Who defends the Internet?

Much of the underlying architecture that powers the internet is under increasing threat -- and it's not clear who in government or industry can or should take the lead to protect it.

global network (NicoElNino/Shutterstock.com)

Much of the cybersecurity policy debate in Washington, D.C., tends to focus on the IT systems, networks and devices used by agencies, organizations and consumers. However, the underlying architecture that powers such tools is also increasingly under threat, as a number of high-profile attacks against internet infrastructure in recent years have demonstrated.

That architecture is sprawled across the globe in the form of underground and undersea cables, local and regional bandwidth networks and internet exchange points. No single entity owns or manages more than a fraction and in general, individuals, companies and governments all rely on the same foundation to access the Internet. Additionally, those foundations were largely built up over decades for speed and ease of communication, not security.

In a Sept. 10 hearing, House Armed Services Committee Chair Jim Langevin (D-R.I.) warned that even as government agencies like the Departments of Homeland Security, Defense, Commerce and others have moved to establish clearly defined roles in the cyber policy ecosystem, no one entity is responsible for overseeing the underlying infrastructure that powers the World Wide Web.

"I'm very worried that by carving out discrete lanes in the road, there are seams left unaddressed in the middle, and I'm concerned that internet architecture security is one of those seam issues," said Langevin.

For example, the Department of Defense manages security concerns for underground and undersea cables when they impact military systems or readiness, while DHS has typically taken point on threats to DNS and internet exchange points.

Jeanette Manfra, assistant director at the Cybersecurity and Infrastructure Security Agency at DHS, told lawmakers that there are no hard lines around ownership of these issues in government, and that most of the control consistently rests with private industry.

"It's not so much that here's a clear jurisdiction and it ends at this part of the internet architecture," Manfra said. "It's really private sector led in all cases and what we have are different tools to analyze and make assessments and take action if we have concerns."

Threats to that architecture from both state and non-state actors loom large and threaten the public and private sectors alike. Earlier this year, DHS issued an emergency directive to shore up federal protections in response to a global campaign to manipulate the Domain Name System and steal internet traffic data, while a group of teenagers managed to develop a botnet variant for their video game extortion scheme so powerful that it was later used to target the Internet's backbone with Denial of Service attacks, taking major websites and large chunks of the web offline.

But ultimately both sectors rely on the same underlying infrastructure to operate online. Ed Wilson, deputy assistant secretary of defense for cyber policy at DOD, alluded to the interconnected nature of the threat, noting that while the Pentagon previously viewed the issue through the narrow lens of direct attacks on military assets, key competitors in the global space "have demonstrated vulnerabilities that extend beyond our DOD systems and networks."

"The vulnerability of critical infrastructure to cyberattacks means that adversaries could disrupt military command and control, banking and financial operations, the transportation sector, the energy sector, various means of communications and a variety of other sectors," said Wilson.

Policy proposals to shore up security of the larger internet ecosystem have been scant, a product of both the technical wonkiness of the topic as well as the decentralized ownership of the issue by many stakeholders.

Commerce and DHS worked for years on a botnet report, but the final product wound up not recommending any major federal policies or legislation to tackle the problem, essentially leaving it up to the private sector to solve the issue through greater innovation and collaboration. Several members of Congress, most notably Sens. Sheldon Whitehouse (D-R.I.) and Lindsey Graham (R-S.C.), have spent years pushing legislation to treat bot networks, which power many attacks on internet infrastructure, as a form of fraud. However, even as the Department of Justice openly supported legislation last year, it was not passed into law.

Nine of the 55 national critical functions developed by DHS earlier this year focus on connectivity and Internet access, and officials have said they plan to use that list as a foundational springboard to refocus additional human and policy resources in the future. Manfra floated the possibility of new or existing standards bodies that could set broader guidelines or mandates for internet providers and other stakeholders, but she emphasized that private internet providers have both the means and motive to implement new protections.

"I will say when you're talking about the companies that provide that internet architecture…they have a lot of economic incentives to have a secure and reliable infrastructure," said Manfra.