Opinion

Bam’s recipe for cyber-disaster

If you like airport security, just wait until the same folks get control of how we protect our power grid, nuclear plants and banking system from cyber attack.

The Transit Security Administration is a notorious mess, and its parent Department of Homeland Security flunked an Inspector General’s audit on its own cybersecurity last year.

Yet the White House is set to impose the TSA-ification of the cybersecurity of 16 key national industries. It’s an unprecedented power grab that may actually make a catastrophic Pearl Harbor-style cyber attack more likely.

The notion is so laughable, a bill to enact it couldn’t even pass the Democratic-controlled Senate. But President Obama is preparing to impose it by executive order any day now.

This, from a White House whose military-office network — which handles, among other things, nuclear commands — was cracked by hackers linked to China just last month.

Under the executive order, the president will empower a DHS-led National Cybersecurity Council to decide which companies in critical sectors of the economy are vulnerable to cyber threats, and set the security standards by which they should operate.

Companies don’t have to comply, but the DHS will tell the public which are and which aren’t — and lots of companies won’t want their customers to hear that the firm doesn’t comply with federal data-security standards.

Federal contractors may be stuck, too. Firms that sort medical data for the Veterans Administration, or even the major banks (which bid in Treasury-bill auctions) might lose that business if they don’t comply.

These firms may also be subject to the DHS “risk assessments” envisioned in the bill. For any targeted company and its Information Technology team, that’s the equivalent of an IRS audit or TSA strip search, with inspectors patting and probing anyone they think is doing a lousy job meeting the government’s one-size-fits-all security standards.

Plus, companies will have to waste time and resources filling out reams of paperwork — rather than focusing on fighting the hackers.

Mind you, the stated goal here is wise: Keep critical national networks safe from cyber attack. But the idea that the federal government has the expertise to analyze every possible cyberthreat in our vast digital universe, and then recommend the best cure, is staggeringly wrong.

And the idea that any government agency can do so in a timely manner — when cyber “evolution” is so rapid — is absurd.

A National Research Council-sponsored study found that some 1.8 trillion gigabytes of digital data were created or replicated in 2011 alone; that’s equal to every person on the planet getting 215 high-resolution MRI scans every day. And hackers will create some 24 million new viruses and malware programs this year. No government, no single institution, can ever possibly oversee all that data, and the myriad threats to them, any more than it can oversee the national economy.

The claim that without the feds in charge, we’re all helpless to respond to a massive attack on our power grid or banking system has it exactly backward. One reason those networks haven’t been subjected to significant damage is that private companies are constantly responding to threats and developing new solutions on their own.

As Jody Westby, CEO of Global Cyber Risk, points out, “neither the US government nor Congress really knows the security posture of most US companies.” Instead of drawing up standards for everyone in the ever-changing cybersecurity arena (standards that will be out-of-date almost from the moment they’re put out), DHS, the National Security Agency and the Pentagon need to be learning from corporations like Visa (which fights 3 million cyber attacks on an average day) and private cybersecurity firms, not the other way around.

That’s what a bipartisan bill in the House would help to do. It keeps national cybersecurity standards voluntary (as now) and allows sharing of data between government and corporations regarding cyberattacks (whether they’re from al Qaeda, the Chinese military or disgruntled hackers), so everyone learns from each other.

But the president and the Homeland Security wizards are determined to impose the Big Government Knows Best solution. They continue to ignore the crucial lesson we learned in building the arsenal of democracy in World War Two: When the government faces a massive national problem, it’s the private sector that usually has the answers.

Obama’s impending executive order would move us very much in the opposite, and wrong, direction.

Arthur Herman’s latest book is “Freedom’s Forge: How American Business Produced Victory in World War II.”