For journalists covering cyberspace, the story well is full. Chinese cyber espionage. U.S. cyber attacks against Iran. Budget crunches. New cyber-warrior teams. A secret "executive order" on cyberspace. Senior officials complaining to Congress about cyber-authorities. Congress complaining that companies aren't doing enough. Companies begging for guidance and risk-sharing. At least there is debate and discussion. A lot is muddled and unclear, though. Here's a brief attempt to answer five common questions about what the heck is going on.
Q. How safe are we as a country? How safe is my data?
A. Collectively, we're kind of OK. As of now, the U.S. intelligence community assesses that China and Russia, the two state actors capable of perpetrating cyber-geddon, whatever that is, have no interest in doing so. Iran attacks sporadically, but the U.S. seems to have a handle on the scope of what it is doing. The government (.gov), the military (.mil) and the intelligence community (ic.gov) are better protected than they have ever been. The distributed nature of American critical infrastructure makes it harder to kneecap the country. Attempts to break into these networks top 2 billion a year, though, and they're getting more intense. Almost every major private entity that controls critical infrastructure has been hit by at least one major cyber attack. Some come from state actors looking to steal technology or to map our networks so they can exploit them should we ever go to war; others come from hackers who do it for giggles.
Individually, your data is not safe. About 100 million Americans are on the net. In 2009, 11 million fell victim to some sort of cyber shenanigan involving malicious code. Do the math. ISPs cannot prevent you from falling victim to a spear-phishing attack, in which someone lures you into clicking a link that gives them access to your computer or network. Companies that do internet protection for a living are regularly getting broken into. You should back up your data redundantly. Because the government can't and won't assume responsibility for protecting the entire infrastructure from attacks, you, the individual user, must do so yourself. You must assume that your data will be compromised unless you take extra precautions. This requires time, cognitive capacity, and vigilance. If you have a public persona and are associated with an industry of interest to an adversary, like national defense, technology, energy, or financial services, the chances that, at some point, some site you engage with regularly will be the target of an attack designed to exploit your information are high enough for you to take precautions.
Q. Why hasn't Congress done something?
A. Urgency. It's not there. We read about attacks, and we get attacked, but we don't see blood or people dying. Our brains still are not oriented to the idea of cyber-warfare. And frankly, there's something uncomfortable about applying the "war" label to a phenomenon as complex as cyber anyway. The 110th and 111th Congresses tried, but two other factors intervened. One was the financial crisis, which ground Congress to a halt. Two: the concerns of two huge stakeholders, the companies that own most of the infrastructure that's getting attacked and privacy activists. No one seems to want the government to set mandatory standards, and Congress is unwilling to do so. Businesses say that they want to set standards for themselves, to monitor the standards themselves, and to adjust as necessary. Corporate America is OK with the government setting a "posture," which is basically a generic series of promises, like "Keep this safe!," but insists that the market dictate which solution is best. Technology evolves, of course, and so the government must remain "technologically neutral," which would not be possible if it dictated a specific set of policies and penalties. Within the corporate sector, defense companies have different concerns than financial companies; everyone is concerned about shared vulnerability and distributed risk. These interests often clash intensely. And because cyber-protection is integrated with intelligence collection, or seems to be, the government hasn't figured out how to truly balance legitimate privacy expectations with technological realities and the scope of the threat.
Q. What's the military's involvement with this cyber thing?
A. It's up for debate. It used to be that, if you wanted to get something done, you described it in terms of its national security implications. Internally, the government has organized its cyberspace policies around the idea of defense rather than innovation, and so its attempts to communicate, generally and specifically, with the public and with the private sector are already compromised.
Q. What has the government done? What about the private sector?
A. The credit/debit/payment industry figured out earlier than most that policing itself effectively would ward off government intervention. And so now, companies get penalized when their systems get attacked or when their customers get defrauded. The industry itself conducts audits and sets standards; participants in the payment chain must comply with 12 fairly tough prophylactic measures. If an audit detects an anomaly, they lose certification and other businesses won't work with them. Since the industry is so interconnected, the incentives for cooperation are powerful.
The government will start to share information; Obama issued an executive order asking industries to set voluntary standards and then a classified presidential directive that clarifies the computer network exploitation/defense/attack posture for the government. The Department of Commerce is working with industry on creating trusted identity standards that will help individuals more efficiently manage their privacy and identity online. More than a billion dollars has been spent for basic research on cyber-defense; the government is trying to button up its response to cyber crises through regular exercises.
Q. What's the most radical thing that the government could do to prevent or mitigate stuff like this?
A. Well, Congress would have to change a few laws, but the president could direct the National Security Agency to set up black-box machines everywhere data enters the United States and then engage in active deep packet inspection for known cyber-attack signatures. Technologically, that's very difficult, because of how data gets here. Deep packet inspection means, for the sake of simplicity, looking inside the medical record that transits from its virtual data home in India to your doctor on Main Street for any sign of outside compromise in the code and, if one is found, flagging and screening it. Step one would involve installing powerful machines like these at tens of thousands of nodes, at central switching centers, fiber and broadband hubs, and satellite downlink stations, and building a hardened and redundant uber-network to link them to the Mothership at Ft. Meade, which would constantly update the signature sets with the latest intelligence and code, encrypt them, and send them back to the packet sensors. Thousands of compliance technicians would have to be hired to ensure that data is anonymized, but not to the extent that, if something bad is detected, the government couldn't reconstruct the corrupt code. This will not happen.
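To make concrete why "looking into the data for known attack signatures" is harder than it sounds, here is an added example (not from the original article, and not a description of any real NSA or ISP system). It is a toy signature matcher over constructed packets. The signatures, addresses and payloads are all made up for illustration, and the XOR routine is a stand-in for real encryption, used only to show that an inspector matching on bytes sees nothing once a flow is encrypted. The example also shows that a signature split across two packets is missed unless the inspector first reassembles the stream, which is part of what makes inspecting at scale expensive.

```python
"""Toy signature-based packet inspector (added example, not from the article).

Constructed packets and made-up signatures only. Demonstrates two limits of
per-packet signature matching: a signature split across packets is missed
unless the stream is reassembled, and an encrypted payload gives nothing to
match against.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical signatures: constructed strings, not real indicators.
SIGNATURES: Dict[str, bytes] = {
    "SIG-0001 suspicious shell payload": b"/bin/sh -c",
    "SIG-0002 fake macro marker": b"AutoOpen()",
}

Flow = Tuple[str, str]  # (source, destination), a simplified TCP flow key


@dataclass(frozen=True)
class Packet:
    flow: Flow
    seq: int        # byte offset of this payload within the flow
    payload: bytes


def inspect_packet(pkt: Packet) -> List[str]:
    """Match every signature against one packet's payload in isolation."""
    return [name for name, pat in SIGNATURES.items() if pat in pkt.payload]


def inspect_stream(packets: List[Packet]) -> Dict[Flow, List[str]]:
    """Reassemble each flow by sequence offset, then match across the whole stream."""
    streams: Dict[Flow, bytearray] = {}
    for pkt in sorted(packets, key=lambda p: (p.flow, p.seq)):
        buf = streams.setdefault(pkt.flow, bytearray())
        if len(buf) < pkt.seq:            # naive gap handling: zero-fill
            buf.extend(b"\x00" * (pkt.seq - len(buf)))
        buf[pkt.seq:pkt.seq + len(pkt.payload)] = pkt.payload
    return {
        flow: [name for name, pat in SIGNATURES.items() if pat in bytes(buf)]
        for flow, buf in streams.items()
    }


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Stand-in for a real cipher (NOT secure): enough to make bytes opaque to matching."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_packets() -> List[Packet]:
    """Constructed HTTP request whose suspicious command straddles two packets."""
    flow: Flow = ("10.0.0.5:51000", "198.51.100.7:80")
    first = b"GET /cgi?cmd=/bin/"
    second = b"sh -c id HTTP/1.1\r\n"
    return [Packet(flow, 0, first), Packet(flow, len(first), second)]


def run_demo() -> Dict[str, object]:
    """Return per-packet, reassembled and encrypted-flow verdicts for the sample."""
    pkts = build_packets()
    per_packet = [inspect_packet(p) for p in pkts]
    reassembled = inspect_stream(pkts)[pkts[0].flow]

    # Same bytes, but sent over an "encrypted" flow: the matcher sees only ciphertext.
    enc_flow: Flow = ("10.0.0.5:51001", "198.51.100.7:443")
    plaintext = b"".join(p.payload for p in pkts)
    enc_pkt = Packet(enc_flow, 0, xor_stream(plaintext, b"constructed-demo-key"))

    return {
        "per_packet": per_packet,          # [[], []]  -> split signature missed
        "reassembled": reassembled,        # one hit once the stream is rebuilt
        "encrypted": inspect_packet(enc_pkt),  # [] -> nothing to match
    }


if __name__ == "__main__":
    for label, verdict in run_demo().items():
        print(f"{label:12s} {verdict}")
```

The per-packet pass misses the split signature, the reassembled pass catches it, and the encrypted flow yields nothing at all. Real inspection systems need per-flow state for reassembly, and encrypted traffic (the norm, not the exception) leaves signature matching with only metadata to work with; both points bear on the "tens of thousands of nodes" scale the paragraph sketches.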