Sorry, but copying text is forbidden on this website!
We all know that cyber security is something of great importance to anyone trying to protect their network assets, customer assets, and personal assets. The list of possible risks associated with neglecting to practice good cyber security are endless, and the dangers lurking out in cyber space too numerous to imagine anyone who is controlling any type of company network to ignore; but the question here is whether or not the government should become the cyber security enforcer not only within in its own government sector but also within the private sector as well as a public good. Before we get into the discussion of whether or not the government should play this role, I believe we should have a short discussion on what “public good” actually means. Generally speaking “public good” is a loose term used to justify some kind of action one is taking, by saying that it is in the best interest of the general population to do so.
The implications behind the use of the term “public good” is that #1 the action is beneficial to a majority of the population; and #2 that the majority of the population is either too ignorant, or incapable for some reason of performing the action for themselves. The use of the term is also handy because it is non-specific as to WHO is actually benefiting from the actions; is it the general consumer, the small businesses, big businesses, the government, a special interest group, all of the above, none of the above, Who? Who is actually benefiting from the act? By using the term the “public good” one does not have to account for who is actually benefiting. Nor do they have to identify who might be harmed or negatively affected by the action either. Additionally by using the term that it is for the “public good”, by default the concept of how much will it cost, and who is going to pay for it, is seemingly automatically a non-concern.
So by the very nature of the term for “the public good” the user of said term has attempted to write themselves a blank check, quantifying and justifying any and all actions they mean to implement and enforce. The term “public good” has been used by various entities throughout history to accomplish some of the most horrendous crimes against their people, and to extort unimaginable amounts of wealth and goods from their populations. Anytime the term “public good” is used to ask for justification for an action from any entity it should be immediately critically examined with a very find tooth comb to find what the motivations for such a kind gesture might be, as well as analyzed by a staunch accountant to find out where the money is, and where it leads in the proposition. The term “public good” more than any other term I can think of, is more often than not the very term used to lead more sheep to their own quiet slaughter then any war cry ever has. It should always be approached with skeptism and caution when used, especially in conjunction with the word government.
Is Enforcement of Cyber Security a Public Good?
Should the enforcement of cyber security be considered a “public good”? This is a very difficult question to answer. In theory, on the surface, enforcement of cyber security seems like it might be a very viable public service. As viable as other protections offered as a public good such as the services of military and police protections. But then you begin to look a little deeper into the subject and you realize that enforcement of cyber security protections has many more layers then the enforcement of physical protections such as military and police. In order to enforce cyber security an entity would have to do much more than simply provide, train, and fund forces to patrol the physical areas that are in danger. Enforcing cyber security is much more akin to forcing a draft of military service on the general population and forcing them to pay for their own room, board, training and service expenses while they are in the military to boot.
In order to enforce cyber security you must force each person who has any interaction with the cyber world, into becoming a cyber security guard, whether they wish to be one or not. Additionally you force any entity whether it’s a multi-billion dollar corporation, a single person running a business out of their basement, or a member of the general population at large trying to access the internet, into funding not only the physical equipment and software required to be a good cyber security guard, but the endless training and education expenses associated with it as well. It would be like an entity not only suggesting that people should have locks on their doors, but enforcing it with requirements for double steel enforced 12 inch wide doors with a minimum 3 locks on it.
One of which had to be specialty ciphers lock, and penalizing those that do not have said door, by taking away their entire house. This “public good” if done the way it would be required to be done to actually be minimally effective, has now become a universal burden just like taxes, who’s only community quality would be the unified contempt the “public” would have for its enforcing entity and enforcement policies; very much like the contempt the general public has for the IRS. This all being said, I think it safe to say that calling the mandatory enforcement of cyber security a “public good” is about as accurate as calling the mandatory taxes we pay a “public good”. Most people when left to speak of their own analysis as to whether or not taxes are really something that is good for the majority of the public would tend to beg to differ.
Should government enforce cyber security in the private sector?
The government of the United States has many roles. Some of these are roles it was intended to have by the Founding Fathers, as written into the Constitution, and most others were assumed, inherited, given, or seized by some means still unknown to me. One of the proper roles of the government is to provide protection to its citizens by the creation and enforcement of laws that protect the people, ie..Murder is a crime punishable by death; and the creation of protection entities/forces such as police, fire, and military, to physically patrol the areas our citizens inhabit to protect the lives, and property that they own, which is inclusive of the land they occupy as a nation. These concepts were pretty cut and dry, although our congress still found a way to somehow muddy them; but until recently with the invention of the internet and cyber space it was pretty easy to tell where the borders of our nation ended and another’s began, and what constituted a criminal action against another person’s being or property. At least the common man could tell these things, lawyers, judges and politicians can be excluded from that statement.
In cyberspace, there are no boundaries. The line of what to protect and what is outside the realm of required government protection is very gray. Therefore the government up until now has restricted its enforcement of cyber security to its own government networks. This level of protection is the proper responsibility of the government, because it is protecting its networks in the interest of national security. The department responsible for the protection of its citizens as well as national security is the Department of Defense. The past 15 years with the explosion of Information Systems the DOD has found that its workload and responsibilities have increased dramatically with the government use of Information Technology systems. In the past 5 years alone the cyber security workload on the DOD has more than doubled. Although the U.S. DOD is probably the most secure and efficient government entity in the world, it is far from ideal on levels of security, and it lacks the manpower and resources to keep up with its own demands of cyber security implementations.
I have worked in the DOD for over 10 years now, and can tell you first hand that security incidences occur daily, and the security risks to our government networks is a constant ebb and flow of action/reaction. Rarely does the department get a chance, have the time, or the resources to be pro-active instead of re-active. Ultimately as well, with the very best security technologies in place, even the government must remain dependant on the human elements to protect the networks, and information. The Wiki-Leaks internet postings are a perfect example of that dependency gone badly. It may or may not have been a technical mis-security that allowed that government employee access to all that sensitive data, but it was ultimately several human failures that allowed for that information to be posted on the internet.
The failure of the trusted government employee to keep the information he was entrusted with secret, and the failure of how many internet web site owners to work at protecting sensitive national data of the country some of them were actual citizens of. The idea that the current DOD could even enforce cyber security in the private sector is not only laughable, but also an extremely menacing and terrifying concept. The government enforcement of cyber security in the private sector, “for the public good” of course…would be nothing more than a ruse to cover its real aim; which would be regulation of the internet, or to put it bluntly the control of the last totally unregulated vestige of free speech. Besides the obvious issue of lack of integrity behind its intentions there are numerous reasons why the U.S. Government should stay out of the business of regulating the enforcement of cyber security in the private sector.
The government, as stated above does not actually have the time, or the resources to manage or enforce any other security implementations outside of itself. • The government already spends most of its time in reactive mode on the security frontier; trying to find additional time to analyze or validate the security set ups of private sector companies as well would be near impossible. • The government does not have the money. Funding for such things as IT equipment hardware and software upgrades is already spread extremely thin. Many times government offices and system are running on hardware and software that are years behind the current releases due to replacement funding issues. • The government lacks the technical expertise in its ranks to be able to support or even audit / validate the security implementations in private businesses. Over 80% of the technical workforce working on government systems are contract workers, hired in because of the lack of security/technical expertise in the government employee workforce. The government does not have within its scope the right to enforce cyber security implementation within the private sector.
• The government scope as outlined by the constitution is to protect its citizens against foreign attack on its own sovereign soil, as well as to protect its citizens from physical attacks and destruction of their private property within the boundaries of its nation. There are no boundaries to cyber space; therefore when a citizen of the U.S. chooses to enter into the boundary less area known as cyberspace, they are choosing to inhabit an area that is outside the scope of their countries ability to protect them. They do this at their own risk. If these same citizens left the safety of the U.S. and put themselves willingly into the middle of Egypt right now, they are taking their chances full well knowing that they are willingly giving up the safety and protection of the U.S. If they are taken captive, the U.S. will attempt to negotiate for their release, but it cannot, and will not guarantee it. If it can secure their release or do anything at all for them, it will, but many times it can do nothing so far outside its jurisdiction; just ask Nicholas Berger, the American beheaded in Iraq several years ago.
• The government’s responsibility to provide protections to its citizens is a provision of protections that are within reason. Although the government provides police, fire, medical and military services to their citizens; I for one do not have my own personal police officer, or doctor escorting and to attend to me in case I should run into a mugger on the street or get a sniffle in the middle of the night. The services provided are broad, sweeping, and for the use of the general population to both reduce and deter its own population from being criminals as well as to protect and serve its own population. Cyberspace is not its own population.
• The government was never given authority to regulate business, in any way, shape, or form; not for the “public good” or for its own expansion. Not in the name of protections for its people, and not with its intent to create legal monopolies, or cater to interest groups. Regulation of any business interests, including the enforcement of cyber security on business networks is outside of what the government is supposed to doing, and a conflict of interest to the type of government that was originally established for the country which was a democracy. The government does not have the flexibility to efficiently enforce, and manage the cyber Security regulations and compliancy of the private sector, and in trying to do so, would only hinder the progress of the cyber security technologies industries, and protections implemented by the private sector.
• Cyber Security is a MOVING target. The government is a lethargic beast. Government bureaucracy consumes easily 60% of all the time, money and resources spent by the government. Time being the biggest issue on this point. Cyber security in order to be the most effective has to be able to be tweaked, re-configured, and updated as fast as your average cyber criminal can re-invent ways to penetrate. The higher value the data is that you work with as a company, the quicker and more flexible you must be to maintain a secure network status. An individual with little valuable data on their system does not need to be all that concerned with the security posture of their system. Not all systems, businesses, and networks can be considered the same, and each ones security posture is going to be based on the value of what they are trying to protect. All cannot and should not be regulated the same. • Creating any type of tiered regulation for cyber security enforcement will add layers of bureaucracy and therefore delays in actual implementation. Once again being counterproductive to the enforcement in the first place.
Who is going to pay for the government to take on this further endeavor? I don’t know about you but I pay enough in taxes for useless programs, counterproductive government measures, misrepresented & abused government powers, and generally overall government meddling in the private sector, both businesses and personal. Even if they charge the businesses for their “services” the cost will ultimately end up on the general population. This is where the cost always ends up; and this will be no exception.
What is the point of the government enforcing cyber security regulating the portion of the internet that runs through the U.S. internet gateways and DNS servers, when it has absolutely no control, or jurisdiction to control anything outside of it. All you would be doing is creating a black market for “foreign” internet feeds; creating yet another flourishing criminal market. Does “prohibition” – the very act that gave the organized mob their greatest power and fastest wealth windfall, or the more modern “war on drugs” that is only serving to create some of the most vicious cartel wars seen, why… because the attempt to regulate and control it only serves to make it an even more profitable illegal industry.
Shouldn’t the government stay focused on where it should be focused? Especially since IT has the largest network, with the most valuable and sensitive data in the country on it. Protection of this data actually falls within the scope and responsibility of the government, in the interest of national security. The data on its network actually does have life and death consequences to people.
Very few other enterprises process data with such importance and consequence. So shouldn’t the government worry about its own house and worry about maintaining it; instead of trying to regulate the private industry which is not only outside of their scope of responsibility, but is also a project with so much less importance then their own. It seems insane to wish them to focus on anything other than their own networks, and data. The one exception would be for them to have a level of standards required of any business network that was allowed to connect directly to them. I am happy to report, these are relatively few.
What would be the impact of government enforced cyber security in the private sector?
There would be numerous impacts to the private sector if government tried to enforce cyber security regulations. Many I can name right now, and numerous I am sure would be unexpected results. • The price for such regulation would ultimately fall on the average citizen to bear. • The price for such regulation would drive numerous smaller companies unable to bear the cost (and also processing information not much worth hacking) out of business. • The overall security posture for the private sector as a whole would be reduced- business that needed increased security then government standards would even out with businesses needing very little security carrying all kinds of security they don’t need.
• The rights of a business and the people to use their own judgment to decide the amount of security needed on their enterprises is once again diminished, and compromised, as well as them to suffer the consequences of misjudgments nullified. Building dependency on the government for critical thinking and analytical skills as well as basic survival skills is continued. • A flourishing and profitable black market for “non-regulated” internet feeds is created. • The integrity of the biased lean of the information being “regulated” through to the general population is immediately under question; resulting in further distrust of the regulating entity…ie government. • Overall to both the businesses being regulated and the businesses that produce technology instruments and devices the impact would be negative.
Should private industry have the responsibility to protect national security? Private industry has a duty to protect national security when it’s a situation that is a direct action to do so. For example, a company that processes government information has a duty to protect that information. A company that sells porcelain dolls has no responsibility to protect the national security. Just as they would not load up their employees with camouflage and weapons and send them out to a base to somewhere to “assist” the troops for a day every week, they don’t have a duty or responsibility to practice cyber security out on the internet like some kind of mercenary.
It is good business sense for them to practice some level of cyber security that is appropriate to the sensitivity and value of the data they process but that is an act of self interest; and a show of good business intelligence. Not only does private industry not have a responsibility to protect the national interest by practicing cyber security, but once again should protect their own interests and leave the national interest to the appropriate experts. Only companies that process government information, or connect to government systems should be attempting to apply cyber security in the name of national interest. Those are the only people who have that duty and the only people properly schooled in the expertise to do so, and should have an interest to. Any other business or entity should remain concerned with their own business interests, or be brought under suspect for spying or espionage; they have no business being concerned with the national defense and should stay out of it.
Tuutti , C. (2010, September 13). Cyber experts:
espionage, apts, malware among most dangerous
cyber threats. Retrieved from http://www.thenewnewinternet.com/2010/09
Stenbit, John.P. Department of Defense, Command,
Control Communications and Intelligence. (2003).
Information assurance implementation (8500.2).
Washington, DC: DISA.
Bavisi, J. (2010, July 26). Biggest national security threat: cyber attack. Retrieved from http://www.foxbusiness.com/personal-finance/2010/07/26/biggest-national-security-threat-cyber-attack/
Dhamankar, Dausin, Eisenbarth, King, Kandek, Ullrich, Skoudis, Lee, R., M.,M.,J.,W.,J.,E.,R. (2009, September 09). The top cyber security risks. Retrieved from http://www.sans.org/top-cyber-security-risks/
Aitoro, J. (2010, August 17). Employees still pose biggest security threat, survey finds. Retrieved from http://www.nextgov.com/nextgov/ng_20100817_1347.php
Bishop, M., & Irvine, C. (2010). Call in the cyber national guard! IEEE Computer and Privacy, 8(1), Retrieved from http://www.computer.org.ezproxy.umuc.edu/portal/web/csdl/abs/html/mags/sp/2010/01/msp2010010056.htm
Clarke, R.A. (2010). Cyber war: the next threat to national
security and what to do about it. New York, NY: Ecco.