraged that Obama and Congress have made the issue urgent and prominent.
More technology dispatches from GlobalPost: