Cybersecurity Legislation and Common Sense – Still Waiting for the Two to Meet

During the past two weeks, we’ve been highlighting cybersecurity and the dangers that various legislative proposals pose to our civil liberties. One major concern is the prospect of private companies sharing vast amounts of our personal information with the military and other government agencies, without a warrant or any court oversight. Much of the cybersecurity debate has been distorted by the conflation of scary stories of possible terrorist cyberattacks (scenarios that frequently fall apart when confronted by the facts) with troubling, but much lower-grade incidents of credit card and other theft. The result is a pervasive crisis atmosphere, which is then used to justify sweeping aside civil liberties in the name of security.

But there’s something you don’t often hear during cybersecurity debates: that according to the CIA and Secret Service, if we took common sense, basic security steps, nearly all cybersecurity attacks would be thwarted – without invading our privacy.

Imagine there has been a rash of break-ins in a neighborhood. As a policy maker, what would be the most sensible first step: to make sure everyone is locking their doors and windows, or to invite the military to set up shop in the community’s living rooms? The latter defies common sense, yet it‘s the functional equivalent of many current cybersecurity proposals, including the Cyber Intelligence Sharing and Protection Act (CISPA) recently passed by the House. While there are certainly sophisticated, highly-advanced computer threats out there, the vast majority of cyberattacks take advantage of failures to carry out basic cybersecurity tasks such as updating software or changing passwords – the Internet equivalent of unlocked doors. Among the simple, effective computer hygiene measures that every individual and business should be taking: installing and updating anti-virus software and firewalls, patching and replacing software, regularly replacing passwords, and carefully examining emails and attachments before opening them.

If individuals and organizations were more careful about following these basics of good security, most cybersecurity problems would be avoided, and arguments for the government playing a more invasive role would lose force. According to a comprehensive forensic analysis by the U.S. Secret Service, Verizon, and the Dutch National High Tech Crime Unit, 96 percent of otherwise successful cyberattacks could have been avoided simply by using existing best practices and good cyber hygiene. Even the CIA’s Chief of Information Assurance has said that up to 90 percent of cybersecurity problems could be countered using due diligence. Yet, only 58 percent of North American corporations have a cybersecurity plan in place, and only 31 percent plan to increase spending on security.

When it comes to companies that run critical infrastructure facilities — like power plants, dams, and water treatment facilities — fundamental steps could profoundly alter the cybersecurity equation. Some critical infrastructure operators have connected their systems to the Internet for the sake of convenience or cost savings. But those connections unnecessarily expose systems to malicious hackers. They should not be allowed. We had dams and power plants before the Internet, and such facilities can be operated without connecting to public networks. Insulating them from the Internet would raise the bar dramatically for hackers, expose potential infiltrators to detection – and prevent the emergence of genuine horror stories justifying new government incursions into the Internet.

Rather than seeking more access to Americans’ private information in the name of cybersecurity, the government should be doing all it can to encourage private entities and government agencies to address security fundamentals. It simply does not make sense to undermine our freedoms in the pursuit of complex, expensive, and intrusive security policies when the most basic measures are not being implemented properly.