Jay P. Kesan is the H. Ross and Helen Workman Research Scholar and director of the Program in Intellectual Property and Technology Law at the University of Illinois College of Law, as well as a researcher in the Information Trust Institute. An expert in the areas of technology and law, Kesan spoke with News Bureau business and law editor Phil Ciciora about the Cybersecurity National Action Plan, President Obama’s new initiative to strengthen the nation’s cyberdefenses over the next decade.
President Obama has called cybersecurity one of “the most serious economic and national security challenges of the 21st century.” What do you think of his new cybersecurity plan?
There are some elements that are very good. The Federal Privacy Council is intended to coordinate data practices across the federal government, which is a serious need. Consistency needs to be a top priority. That said, the executive order establishing the council says that independent agencies like the Federal Trade Commission and the Department of Defense are merely “encouraged to comply” with the order.
Stronger, binding requirements would likely require congressional intervention, but privacy and security concerns need to be addressed at all levels, including government contractors who have any kind of access to government systems. Security is only as strong as the weakest link. In the Target breach of 2013, for example, one contractor and one phishing email were all it took to give hackers the opportunity to steal millions of credit card numbers.
Critics have noted that what’s perhaps most striking about the Cybersecurity National Action Plan is just how rudimentary it is. For example, two-factor authentication is one of the recommendations. Should that give us some pause as to just how weak our country’s cyberdefenses are at present?
Some of these changes will seem rudimentary to those who are familiar with cybersecurity matters. But keep in mind how fast all of these changes have happened. In 1977, Ken Olsen, the founder of Digital Equipment Corporation and one of the pioneers of the computer industry, once declared that there was no reason anyone would want a personal computer in their home. In the 1990s, some people thought the Internet was a fad. Systems that were built in the 1960s, 1970s, 1980s and onward were not built with 2016 cybersecurity in mind. This is why the $3.1 billion set aside for upgrading federal systems in the proposed budget is so important.
Older systems aren’t the only problem, though. Even modern devices may not be built with cybersecurity in mind. Often, entrepreneurs and inventors are so excited to create something new that they don’t consider security in the initial planning. In the case of the “Internet of Things” – for example, sensor-driven machines talking to other machines – security for these devices is frequently an afterthought and is something that will be addressed by the proposed Cybersecurity Assurance Program.
But everything has to start somewhere. Even before the theft of more than 20 million personnel records from U.S. government databases, cybersecurity scholars knew that the federal government’s approach to security needed to be updated and made internally consistent. There are still lots of companies that continue to only use passwords. Some require employees to change their passwords every six weeks and not reuse any old passwords. But is it helping security if that motivates people to write their passwords down and keep them at their workstations?
The presidential candidates from both parties have been mostly silent on how they would shore up the nation’s cyberinfrastructure. What would you like to hear from the candidates about their vision for the future of cybersecurity in the U.S.?
First, I would like to hear about their views on encryption. Law enforcement officials, from the FBI on down to local prosecutors, express concern about investigations “going dark.” In the 1990s, a similar fear led to national encryption debates in which government officials proposed creating backdoors so that law enforcement would always have a way to access encrypted information. The debate started again in 2014 after Apple and Google announced their intentions to have secure end-to-end encryption for all of their devices. And just as before, law enforcement agents want a backdoor to ensure that the company can always decrypt customer information just in case. But it’s simply not technologically reasonable to ask a company to build their product with a security flaw that only the good guys – and not the bad guys – will be able to use. That’s not how doors and locks work.
Second, I would like them to weigh in on the National Institute of Standards and Technology Cybersecurity Framework, which was created by executive order in February 2013, and the importance of cybersecurity for critical infrastructure. Just last December, hackers used malware to cause a blackout in a large region of Ukraine. So this is not a topic where politicians and candidates can just play partisan games.
Third, and this ties in with the encryption concerns as well, I would like to know their positions on anonymity on the Internet. High-security methods of accessing the Internet, such as through Tor, allow whistleblowers to communicate with journalists. Anonymity can be especially important in oppressive government regimes where dissidents are harshly punished.
So far, though, the main concern that candidates seem to have about services like Tor and the so-called “dark web” is that terrorists can use the added security when they are recruiting and distributing propaganda. In this situation, freedom can be at odds with security. Whoever receives each party’s nomination will have to address these sorts of hard questions.