Where does the cyber security buck stop?

Late last year, Bruce Schneier testified before the U.S. House Energy and Commerce Committee, asking it to consider imposing security regulations on the Internet of Things (IoT). Schneier argued that neither IoT buyers nor sellers care about a device's security. Sellers are interested in quickly releasing inexpensive products to market, while buyers only care about getting cool gadgets for cheap. This unhealthy and insecure IoT market results in incidents like the Mirai botnet, in which hundreds of thousands of hijacked IoT devices launched successful DDoS attacks against many large websites. Schneier warned the committee that future IoT attacks could have even more catastrophic consequences.

So, should the United States government get more involved in regulating the security of products and devices?

Schneier is correct that governments should take a more active role in protecting their citizens from cyber security threats. However, there is a fine line between protecting citizens and limiting or censoring them. Poorly-designed regulations can hamper business and innovation. Where should the government’s involvement begin and end? I believe that governments should fine-tune laws to criminalize specific cyber attacks and create regulations that incentivize businesses to secure their products. However, I do not think governments should become the custodians of the Internet by imposing nation-level security controls.

Let's start with what governments should not do. While some might argue that governments should implement Internet-wide security controls that protect citizens from hackers, this is a slippery slope. Poorly-implemented security controls can feel like censorship, and state-sponsored security could limit freedoms, invade citizen privacy and easily devolve into something like the Great Firewall of China. In the end, these controls can't stop users from doing silly things anyway, so governments shouldn't take on the responsibility of securing the public's Internet connections.

On the other hand, a government's top priority should be to adequately penalize people who use technology to hurt or steal from its citizens. To do this, governments need laws against common cyber crimes. While a lot of countries have anti-cyber crime laws, many of them are antiquated and either don't sufficiently cover modern cyber crimes or are so broad that they have unintended consequences. In the U.S., cyber law can get even more confusing due to differences between state and federal legislation.

For instance, the Computer Fraud and Abuse Act (CFAA) is the primary U.S. federal law that might protect citizens from cyber crimes. In general, this law makes it illegal for a person (or program) to leverage unauthorized access to a protected computer to steal or damage information. It started as a law intended to protect government and financial computers, but has since been amended to cover a much wider range of computers and to allow civil suits as well. The language in this law is broad enough to prosecute many cyber crimes, including acts of digital data theft and malware infections. However, the CFAA never mentions DDoS attacks or phishing emails by name. That leaves two problematic possibilities: either the law is not specific enough to criminalize many modern cyber crimes, or it is so vague and overly broad that it can criminalize just about anything (such as sharing passwords). Based on how the CFAA was used against security researchers and Aaron Swartz, I suspect the latter.

Meanwhile, some individual U.S. states have more specific cyber crime laws that do cover modern threats like phishing and DDoS attacks. This is a positive step, but since not all states share these laws, criminals can take advantage of this confusing legal environment.

To solve this problem, the federal government should create more explicit, clearly-defined laws that criminalize modern Internet attacks. To its credit, the federal government has tried to pass federal versions of these state-style cyber crime laws before, and failed. Nonetheless, it's time to try again. The first step should be ensuring that we are properly criminalizing the actors behind these cyber attacks.

That brings us back to Schneier’s recommendation for governments to regulate IoT security. Since most consumers don’t care (or know) enough about IoT security to demand it (by voting with their wallet), and vendors don’t see any revenue or profit motivation to create secure products, we remain at an impasse. We need a third voice—the government—to force the issue and impose security requirements on Internet-connected devices.

The automotive industry in the United States is a good example of the need for this type of regulation and how it might work. Before the 1950s, most cars did not have seatbelts, let alone airbags or other regulated safety gear. The early automotive market was similar to today's IoT market, with demand, growth and innovation overriding any consumer demand for specific safety requirements. But as accidents increased, national organizations started compiling accident statistics, and university researchers began crash testing. The safety issues eventually turned into public demand and persuaded the U.S. government to write laws about automotive safety and create an auto safety regulatory body. Now you don't even have to think about safety when buying a car, since you know regulation requires all cars to ship with safety equipment.

This same concept could help secure IoT devices. However, to be successful, this regulatory body would need to consist of both security experts and vendors from the industry. The regulatory body would need enough security expertise to propose minimum standards (such as encrypted management channels, no hard-coded passwords, and rules for default passwords, for example a forced change on first login) that significantly reduce threats, while still allowing vendors to weigh in and make sure the minimum requirements don't impose undue hardships or halt innovation.

So, where does the buck stop for cyber attacks? No matter what happens, when it comes to protecting our connection to the Internet, the buck ultimately stops with us. Governments should not be our Internet custodians because it’s too easy for them to slip into overprotection and limit our freedoms.

However, when it comes to protecting citizens from criminals and negligent companies, the buck stops with the government. Remember that the criminal attacker is the true enemy, not product vendors. Governments should start by concentrating on writing clear, focused laws that criminalize specific computer attacks, and they should do so at the federal level to avoid state-level confusion. Once we have these clearer cyber crime laws, governments can consider technological regulations. We should only regulate technologies whose markets have proven unable to regulate themselves, and we should involve experts and stakeholders in the process to ensure that we make the correct compromises.