honoluluadvertiser.com

Sponsored by:

Comment, blog & share photos

Log in | Become a member
The Honolulu Advertiser
Posted on: Monday, July 6, 2009

Digital networks must be protected


By Jack Goldsmith

Our economy, energy supply, means of transportation and military defenses are dependent on vast, interconnected computer and telecommunications networks. These networks are poorly defended and vulnerable to theft, disruption or destruction by foreign states, criminal organizations, individual hackers and, potentially, terrorists.

In the last few months it has been reported that Chinese network operations have gotten into American electricity grids, and computer spies have broken into the Pentagon's Joint Strike Fighter project.

Acknowledging such threats, President Obama recently declared that digital infrastructure is a "strategic national asset," the protection of which is a national security priority.

One of many hurdles to meeting this goal is that the private sector owns and controls most of the networks the government must protect. In addition to banks, energy suppliers and telecommunication companies, military and intelligence agencies use these private networks.This is a dangerous state of affairs, because the firms that build and run computer and communications networks focus on increasing profits, not protecting national security.

This is a market failure that only government leadership can correct. The tricky task is for the government to fix the problem in ways that do not stifle innovation or unduly hamper civil liberties.

Our digital security problems start with ordinary computer users who do not take security seriously. Their computers can be infiltrated and used as vehicles for attacks on military or corporate systems.

Obama has recognized the need to educate the public about computer security. The government should jump-start this education by mandating minimum computer security standards and by requiring Internet service providers to deny or delay Internet access to computers that fall below these standards, or that are sending spam or suspicious computer probes into the network.

The government should also use legal liability or tax breaks to motivate manufacturers — especially makers of operating systems — to improve vulnerability-filled software that infects the entire network.

It should mandate disclosure of data theft and other digital attacks — to trusted private parties, if not to the public or the government — so that firms can share information about common weapons and best defenses. Increased information production and sharing will also help create insurance markets that can elevate best security practices.

But the private sector cannot protect these networks by itself. The government must be prepared to monitor and, if necessary, intervene to secure channels of cyberattack as well.

The Obama administration recently announced that it would set up a Pentagon cybercommand to defend military networks. Some in the administration want to use Cybercom to help the Department of Homeland Security protect the domestic components of private networks that are under attack or being used for attacks.

Obama has tried to soothe civil liberties groups' understandable worries about these proposals. The president has said the government would not monitor private sector networks or Internet traffic, and pledged to "preserve and protect the personal privacy and civil liberties we cherish as Americans." But the president is less than candid about the tradeoffs the nation faces. The government must be given wider latitude to monitor private networks and respond to the most serious computer threats.

Many will balk at this proposal because of the excesses and mistakes associated with the secret wiretapping regime in the Bush administration. But they should not prevent us from empowering the government to meet the cyber threats that jeopardize our national defense and economic security. If they do, then privacy could suffer much more when the government reacts to a catastrophic computer attack that it failed to prevent.

Jack Goldsmith is a professor at Harvard Law School who was an assistant attorney general from 2003 to 2004. He wrote this commentary for The New York Times.