Speaking at a conference at Georgia Tech, Director of the U.S. National Security Agency General Keith Alexander pressed Congress last week to pass legislation creating a more effective information-sharing regime between government and businesses to help protect the nation’s security. Just as past legislative efforts such as the proposed Cyber Intelligence Protection Act (CISPA) have faced widespread backlash for imposing high regulatory costs on businesses while risking infringing basic rights, the fear remains that Alexander’s proposals simply suggest more of the same.
Alexander’s recent statements will rightly face heightened scrutiny over such legislation’s potential to infringe on the rights of citizens and the interests of businesses. However, despite necessary scrutiny over such delicate issues, the General’s recent statements add much needed realism to current debates about cyber security. That is, with the current state of fragmented Internet infrastructure operations, the reality is that the government does not see a clear picture of what is going on in cyberspace.
In his speech Alexander noted, "I know the public thinks that we see everything. The reality is that we don't ... If Wall Street is going to be attacked … the chances of me seeing it are limited…”
The fact is that the wealth of data information held by large U.S. businesses (outlined, for example, in a 2011 McKinsey & Company report) could drastically broaden the government’s ability to see a comprehensive picture of cyber space. Without a more coordinated infrastructure, the intelligence community’s ability to see the big picture is limited. Alexander's proposals call for a system of data exchange where threat information in a "metadata-like format" can be sent between businesses and government authorities at "network speed."
The risks of cyber threat remain hypothetical and difficult for policymakers to pin down. Intelligence Director James Clapper warned last week in a statement to the Senate Committee on Intelligence that there exists a “remote chance of a major cyber attack against U.S. critical infrastructure systems during the next two years” which could result in “long-term, wide-scale” damages such as regional power-outages.
In February, President Obama put forward an executive order addressing cyber security. “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control system,” the president warned, announcing his intentions to work to more clearly define government responsibilities concerning cyber security. However, the president’s order remains weak without the backing of congressional legislation.
Any such legislative solution, of course, will raise a host of problematic aspects that should be predicted and minimized. Just as Senate Republicans, led by John McCain of Arizona, criticized previous efforts placed standards too burdensome for businesses, any new legislation must tow a careful line to eliminate risks of business liability for data sharing. There are numerous risks to opening the floodgates of government oversight in this area. Related criticism from analysts at Foreign Policy and the ACLU last year found overly broad information legislation violates civil liberties, and any new proposal must work carefully to craft limited, specific language that secures bipartisan support and addresses privacy and business concerns. Understanding the risks and potential for harnessing big data will remain a pressing task.
Still, efforts to secure cyber space have rightfully reached the forefront of international agenda in recent months. UK officials recently announced the launch of their own initiative to share information between businesses and government. Cyber security has also gained a place at the forefront of NATO’s agenda, listed as an “urgent task” for the organization, which recently announced a 58 million euro contract to establish its own cyber response capabilities. Despite challenges, data sharing can offer a variety of new tools to the intelligence community by providing a clearer picture of cyber space. Congress should carefully, but urgently, take Alexander’s advice and press ahead to address possible policy options that consider the benefits of information sharing.