WASHINGTON –– It’s serious and it’s here. It might be your stolen identity, it might be imposter status updates from your Facebook account, or it might be the shutdown of the electrical grid you rely on. But cyberattacks are a fact of life, a panel of experts noted, while cybersecurity is relatively uncharted legal territory, with less-than-optimal levels of acknowledgement and action by the government and industry.
“It’s one of those problems that if you do not deal with, it will deal with you,” said Harvey Rishikof, director of cybersecurity and the law at Drexel University’s iSchool.
The panelists at the Nov. 15 cybersecurity debate at the National Press Club, sponsored by the Medill National Security Journalism Initiative and the American Bar Association Standing Committee on Law and National Security, were hesitant to give concrete statements about the size and nature of the cybersecurity threat, partially because much of the threat is cloaked in secrecy.
Panelist Stewart Baker, former assistant secretary for policy for the Department of Homeland Security and former general counsel for the National Security Agency, said the threat of cybersecurity is real, but that doesn’t mean a “cyber Pearl Harbor” is imminent. Somebody would have to want to wage that war, and most of those who have that capability may not have the desire, Baker said — at least right now.
Most disagreement among the experts revolved around how to approach the problem. Jody Westby, CEO and founder of the cybersecurity consulting firm Global Cyber Risk, LLC, advocated for better mechanisms to combat cybercrime as a means of dealing with the larger problem of cybersecurity.
A cyber criminal could be “the kid down the street, the insider, a terrorist, a criminal ring, or it could be a nation state,” Westby said, describing what she sees as blurred boundaries in the cybercrime arena.
She expressed relief that the proposed Cybersecurity Act of 2012 did not pass, arguing that setting standards for specific aspects of cyber structure and activity would not be effective. She would prefer policies that empower law enforcement to better investigate and prosecute cybercrime.
Attorney Joel Brenner, former inspector general of the NSA, advocated for a more top-down approach. “I don’t think we’re going to deal with the crime issue satisfactorily without some re-engineering of the way the Internet works,” Brenner said.
All the experts acknowledged that an increasingly globalized economy and the decentralized, private nature of the Internet make it difficult to contain the problem. Brenner stressed that relying on that public community to voluntarily deal with cybersecurity would be a mistake.
“Whenever security butts heads with convenience, convenience wins, hands down,” he said. “You can’t expect anyone to understand how this stuff works.”