Is it time to lay down the law about cybersecurity?
Who’s up for government regulation of the Internet? Yes, my skin is crawling at the thought, just like yours.
Still, some kind of government action seems inevitable. Online vandals, thieves, and spies are running wild on the global network. Tougher, smarter laws may offer our only hope of fending them off.
But what kind of laws? I suspect we’ll need regulations that compel digital device companies to make their products more secure. We might also force Internet service providers to use new technologies that could help clean up their networks.
Whatever we do, we’d better do it fast.
In recent months, we’ve seen hackers, probably working at the behest of Russia, interfering with the presidential election by publishing stolen e-mail messages and attacking voter registration databases. Some of the Internet’s most popular sites, like Twitter and Spotify, were inaccessible to millions of users during a major cyber attack less than two weeks ago. It’s possible that vandals could launch another such assault Tuesday, causing panic and outrage as millions of us head to the polls.
Those latest attacks were launched by hackers who infiltrated security cameras, video recorders, and other common gadgets that were hooked up to the Internet and used them as launch pads. Millions more such devices are being added to the sprawling network called the Internet of Things, and many won’t have basic cyber protections that could prevent attacks.
And don’t expect the free market to fix the problem. Securing IoT gadgets costs lots of money but generates little revenue, so there’s no incentive to make the devices safer.
Except for the most effective incentives known to man: pain and fear, the kind best delivered by government. The right sorts of legal incentives might goad hardware makers and network operators into designing systems that will be harder to hack or crack.
Product liability law is the ideal small-government solution. Victims of an attack enabled by insecure digital devices might sue the manufacturer into taking security seriously. But Gus Hurwitz, a former Justice Department technology attorney now teaching at the University of Nebraska, said it’s hard to prove that a bug in an infected Wi-Fi router a thousand miles away was responsible for crashing your computer.
“Historically, most courts have said that there are no recognizable injuries” when a company sells insecure devices, Hurwitz said. “They don’t face liability.”
So securing our networks may require a hands-on approach by government. There’s plenty of precedent. A century ago, as automobiles began to clutter the roads and aircraft filled the skies, an infrastructure of laws and regulations was created to cope with them. Often, obvious safety practices were adopted only when businesses were given no choice. Seat belts, for instance, became standard equipment after 1968, when a federal law made them mandatory.
Bruce Schneier, a fellow at Harvard’s Berkman Klein Center for Internet and Society, said that only a similar response by the government will bring the Internet under control.
“The market can’t do this,” Schneier said. “What we have here is a market failure.”
Schneier wants mandatory security standards for all IoT devices sold in the United States. For instance, a manufacturer could not sell an Internet router that didn’t require the user to set up a strong password. It’s hardly a foolproof cure. Passwords can still be beaten. But today, many devices don’t require passwords at all, making them open gateways for criminals.
You don’t want the standards set by Washington — that would take forever. Besides, most devices are made abroad, so this would require worldwide compliance. Luckily, there’s an alphabet soup of global organizations, such as the Institute of Electrical and Electronics Engineers and UL, that can handle the heavy lifting. The government need only choose which standards to enforce — a challenging job, still, but manageable.
On the downside, Corey Thomas, chief executive of the Boston data security firm Rapid7, told me that device regulation would mean fewer innovative gadgets from low-budget startups that can’t afford to meet the standards. This would help cement the dominance of giant tech companies that could easily afford to comply, like the networking titan Cisco Systems Inc. Fair point, but it’s a price we may have to pay.
Besides, since the United States is one of the world’s biggest markets for digital gear, manufacturers would probably apply American standards to all of their products. So better US regulation is likely to mean better network security for the rest of the world, too.
If locking down our devices doesn’t fix the problem, we may have to redesign the Internet itself. For instance, a consortium of Internet engineers has developed software standards that would make it much harder for bad guys to launch attacks like the one that recently crippled Twitter. Some American Internet providers have adopted it; others have not. Perhaps the tougher standard should be mandatory.
I don’t much care for Internet regulation. But I’m hoping the mere suggestion of it throws a scare into some very smart engineers who will devise a far less intrusive way to protect us from Internet attacks. Otherwise, our security woes will become so severe that we’ll demand help from anyone, even Uncle Sam.