A Minute With: An interview on cybersecurity with ITI researcher Jay Kesan
Editor's note: Jay P. Kesan, a professor of law at Illinois, is a leading national scholar in the areas of technology, law and business.
Kesan, who directs the Program in Intellectual Property and Technology Law, spoke with News Bureau business and law editor Phil Ciciora about what steps the government should take to improve the cybersecurity infrastructure in the U.S.
Experts have been conjuring frightening images – everything from electricity and Internet outages to malfunctioning nuclear power plants – to dramatize what could happen if a cyberattack from a malicious actor were to succeed. Is this hyperbole, or a pre-9/11 moment that we need to prepare ourselves for?
This is something that we need to prepare for, but it is difficult to anticipate the potential scope of future attacks. Yes, cyberattacks could be used to sabotage electrical systems or wastewater treatment plants. Consider Stuxnet, which targeted Iranian nuclear infrastructure and knocked several centrifuges offline, throwing a cyber wrench into that country's uranium enrichment activities. And that's just the one example that we have the most information about. There may be ongoing attacks against industrial infrastructure all over the world.
But we find ourselves in an awkward position. If we warn against these dangers and, because of preparations that are made, nothing comes to pass, the general public will continue to think of these warnings as alarmist and exaggerated. At the same time, it's difficult to estimate what preparations will be sufficient to protect against attacks that could come from anywhere and take a variety of forms.
Businesses and civil libertarians have pushed back against government-mandated fixes of computer networks, arguing that such top-down changes would stifle innovation and cost consumers millions. Will it only take a catastrophic attack to get people's attention to the vulnerabilities our digital systems face from hackers and spies?
We are facing a situation where it would benefit us to be forward-looking, but public demand for these programs likely will remain stagnant or hostile to government oversight of computer security issues until a very public event causes people to take notice. This does not necessarily require that the U.S. find itself the victim of catastrophic cyber hostilities. Security experts should track and publicize events that are occurring in other countries. In my opinion, Stuxnet should be as prevalent in the modern political lexicon as Benghazi. After all, Stuxnet inspired the writers of the new James Bond film Skyfall in creating their plot.
But currently, cyber threats are still a pretty vague idea for most people. There are already lots of actions being taken by the government to protect infrastructure, but you won't see these measures if they are successful. If there is a cyber Pearl Harbor, it will be because the current measures failed.
But really, a cyber Pearl Harbor is a misleading concept. Pearl Harbor is a military base, which is a fairly obvious target. The attack on Pearl Harbor was organized and executed by a national government on the other side of the Pacific Ocean. A massive cyberattack could be anywhere, and may not even need the backing of a national government to be successful. Military bases inherently know that they might be attacked. Cyber hostilities could arise anywhere. It's very hard to prepare for and protect against. In my view, the question is when a grand-scale cyberattack will occur, not if.
During a time of all-around belt-tightening for defense budgets, how essential is it to keep cybersecurity funding intact?
I don't think there's really a danger of cybersecurity funding being cut substantially. Military leaders recognize its importance. Congress itself recognized the relevance of cyber operations in last year's much-maligned National Defense Authorization Act. In the NDAA, Congress made it explicit that cyber operations should be governed by the same laws of war as other military activities. The problem with this sort of question is that it assumes that it's currently a low priority. Evidence suggests that cybersecurity is a pretty high priority; it's just not something that Congress members talk about publicly because they don't think that a particular position on it will make them gain or lose support.
I read a law article a while back where the authors were discussing the possibility of a cyber reserve corps – technical professionals who could spend a couple of weekends a month training in military cybersecurity topics. Maybe that would be a good option to balance budgetary spending.
The Obama administration has floated the idea of issuing an executive order to keep the country's most important networks safe from cyberattacks. Is this the way to go, or do we need a full-fledged cybersecurity bill from Congress in 2013?
Some legal precedents suggest that it would be permissible for the Obama administration to do something like this, though more detailed oversight of privately owned critical infrastructure systems might require that the president declare some form of emergency. Having Congressional action on these topics would provide more transparency and more legal justifications, so that is probably a better direction. But Congressional actions also take a long time, and are subject to a variety of veto gates along the way. Most bills don't make it out of the committees. So limited executive action would probably be beneficial while support is being put together for formal Congressional action.