William Jackson | When the price for protection is too high

Cybereye | Commentary: Security can be a good thing, but it comes at a price that must be considered

William Jackson

Word is getting around about what appears to be another foray by the government into domestic intelligence gathering. According to news reports, the National Security Agency is making plans to take the lead in a federal initiative to monitor and protect the control and communications networks that serve the nation's critical infrastructure.

Security can be a good thing, but it comes at a price that must be considered. In this case, we need to ask: Is the government equipped to do the best job of protecting these networks, and do we want to entrust this job to them? The answer to both questions is no.

Supervisory control and data acquisition systems (SCADA), which form the nexus of information technology and physical infrastructure, have been recognized for several years as a critical chink in the armor of our cyberdefenses as they become increasingly connected to the Internet. In 2004, the Homeland Security Department told a House committee that the department had identified 1,700 facilities across the country that pose a risk to the nation's critical infrastructure, but the department lacked the authority to mandate that companies and state and local governments correct vulnerabilities. The same year, the Government Accountability Office recommended that DHS 'develop and implement a strategy for coordinating with the private sector and other governmental agencies to improve control system security.'

Scott Borg, director and chief economist at the Cyber Consequences Unit, an independent research institute, said SCADA networks in critical infrastructures are prime targets for would-be cyberterrorists.

'Cyberattacks on those industries have the greatest potential to cause our country huge losses of life and value,' Borg said. 'Critical infrastructure industries are also the most likely targets for serious cyberattackers.'

Under the plan that NSA and DHS reportedly are developing, government would take the lead in monitoring networks to detect threats. The plan conceivably gives agencies carte blanche for the kind of network access that historically has required a warrant. They would argue the access is necessary to identify and respond to threats. But putting private-sector communications into the hands of government overseers is a breach of privacy. Regardless of how they use the information, privacy has been breached as soon as they have access to it.

And such access is neither necessary nor effective, some experts say. 'To be effective, any efforts to protect the critical infrastructure industries need to be led by cybersecurity experts who know something about these industries, not just people whose chief experience is with the government and military,' Borg said. Resources could be better spent improving the security of systems we are trying to protect, he said. 'We should be designing robust, self-restoring systems that an intruder can't easily harm or hijack.'

The government has a legitimate interest and a valid role to play in protecting the nation's critical infrastructure. But except in the government's own networks, that role is not active surveillance or control. Rather, it is a regulatory role, in which it sets standards for the private sector, enforces compliance, funds research and development into security technology, and helps make that technology available where needed.

Allowing unfettered government access to the contents of the nation's communications networks is too high a price to pay for a sense of security that could, in the end, prove false.

About the Author

William Jackson is a Maryland-based freelance writer.

Featured

  • business meeting (Monkey Business Images/Shutterstock.com)

    Civic tech volunteers help states with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

  • data analytics (Shutterstock.com)

    More visible data helps drive DOD decision-making

    CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

Stay Connected