Remember how cybersecurity legislation died in the last Congress in large part because businesses said new regulations would be too onerous and costly? We’re about to have that debate again, but this time with a twist.
As explained in this Bloomberg article, telecommunications companies, such as Verizon and AT&T—the companies that run the networks—are concerned that President Obama’s new executive order on cybersecurity exempts commercial technology companies like Google, Microsoft, and Facebook—companies whose products exist on the network.
The EO directs the Homeland Security Secretary to make a list of critical infrastructures, by sector, for which a “cybersecurity incident” could threaten public safety or national security. We’re talking about cyber attackers taking down a power grid, or manipulating financial information in a major bank’s databases. The kinds of attacks that would result in mass panic and potentially loss of life.
But the order appears not to treat the software that controls those infrastructures, or the technologies that hackers exploit to facilitate such attacks, as critical infrastructures themselves, at least for the purposes of preventing a national-level cyber incident. The Secretary is instructed to “not identify any commercial information technology products or consumer information technology services” in drawing up the list.
Securing an electrical grid from hackers would presumably mean defending all the vulnerabilities an intruder might exploit, whether at the network level or in an application. E-mail and social networking sites are well-known conduits for spear phishing and the implanting of malware inside corporate networks. And some would argue, as Verizon does, that e-mail itself is a requisite feature of modern life, the loss of which would impair the smooth functioning of society. (My friend Bill Powers might take issue with that.)
So, why are these technologies preemptively “off the list” as the Secretary begins her review? The White House told Bloomberg that the goal of the order is to protect “systems and assets whose incapacitation from a cyber incident would have catastrophic national security and economic consequences. It is not about Netflix, Twitter, Facebook, and Snapchat.”
There we have a frame for the debate. Should cybersecurity be about protecting facilities, or regulating products and services? Can you do one without the other?
It’s no surprise that the likes of Verizon and AT&T, which have long, deep ties in the national security space, would make an early move on this. They’ve been down this road before and learned from history. Every time government officials talk about the need for new laws and rules to protect national security, the companies go into battle mode, and they fight hard. But usually their adversary is the government itself. This time, it might be Facebook and Microsoft.