As cybersecurity hits the House floor this week, the debate over what role the government should play in efforts to secure cyberspace will be front and center. On one side are those who believe that the federal government should be engaged in encouraging, if not requiring, critical infrastructure owners and operators to meet certain standards to avoid the catastrophic cyber attack that experts and fortune tellers have been predicting for years.
In the opposite corner are the majority of the owners and operators, as well as business groups and the Chamber of Commerce, who believe that the private sector knows best when it comes to securing its own systems and that involvement from Washington would only create expensive solutions that would not result in more security.
The debate over how to address critical infrastructure vulnerabilities is not new and is one that the federal government has struggled with since at least 1997, when President Clinton established the President's Commission on Critical Infrastructure Protection. In its report, Critical Foundations: Protecting America's Infrastructure, the Commission found:
We know our infrastructures have substantial vulnerabilities to domestic and international threats. Some have been exploited -- so far chiefly by insiders. Although we know these new vulnerabilities place our infrastructures at risk, we also recognize that this is a new kind of risk that requires new thinking to develop effective countermeasures. Coping with increasingly cyber-based threats demands a new approach to the relationship between government and the private sector.
This "new" public-private partnership configuration, now 15 years old, is really at the heart of the debate this week and in the coming weeks (should the Senate take up its cybersecurity legislation). Indeed, it is a debate that will not go away anytime soon.
Back in 1997, the Commission envisioned a partnership with explicit roles for the government and for the owners and operators of critical infrastructure:
Because it may be impossible to determine the nature of a threat until after it has materialized, infrastructure owners and operators -- most of whom are in the private sector -- must focus on protecting themselves against the tools of disruption, while the government helps by collecting and disseminating the latest information about those tools and their employment. This cooperation implies a more intimate level of mutual communication, accommodation, and support than has characterized public-private sector relations in the past.
If this type of relationship sounds familiar, it may be because it is what the House Republican leadership is addressing, in part, as the center of its Cybersecurity Week. The Cyber Intelligence Sharing and Protection Act (H.R. 3523), sponsored by Reps. Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD), is intended to allow the sharing of classified cyberthreat information with key private sector stakeholders, many of whom have found that their existing efforts could be strengthened by better threat analysis. Based on this sharing, numerous high-tech and business associations and companies have come out in support of the bill.
At the same time, numerous privacy advocates and civil libertarians have raised red flags about the actual language of the bill, which also allows certain self-protection efforts and the voluntary sharing of information with the federal government. The latter has many concerned that sharing information with intelligence agencies could violate the Constitution and put individual rights at risk -- a backdoor to Big Brother spying on U.S. citizens. The sponsors have made significant edits to the bill, but it remains unclear whether that will be enough to win over libertarian and Democratic support on the floor. In many ways, the issue is less about information-sharing in general and more about sharing with the NSA, which always raises flags domestically.
So if the House Republicans are taking the path laid out in the CIP Commission report, why is there such a push by the Obama Administration and Senate leaders to create voluntary standards for protecting critical infrastructure? It may be that the model as envisioned by the Commission in 1997 has proven not to be foolproof, as the government and the private sector have struggled over the past 15 years to ensure that cybersecurity was baked into infrastructure and that information flowed freely. If things had worked as envisioned, it is likely we would not be having these debates today on either standards or information sharing.
The Commission was right -- we do need a new approach to cybersecurity and the relationship between the private sector and government. It is just not clear how that relationship should be structured to ensure that all concerns, whether from business groups or privacy advocates, are met. Unfortunately, we likely do not have another 15 years to try to figure it out.