Why can't the government keep hackers out? Because the public is afraid of letting it.
The world’s leading cyberpower is … North Korea. This is the considered opinion of Richard Clarke, former cyberczar and advisor to four presidents. How has he come to this conclusion? Very sensibly, by assessing countries in terms of their offensive and defensive capabilities, along with the degree to which they are dependent on the Net and the Web. North Korea has only modest attacking capabilities — don’t look for the next Stuxnet to come slinking out of Pyongyang — but its cyberdefenses are formidable, and there is little in that sad land that requires connectivity to cyberspace in order to keep working.
How does the United States fare in Clarke’s analysis? Despite fielding the world’s best computer worms and viruses, America rates only a fourth-place position — Russia comes in second and China third. The United States gets dragged down by its pitifully poor defenses, coupled with very high cyberdependence. At the Aspen Security Forum this summer, the head of Cyber Command, Gen. Keith Alexander, went so far as to give a grade of "3" to U.S. defenses on a scale of 1 to 10. He observed that cybersnooping is now so rampant that the theft of intellectual property constituted the "greatest transfer of wealth in history."
Things don’t look so good — and they’re not getting better.
The recent defeat of the Senate’s Cybersecurity Act of 2012 is just the latest reverse in a nearly 20-year run of repeated failures to master the challenge of protecting the virtual domain. Back in President Bill Clinton’s first term, the "clipper chip" concept was all about improving the security of private communications. Americans were to enjoy the routine ability to send strongly encoded messages to each other that criminals and snoops would not be able to hack, making cyberspace a lot safer.
But the government was still to hold a "key" that would let it tap into and monitor said messages, primarily for purposes of law enforcement. The initiative foundered over this too-intrusive capacity. All these years later, the Cybersecurity Act called for a similar (though less encompassing) monitoring capability — along with the request that commercial firms voluntarily share more information — and died because of the concerns it rekindled.
These events are just the bookends of a long policymaking trail of tears. In the years after the clipper-chip debacle, commission after commission rose up to study how to improve cybersecurity without unduly violating privacy. Yet, even as the government considered snooping and hacking central concerns, it opposed the very idea of improving individual security by encouraging the use of powerful encryption — largely because the intelligence and law enforcement communities strongly resisted any initiative that might reduce their ability to conduct cybertaps.
The government’s intransigence was only countered in the end by the actions of "code rebels," to use tech journalist Steven Levy’s term, who broke the rules — and, arguably, the law — by making top-tier encryption available to the people. Thanks to them, average Americans now have access to the same strong encryption capabilities available to their leaders — as well as to the range of criminals, terrorists, and other rogues who are so utterly reliant on keeping their communications secure.
Sadly, industry leaders have never emphasized the value of strong crypto sufficiently either. There are many reasons for this neglect — the most likely being that encouraging ubiquitous use of strong crypto could weaken sales of the firewalls and anti-viral products that form so much of the cybersecurity business model. Most importantly, though, cybersecurity today is poor because the market hasn’t demanded it. Consumers are much more interested in features such as speed, variety of apps, weight, even color — so this is what drives production. It’s a classic case of market failure.
Thus, the complex, constantly growing virtual world — upon which individuals, commercial enterprises, and militaries are increasingly dependent — is plagued by rampant insecurity. So say top governmental officials today. So say those who know the results of the CIA’s extensive (and still classified) cyberwar game, Silent Horizon, conducted several years ago. And so say all involved in defending against the serious, real-life intrusions into defense information systems known to the public under names like Moonlight Maze and Titan Rain — the former apparently involving sophisticated Russian hackers, the latter seemingly emanating from China.
Unless there is a profound change in perspective, the market will continue to fail, with manufacturers focusing on speedy, attractive tech products instead of secure ones. Unless a fresh mindset emerges among the public, the fear of Big Brother will prevent legislative action, even though the data-mining about individuals and consumer habits conducted by marketers and social networking sites — a lot of Little Brothers — already dwarfs what the government knows. It is odd indeed that people freely allow organizations like Facebook a level of access into their private lives that they resist giving their elected leaders in Washington. And unless presidents and their advisors start taking cyberthreats more seriously and stop saying things like "There is no cyberwar" (as President Barack Obama’s former cyberczar, Howard Schmidt, used to), the lack of leadership on this issue will leave America gravely vulnerable.
But ways ahead do exist. There is a regulatory role: to mandate better security from the chip-level out — something that Sen. Joseph Lieberman’s Cybersecurity Act would only have made voluntary. Encouraging the widespread use of encryption can assuage fears about the loss of privacy. And finally, we should treat cybersecurity as a foreign-policy issue, not just a domestic one. For if countries, and even some networks, can find a way to agree to norms that discourage cyberwar-making against civilian infrastructure — much as the many countries that can make chemical and biological weapons have signed conventions against doing so — then it is just possible that the brave new virtual world will be a little less conflict prone.