William Jackson | When the price for protection is too high
Cybereye | Commentary: Security can be a good thing, but it comes at a price that must be considered
Word is getting around about what appears to be another foray by the government into domestic intelligence gathering. According to news reports, the National Security Agency is making plans to take the lead in a federal initiative to monitor and protect the control and communications networks that serve the nation's critical infrastructure.
Security can be a good thing, but it comes at a price that must be considered. In this case, we need to ask: Is the government equipped to do the best job of protecting these networks, and do we want to entrust this job to them? The answer to both questions is no.
Supervisory control and data acquisition systems (SCADA), which form the nexus of information technology and physical infrastructure, have been recognized for several years as a critical chink in the armor of our cyberdefenses as they become increasingly connected to the Internet. In 2004, the Homeland Security Department told a House committee that the department had identified 1,700 facilities across the country that pose a risk to the nation's critical infrastructure, but the department lacked the authority to mandate that companies and state and local governments correct vulnerabilities. The same year, the Government Accountability Office recommended that DHS 'develop and implement a strategy for coordinating with the private sector and other governmental agencies to improve control system security.'
Scott Borg, director and chief economist at the Cyber Consequences Unit, an independent research institute, said SCADA networks in critical infrastructures are prime targets for would-be cyberterrorists.
'Cyberattacks on those industries have the greatest potential to cause our country huge losses of life and value,' Borg said. 'Critical infrastructure industries are also the most likely targets for serious cyberattackers.'
Under the plan that NSA and DHS reportedly are developing, government would take the lead in monitoring networks to detect threats. The plan conceivably gives agencies carte blanche for the kind of network access that historically has required a warrant. They would argue the access is necessary to identify and respond to threats. But putting private-sector communications into the hands of government overseers is a breach of privacy. Regardless of how they use the information, privacy has been breached as soon as they have access to it.
And such access is neither necessary nor effective, some experts say. 'To be effective, any efforts to protect the critical infrastructure industries need to be led by cybersecurity experts who know something about these industries, not just people whose chief experience is with the government and military,' Borg said. Resources could be better spent improving the security of systems we are trying to protect, he said. 'We should be designing robust, self-restoring systems that an intruder can't easily harm or hijack.'
The government has a legitimate interest and a valid role to play in protecting the nation's critical infrastructure. But except in the government's own networks, that role is not active surveillance or control. Rather, it is a regulatory role, in which it sets standards for the private sector, enforces compliance, funds research and development into security technology, and helps make that technology available where needed.
Allowing unfettered government access to the contents of the nation's communications networks is too high a price to pay for a sense of security that could, in the end, prove false.