Pages

25 August 2014

HOW TO SAVE THE INTERNET: WE NEED A CDC FOR CYBER CRIME

August 21, 2014 

Peter W. Singer had a August 19, 2014 article on the website Wired.com, with the title above. Mr. Singer begins his article noting that “the Internet may be made up of software and hardware; but, it is an ecosystem that depends on a key human value: trust. The networks and the systems must,” he writes, “be able to trust the information we are sending, and in turn, we have to be able to trust the information we receive.”

“This system of trust,” he writes, “has allowed business around the world to share data rapidly and reliably on almost every issue — except their own security. Too many firms,” he contends, “are still unwilling to share crucial information about the network data attacks, data breaches, and outright cyber theft we they’ve experienced — and, what they do to defend themselves. Companies keep everything from basic facts to crucial technical details from one another, and notably, from the government, largely because they’re suspicious and fearful about what others might do with that information. The fears run the gamut: Tech companies worry about their brand, potential prosecution, even exploitation by the intelligence community; consumer firms wonder how the stock market will react; oil companies fear aiding their competitors; and energy companies are nervous that the information will end up being exploited by those they fear far more hackers: environmental lawyers.”

“The result is that, as cyber security guru Kevin Mandia of FireEye puts it, “Nobody gets smarter.” Victims of attacks may learn how to adjust to a new threat, but only after the fact, while the world at large too often doesn’t get the guidance needed to bolster [cyber] defenses in a timely manner.”

Just As The CDC Plays A Part In Public Education On Preventive Health Care — So Too, Could A Cyber-CDC Be a Hub For Better “Cyber Hygiene”

“Discussions of what government should do about this predicament tend to focus on some kind of change in the law to raise regulations and/lower liabilities. That is well and good,” Mr. Singer writes, but government should also think about building a new organization for the cyber age. And, it can do so by taking inspiration from one of the most successful agencies created in the past,” he argues.

“The Centers for Disease Control and Prevention started out in 1946 with a mission to prevent malaria in the U.S.,” Mr. Singer notes. But, he adds, “It has since become the bulwark of the modern American public health system; not only ending the scourge of malaria within the U.S., but helping eliminate global killers like smallpox. Now, it stands guard against new outbreaks like Ebola and pandemic flu. The CDC succeeded,” Mr. Singer contends, “because it established itself as a hub for research on threats that the private market wasn’t equipped, or motivated to confront; and, the public system wasn’t well organized to handle. In doing so, it became a trusted clearinghouse for public and private actors, by sharing important — but, anonymized information with anyone who needed it. Though its leadership is appointed by the government, its staff is recruited from a wide range of specialties — to enhance its independence and credibility.”

“A similar gap could be filled by creating a “Cyber-CDC,” Mr. Singer contends. “Forming an agency whose core mission is cyber security research and information sharing — would help change the nature of the game. It’s not just that there are many similarities between the spread of malware and communicable disease (even the terminology is the same — “viruses,” “infection,” etc.), it is that the CDC plays a key role no missing in cyber security — in terms of the trust factor. We similarly need a publicly funded research organization, trying to understand emerging [cyber] threats, as well as a reliable clearinghouse, transparently sharing information to anyone, and everyone who needs it.”

“As with the CDC in public health, the cyber version would not replace all the other players, but fill a gap that now exists between the public and private space, especially when it comes to the trust factor. It could be structured in a similar way, with leadership appointed by the government; but, with staff recruited across a wide range of specialties to aid its independence and credibility. Or, as one writer for the Cyber Security Law and Policy blog joked, “Essentially, take everything the CDC already does; and, slap a cyber in front of it.”

“Forming an agency whose core mission is cyber security research and information sharing would help change the nature of the game,” Mr. Singer said. “By having a research focus and origin, it would distinguish itself from organizations like NSA, law enforcement agencies, the federal Computer Emergency Readiness Team, trade groups and private companies that now all try to play this intermediary role. These groups each bring strong capabilities; but, they also often have mixed interests and dueling motives that can undermine trust. What’s more, this new agency would have a more cohesive structure, mandate, and funding than the valiant — but, outgunned volunteer outfits that also play in this space,” Mr. Singer noted.

“Implementing a cyber version of the CDC might even have a wonderful side benefit to the diplomatic tensions that so trouble the Internet today. By focusing on research and information sharing, it could serve as a hub for cooperation with all the various state and international agencies, as well as non-state actors that matter in cyber space. Such an entity might serve as a key intermediary in evermore heated political environments, just as CDC proved to be a trusted diplomatic back-channel during the Cold War,” Mr. Singer wrote.

“The benefits of such an [cyber[] organization,” Mr. Singer concludes, “would extend all the way down to the individual level. Just as the CDC plays a key part in public education on preventive health care, so too could a “Cyber CDC,” be a hub for better “cyber hygiene.” “When the HeartBleed security bug was discovered in April — creating potential web vulnerabilities on a mass scale — everyone from software companies and media outlets to the NSA was asked for answers, but none of their responses was fully trusted,” Mr. Singer observed.

“There are many technical and legal, and policy gaps in cyber security today. But, maybe what is missing most is an intermediary we can trust. This new problem might best be answered by an old success story,” Mr. Singer suggests.

Interesting idea. I do not know whether it is a good idea; or, the right one. We probably should have some kind of wisdom of the crowd/social media gathering of the best ideas for cleaning up the Internet and preventing, or mitigating cyber ‘viral’ outbreaks. Once we have collected all the suggestions/ideas, use our big data mining to cull down a manageable list of the top five ideas or so — and, either promulgate the pros/cons of each — as well as attempt to understand the unintended consequences — both good and bad. And, go from there. My own guess is, there is no one right answer; and, most certainly no “silver bullet” solution that will get us to Shangri-La. Like democracy, the Internet is imperfect; but, it is the best we have right now. One thing that doctors at the CDC know is the Hippocratic Oath — “First, Do No Harm.” We should also have a Cyber Hippocratic Oath, and proceed carefully down the road to a better and safer Internet. V/R,

No comments:

Post a Comment