DHS Should Get Cybersecurity Oversight, Due to FCC ‘Regulatory Collapse,’ Clarke Says
The FCC is an “example of regulatory collapse” on cybersecurity, said author and former White House security advisor Richard Clarke on a cybersecurity panel Wednesday at Georgetown University. He, former CIA Director Michael Hayden and author Jeffrey Carr agreed that cybersecurity shortcomings are more a result of policy shortcomings than of technology.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
The commission has been “reluctant to regulate in the cybersecurity space,” Clarke told the event sponsored by the Georgetown Institute of Law, Science and Global Security and by CyberSecurity Seminars. “The FCC over the years has abandoned the field of security to someone else.” FCC Chairman Julius Genachowski may not even be able to get enough votes for net neutrality, let alone cybersecurity, which isn’t even in the National Broadband Plan, Clarke said. As a result, cybersecurity legislation next session should “look at beefing up” the authority of the Department of Homeland Security to regulate in cybersecurity and other areas where agencies have abandoned their roles, Clarke said.
There are “a lot of capabilities” in cybersecurity and cyberwarfare, but the U.S. so far has been unable to deploy them due to lack of set policies and guidelines on what to do, Hayden said: “We have incredible technical solutions.” Policies haven’t been developed yet because they're very complex, and because the “people making the decisions probably can’t program their VCR,” he said. The biggest problem is that whatever the U.S. does in cyberspace will probably “legitimize the action for the whole planet,” and the U.S. has to work out the worldwide implications before it takes any such action, Hayden said.
The U.S. itself apparently hasn’t acted in the WikiLeaks case, but hackers attacked Mastercard and others for their role in freezing WikiLeaks founder Julian Assange’s bank account, Hayden said. “So, the people who belatedly did the right thing” in slowing WikiLeaks “are being subject to cyberattacks,” he said. “So it’s game on.” He predicted that WikiLeaks may be the incident that “illustrates the problem and gets us started dealing with the big issues."
Clarke, however, said WikiLeaks is primarily the military’s own fault for failing to protect its networks. He said he was “appalled” that the military isn’t using network protection software that “has already been available for a decade” to issue an alert when someone is downloading an unusual amount or type of material. The soldier who allegedly stole it will go to jail, but the network administrators who didn’t protect the network probably won’t be prosecuted for “criminal negligence,” he said.
Meanwhile, key cybersecurity issues remain undecided, including “what constitutes free speech” that’s protected by the constitution, Hayden said. Other issues include what constitutes national sovereignty in cyberspace, what constitutes freedom of movement, and a generally agreed definition of privacy, he said.
Much of the U.S. cybersecurity problem originates from ISPs who don’t care about what they carry, Carr said. He said the U.S. is “home to more bad ISPs than anywhere in the world,” and the “preferred location for [cyber] criminals worldwide,” meaning such ISPs provide a platform for attacks on the U.S. from within U.S. borders. ISPs don’t even verify Whois data identifying who owns a website, Carr said. ICANN requires such verification, but has no ability to enforce the rule, he said.
But the government should not be monitoring content transmitted on the Internet, Clarke said. He said that should be the role of the ISPs, and legislation might trade off immunity from lawsuits claiming an ISP improperly blocked content, in return for a responsibility for ISPs to actively stop bad activities.
The ITU or ICANN are not the best agencies to move cybersecurity ahead, Clarke said: “With all due respect to ICANN, it is not a place that can do anything very effectively in this area.” He said the same is true of the ITU, for much the same reason: “If you throw it open to every nation, you guarantee nothing will happen.” Citing international action to shut down money laundering some years ago, Clarke said it would be “useful” for five to 12 “like-minded nations” to get together to pressure the world community to crack down on bad activities in cyberspace.
The “long-term solution,” Hayden said, is not to keep patching the current Internet, but to create a new network where “things we value” are transmitted and protect it, and “let those who like transparency enjoy their little Internet,” Clarke said. Hayden also suggested a “Smokey Bear"-type campaign to begin educating the public that total transparency on the Internet isn’t always a good thing. The current Internet should be labeled “hazardous to health,” he said, and people need to learn the value of trading some privacy for security: “A lot of the answer is attitudinal, not technological.”