When people think of “cybersecurity,” they usually think about the big stuff like Iranian hackers bringing down the power grid or master criminals hacking Bank of America. We associate it with the Department of Homeland Security (DHS) and institutions generally clustered around the military. When it gets down to the individual consumer level, we usually think of it as something entirely different, like “identity theft.” To the extent we think of any federal agency involved with protecting consumers from such “cyberfraud,” we usually think of the Federal Trade Commission (FTC) going after businesses for failing to disclose that the free game you just downloaded to your smartphone will also track your location so that the folks at Target can text you when you get within 500 yards.
This has two unfortunate results. The first is that the “cybersecurity establishment” generally does not trouble itself about things like privacy or ease of use or general consumer habits. If anything, they think of users as part of the problem. Cybersecurity in this regard works like airport security. Just accept the loss of privacy and overall inconvenience as the price of security – even if it makes you much less likely to fly. After all, the mandate of the cybersecurity experts is security and protection, not promoting broadband.
The second unfortunate result is to treat consumers either as helpless victims or part of the problem. But in either case, no one thinks they have anything useful to contribute on the subject.
Which is what makes the Federal Communications Commission’s (FCC) new cybersecurity initiative so important, and Chairman Julius Genachowski’s speech last Wednesday such a radical and welcome addition to the cybersecurity discussion. The approach outlined by Genachowski, if followed, promises to address three key security weaknesses in the Internet in a way that actually works with the underlying principles that have made the Internet such a widespread success for everyone from the most unsophisticated end user to the most sophisticated tech giant: voluntary consensus, openness, and ease of use. By leveraging the strengths of the network to help overcome the vulnerabilities of the network, the FCC can do a lot to improve cybersecurity while simultaneously fulfilling its statutory mandates to protect consumers and promote broadband adoption and use.
More below . . .
Working With The Nature of The ‘Net, Not Against It.
I will unabashedly promote Genachowski’s speech as one of the best things I’ve heard to date on the right approach to cybersecurity from a federal official, and I urge every other federal agency looking at “cybersecurity” in any of its various aspects to read it. What gives Genachowski a unique perspective is the unique niche the FCC occupies. Unlike DHS or other folks in the cybersecurity establishment, the FCC actually has a mandate to promote the development and adoption of broadband. It has a statutory responsibility for public safety and the security of the communications grid as well, but it does not start with “Job One is security, whatever the cost.” It also has a consumer protection mandate, so it is no stranger to concerns about things like privacy.
Genachowski starts with a reminder of why we care about broadband and cybersecurity from an economic and consumer perspective. But critically, he also ranks as equally important that the Internet “is expanding and invigorating the public square, where digital tools are providing new ways of engaging with our government and with one another.” OK, that’s good so far, but not so different from where most folks start. But after describing the danger if we don’t address cybersecurity, Genachowski radically departs from the usual Cybersecurity Establishment. Here’s the money quote:
It’s important to pause and note the relationship between the Internet’s success and these new threats. The potential harm of cyber attacks is so great because the Internet has become such a key platform for innovation, economic growth, and opportunity — delivering more and more value to people everywhere, every day.
So as stakeholders address the challenge of cybersecurity, it’s vital that we preserve the ingredients that have and will fuel the Internet’s growth and success. Specifically, it’s critical that we preserve Internet freedom and the open architecture of the Internet, which have been essential to the Internet’s success as an engine of innovation and economic growth.
Preserving the openness of the Internet is not a concern to be balanced with security risks, it is a guiding principle to be honored as we seek to address security challenges.
Privacy is a similarly important principle. There are some who suggest that we should compromise privacy to enhance online security. This too is a false choice. Privacy and security are complementary – both are essential to consumer confidence and adoption of broadband. We can and must improve online security while protecting individuals’ privacy.
To translate: It doesn’t help to save the Internet from security threats if you end up ruining it. There’s an old joke about the surgeon who said: “The operation was a complete success. Too bad the patient died.” For too long, that’s been the attitude of much of the cybersecurity establishment. They view cybersecurity as “fixing” something wrong with the fundamental nature of the Internet, such as the open architecture that makes it so easy to connect and use, and demand that users adjust their expectations about things like privacy to reflect this “reality.”
Genachowski, by contrast, argues that successful cybersecurity must mean a successful Internet, or it defeats its own purpose. Effective cybersecurity therefore works with the nature of the Internet and the expectations of users rather than fighting against these principles. Indeed, working with the principles of the Internet makes security more effective, which enhances the success of the Internet. Taking this approach transforms cybersecurity from an internal struggle of the Internet against itself into a virtuous cycle. Yes, putting the principles that make the Internet successful at the heart of any cybersecurity initiative makes it more challenging to come up with solutions. But it also maximizes the likelihood of success.
Voluntary “Best Practices” Are The Right Approach Here.
Which brings me to the third critical element of Genachowski’s speech, the bottom-up approach:
A third key component for problem-solving in this area: the multi-stakeholder model. Like so many other Internet-related challenges, solutions to cyber threats will require the multiple stakeholders of the Internet community to work together and develop practical solutions to secure our networks. This approach has been fundamental to the Internet’s development, and I believe it is the right course for the Internet’s future.
Most cybersecurity initiatives start with “we’re the experts and here’s what has to happen to make things secure. Now you guys who are actually providing service need to implement what we tell you.” At that point, a negotiation ensues between the industry reps (and occasional consumer group reps) which uses the position developed by the cybersecurity establishment as the starting point. It also assumes that any solution to have value must be immediately universal, because this is *the* best solution. After all, it’s what the security experts decided we needed, and they are the security experts.
But as Genachowski points out, the Internet hasn’t worked that way, and it’s generally done very well. The genius on the technical side is recognizing the value of diversity in all aspects of the development, from problem solving to methods of implementation. What used to be called “rough consensus and running code.” Talk about stuff, come to some general idea about what to do, go run it, come back and tell everyone how it worked out. Keep building on what works, set aside what doesn’t.
I’m often accused of wanting regulation for its own sake. Baloney. From my perspective, regulation is a tool of public policy just as voluntary efforts and the bully pulpit are tools. The trick for good public policy is knowing which tool is appropriate for what (and when to leave well enough alone). It is just as wrong to say we always need a rule as it is to say we should never try a rule unless we’ve tried voluntary measures and “industry standards” first. A saw and a screwdriver are both useful tools, and one isn’t “better” than the other. No one ever says “saws are dangerous, always try a screwdriver before you ever try a saw.”
Here, I agree with the industry folks that voluntary cooperation and development of “best practices” are the way to go. I also think the FCC is well situated as the place to bring these stakeholders together. As I noted above, the FCC actually has relationships with providers as well as consumers, in addition to having its own experts. Its dual mission of promoting broadband and protecting consumers will help keep the effort focused. And the fact that it is a government agency allows the parties to share information and agree on standards without worrying either about antitrust or about the liability that might arise from candidly discussing known weaknesses.
I also think there is a lot of value in voluntary standards. ISPs are highly motivated to address cybersecurity issues, even if they have other concerns about the cost of implementation. So if people start implementing stuff and it works, we will see much more implementation. But because it’s voluntary, folks will be able to tweak it to their own circumstances.
Finally, I give high marks to Genachowski for picking three concrete problems to address. Again, a lot of people thinking about cybersecurity want to find a “comprehensive” solution. That makes the problem much harder, and much more likely to require radical change in the Internet’s architecture and user behavior. Picking specific things to tackle makes the problem solvable.
Genachowski talked about three things that fit comfortably in the FCC’s overall wheelhouse of broadband deployment and consumer protection and education. Botnets are a particularly useful one for the FCC to mediate because addressing them requires ISPs to do things like notice sudden shifts in a subscriber’s traffic (the infected computer starts doing stuff it never did before) and take appropriate action to protect the network and the user. It is easy to see how this could be mishandled, or even misused by some ISPs to collect user data for behavioral advertising or other purposes in the name of “cybersecurity.” Even without this concern, it is also important to think about this from the user perspective. The first thing a user with an infected machine will want to know is “what do I do next?” The FCC has experience with this kind of consumer outreach, and can serve as both a resource and a trusted source of information.
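To make “notice sudden shifts in user behavior” concrete, here is an added illustration (my own constructed example, not code from the post, the FCC, or any ISP) of the narrowest form that detection can take: compare each subscriber’s current hour of outbound flow metadata against that subscriber’s own recent baseline, using only counts of distinct destinations and mail-port connections. The subscriber IDs, IP addresses, and the 24-hour history are all constructed; the thresholds are assumptions. The point of keeping it to per-subscriber metadata is that it is enough to spot a machine that has suddenly started spamming hundreds of hosts, without reading payload or building the kind of behavioral profile the privacy concern above is about.

```python
"""Toy ISP-side botnet indicator: flag subscribers whose outbound connection
pattern shifts sharply from their own recent baseline.

Works on flow metadata only (pseudonymous subscriber id, destination ip/port,
timestamp), never on payload. Constructed example; not any ISP's real logic.
"""
from collections import defaultdict
from statistics import mean, pstdev

HOUR = 3600
SMTP_PORTS = {25, 465, 587}  # direct-to-MX spam usually shows up on 25


def hourly_features(flows):
    """Group (subscriber, dst_ip, dst_port, ts) flows by (subscriber, hour)
    and reduce each hour to two numbers: distinct destinations and mail-port
    connections. Nothing about *what* was sent is retained."""
    dsts = defaultdict(set)
    smtp = defaultdict(int)
    for sub, dst_ip, dst_port, ts in flows:
        key = (sub, ts // HOUR)
        dsts[key].add(dst_ip)
        if dst_port in SMTP_PORTS:
            smtp[key] += 1
    return {k: {"distinct_dsts": len(v), "smtp_conns": smtp[k]}
            for k, v in dsts.items()}


def build_baseline(history_flows):
    """Per-subscriber (mean, std-dev) of each hourly feature over the history.
    Each subscriber is compared only against itself, not against 'normal users'."""
    per_sub = defaultdict(lambda: defaultdict(list))
    for (sub, _hour), feats in hourly_features(history_flows).items():
        for name, val in feats.items():
            per_sub[sub][name].append(val)
    return {sub: {name: (mean(vals), pstdev(vals)) for name, vals in f.items()}
            for sub, f in per_sub.items()}


def flag_shifts(current_flows, baseline, z_threshold=4.0, min_absolute=20):
    """Return {subscriber: [reasons]} for subscribers whose current hour exceeds
    their baseline by more than z_threshold std-devs AND by more than
    min_absolute connections. The absolute floor keeps a quiet subscriber who
    goes from 1 host to 3 from being flagged; max(sigma, 1.0) keeps a perfectly
    flat history from producing a zero-width band. Thresholds are assumptions."""
    flagged = defaultdict(list)
    for (sub, _hour), feats in hourly_features(current_flows).items():
        base = baseline.get(sub)
        if base is None:
            continue  # no history for this subscriber: nothing to compare, don't guess
        for name, val in feats.items():
            mu, sigma = base[name]
            excess = val - mu
            if excess > min_absolute and excess > z_threshold * max(sigma, 1.0):
                flagged[sub].append(f"{name}={val} vs baseline {mu:.1f}+/-{sigma:.1f}")
    return dict(flagged)


def sample_history():
    """Constructed 24 hours of flows. sub-a: ~20 web hosts/hour, no mail.
    sub-b: ~15 web hosts/hour plus two submissions to its mail provider."""
    flows = []
    for hour in range(24):
        base = hour * HOUR
        flows += [("sub-a", f"203.0.113.{i}", 443, base + i * 60) for i in range(20)]
        flows += [("sub-b", f"198.51.100.{i}", 443, base + i * 60) for i in range(15)]
        flows += [("sub-b", "192.0.2.10", 587, base + 1800 + i) for i in range(2)]
    return flows


def sample_current():
    """Constructed 25th hour. sub-a is unchanged; sub-b has started talking
    directly to 300 distinct hosts on port 25 (spam-bot pattern); sub-c is a
    brand-new subscriber with no baseline."""
    base = 24 * HOUR
    flows = [("sub-a", f"203.0.113.{i}", 443, base + i * 60) for i in range(22)]
    flows += [("sub-b", f"10.0.{i // 256}.{i % 256}", 25, base + i * 10) for i in range(300)]
    flows += [("sub-c", f"203.0.113.{i}", 443, base + i * 60) for i in range(40)]
    return flows


if __name__ == "__main__":
    print(flag_shifts(sample_current(), build_baseline(sample_history())))
```

Two design points matter for the policy discussion above. First, the comparison is subscriber-against-own-history, so it needs no cross-user profile and only a rolling window of aggregate counts. Second, a flag is the start of the user-facing problem, not the end of it: the next step is the “what do I do next?” notice, and a legitimate change (a new backup service, a mail server the subscriber set up on purpose) will trip the same check, so the notice has to let the user say so.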
Obviously, we will need to see what happens next. A good speech is only the first step. But it’s important to recognize what makes voluntary standards setting likely to succeed here, as opposed to in other areas like, say, 700 MHz interoperability or AllVid. This is a situation where the benefits of participation and mutual cooperation by the ISP industry are obvious to all the players, rather than beneficial to some and contrary to the financial interests of others. Indeed, development of standards in this fashion is superior to the more traditional cybersecurity approach of “government will come up with something, then give you a chance to respond.”
So I’m hopeful we will see a lot of good come out of this. In particular, I am hopeful that success of this initiative will get the rest of the cybersecurity establishment to reexamine some of their basic assumptions and start thinking about “cybersecurity” as an end-to-end process that works with the Internet’s strength, rather than thinking of themselves as here to forcibly fix what they see as the Internet’s weaknesses.
Stay tuned . . . .