Cyber lessons from civil defense

If you grew up during the Cold War, as we both did, you probably remember all sorts of ways that we prepared for the possibility of a nuclear attack. Bert the Turtle showed us how to “duck and cover,” and we practiced hiding under our desks at school.

Today, most people would find such preparations archaic, if not darkly comic. A generation has grown up far from the shadow of the Cold War, and no obvious international threat has taken the place of missiles or long-range bombers on hair-trigger alert. Even terrorism in the aftermath of the September 11 attacks has failed to create the kind of Cold War menace that then touched every school child and every home.

While thankfully the potential levels of human suffering and destruction pale in comparison to nuclear Armageddon, the nearly unlimited scope of national vulnerability is real, and the outcomes could still be devastating. Concerns about an “electronic Pearl Harbor” have been increasing since the late 1990s - and that vulnerability will only grow as the Internet of Things (“IoT”) rapidly extends cyber connections into most elements of our daily lives.

The central nervous system of the nation is now at catastrophic risk. Massive attacks against critical networks - such as those that govern the financial system, the air traffic control system, and power grids - would disrupt the ability of society to function, and the country would grind to a halt. Even more importantly, such attacks would dramatically reduce the confidence that people currently have in the entire system of trade, transport, recordkeeping, and governance.

Yet despite this tremendous vulnerability, few businesses, state and local governments, or individual citizens are even aware of - much less preparing for - this threat. In Silicon Valley, we heard one refrain often: “There are two kinds of people in the world: those who have been hacked, and those who don’t know they have been hacked.” And while being hacked can take many forms, from simply probing home desktop computers, to stealing a bank’s financial data, to leaving dormant malware behind in government networks, these daily intrusions are already far more pervasive than most people realize.

The possibility that destructive malware has been left behind, hidden in a company’s servers by an adversarial hacker group, clearly provokes a much less animated reaction from government and the public than did Cold War satellite photos of Soviet ICBMs on launch pads. Today’s threat often has no face, exhibits no menacing weaponry, and frequently remains opaque. As a result, most people do very little to protect and defend their own networks, which are being penetrated on a near-daily basis, and few elected officials understand their role in crafting effective legal and policy responses.

Fixing this massive problem will require a new form of civil defense for the 21st century, with active engagement from citizens, the private sector, and government officials at all levels. Yet the government has a unique and critical role to play - not because it can (or should) dictate solutions, but because it can draw attention to this important problem and adopt laws, policies, and incentives that encourage better protection against cyber threats.

We offer five important steps the government can take now to begin addressing this crucial national vulnerability and set the foundation for cyber civil defense.

1. Educate the public and national leadership.

The government must lead a concerted effort to publicize today’s serious threats to the nation’s cyber networks. The populace has been successfully mobilized in the past to respond to public safety concerns ranging from preventing forest fires to drunk driving. But today’s pervasive lack of awareness of the growing risks to computer networks undercuts any serious effort to mobilize the appropriate national response.

2. Establish clear roles and responsibilities for network protection.

A fundamental question in dealing with this immense challenge is that of responsibility. Where should government - at the state or local level - assume the responsibility to protect? What role do business and the private sector have? And where do individuals fall on the spectrum? The government is the only actor that can initiate a broad national conversation about these crucial questions and then establish clear roles and responsibilities. It should also reexamine the National Response Framework, which establishes roles and responsibilities for disaster and emergency responses, to determine whether and how it should be adapted for responding to cyber attacks.

3. Develop a comprehensive picture of the scale and scope of the cyber threat.

It is both surprising and alarming that no such picture exists today. The responsible security agency should lead an interagency effort to fully map the extent of the ongoing threat and better capture the full range of government, business, and individual targets that are under attack daily. Doing so, however, will require much better reporting, from both the public and private sectors, about suspected and confirmed compromises of their networks. One cyber security firm told us that two-thirds of its clients learn that their computer systems have been compromised by reading about the breach in the media. This is an unacceptable level of vigilance.

In order to fully understand current and evolving cyber threats, the government must do more to incentivize businesses to improve their vigilance and to report suspected compromises promptly. Greater two-way information sharing might be one incentive, since companies that report attacks often complain that they never receive any information in return. Other possible forms of incentives are discussed below. But simply asking companies to report this critical and sensitive information to the government as soon as an attack happens, without any incentive to do so - too often today’s model - will only guarantee both sustained ignorance of the danger and increased long-term vulnerability.

4. Build a legal framework to criminalize cyber intrusion and attacks.

Most of today’s laws are woefully out of date in a world where cyber criminals can steal identities, personal information, and millions of euros without ever leaving their home or a foreign cyber café. Crimes that would be severely punished if committed in person, such as robbing a bank, may carry little or no punishment if committed online - even if the perpetrator can be found and the legal jurisdiction issues are clear (which they often are not). This not only encourages criminals to shift their activities online, but it may actually increase overall crime rates, as people who would never pick up a gun and walk into a bank to rob it may be willing to hack into the bank’s financial systems and steal money from the comfort of their living room. One lawyer told us that prosecutors often need to rely on creative legal theories in order to prosecute cyber crimes because these crimes often are not covered by existing statutes. Activities such as “breaking and entering” networks that fall short of outright theft or wiping of data must be examined to determine whether they cross the threshold of criminal behavior, and if so, new laws should be enacted where appropriate.

5. Provide stronger incentives and certifications for cyber security.

The government should not dictate specific cyber security standards for businesses and individuals to follow, because the threat adapts far too rapidly for the government ever to respond effectively. However, it can and should encourage better cyber security through various incentives and certifications. For example, organizations like Underwriters Laboratories have long provided safety testing and certification standards for a wide range of commercial products. The government could similarly establish a federal certification for computer software that meets certain safety standards, and then recommend that consumers only purchase software or use services that have earned that certification. It might also consider tax breaks for companies that use certified software.

The government can also use incentives and certifications to remove barriers that prevent companies from improving cyber security, such as the threat of liability and the lack of insurance. After the September 11 attacks, for example, the 2002 SAFETY Act was passed, which encouraged private companies to develop anti-terrorism technologies by providing a certification that shields them from liability. In late April, that certification was awarded to a cyber security company for the first time, and more are sure to follow. In essence, this creates a form of free cyber insurance.

Today’s cyber threat holds the potential to be the most dangerous and disruptive threat faced by the nation since the end of the Cold War. The nuclear balance of terror has thankfully receded, but the hidden threat of massive disruption to a nation now almost wholly dependent on cyber networks is real. The government needs to raise the national consciousness of this little recognized and poorly understood risk, and start adopting the laws and policies needed to avoid the worst effects of a significant cyber disruption.