Rethinking critical infrastructure security
- By Ari Schwartz
- Jul 25, 1999
Recent "hacks" against Pentagon, Senate and FBI World Wide Web sites have highlighted the importance of protecting computer systems against cyberattacks. Indeed, the digital equivalent of spraying graffiti on agency home pages (and denying citizens access to those sites) is the least of the problems. Critical infrastructures central to our economy and government - including telecommunications, transportation, and banking and finance - depend on networked information systems that are vulnerable to attack.
While there is no doubt that the problem of critical infrastructure protection is real, there is cause for concern that the hype surrounding the issue may lead to infringements on civil liberties. The President's Commission on Critical Infrastructure Protection, which studied the issue in 1997, recommended the establishment of an "early warning and response capability" to protect telecommunications networks against cyberattacks, raising the specter of general monitoring of Internet traffic. Lately, it has been suggested that this software should be shared with the private sector, which would be encouraged to use it to monitor communications systems to detect attacks.
The commission also recommended the adoption of key-recovery encryption, a clear example of how the issue can serve as the vehicle for other agendas because key recovery not only has no value for infrastructure protection but would introduce a new set of vulnerabilities into computer networks. And recently we have seen legislative proposals to keep off the Internet information about the environmental dangers of chemical plants in the name of protecting those facilities against terrorist attacks.
Instead of complaining about the openness of the Internet, the focus of government infrastructure protection efforts should be on building more robust systems in ways that do not erode civil liberties. Perhaps the government and businesses need to rethink their reliance on networked systems for internal operations. And designers of programs need to be sensitive to security implications.
It is clear that there are some things that critical infrastructure protection should not include:
* First, the government should not impose security measures on private systems or compel sharing of information by the private sector. The owners of private-sector infrastructures are in the best position to understand and prioritize this range of threats and what is necessary to mitigate them.
It remains unclear what information flow from industry to the government would be beneficial to promote industry's protection of its own infrastructures.
* Second, neither the government nor the private sector needs any greater authority to monitor communications or the Internet. The Electronic Communications Privacy Act already gives operators of private and government systems wide latitude in monitoring and intercepting communications on their own systems to protect their rights or property.
Perhaps one of the most questionable elements of the government's evolving infrastructure protection program concerns the lead role assigned to the FBI as home of the National Infrastructure Protection Center. Much of the defined purpose of the center is "protective." Yet the FBI is an investigative and counterintelligence agency with potent powers that do not mesh well with the voluntary cooperation of businesses on which the government claims the FBI will rely on to perform its infrastructure protection responsibilities. It would be better, on the grounds of effectiveness and civil liberties, to place elsewhere the infrastructure protection mission and the role of liaison with industry.
We must resist the logic that falsely promises an increase in security in return for a surrender of privacy and other civil liberties. In terms of the private sector, the government's role should be limited and largely advisory. Proposals for increased monitoring of information systems or for more intrusive background investigations of private-sector employees are not required and should be rejected.
-- Schwartz is a policy analyst at the Center for Democracy and Technology, Washington, D.C.