August 9, 2012

TSG IntelBrief: The Complex Challenge of Cyber Legislation

As of early August 2012, the U.S. effort to shore up its cybersecurity posture through legislation aimed at establishing roles, missions, and responsibilities remained stalled. This occurred in the context of greater public awareness of the country's vulnerability to both state-run and non-state actor assaults on America's critical infrastructure.

At the end of July in Las Vegas, a gathering for Black Hat and Def Con 20, annual conventions for hackers and other information security stakeholders, illustrated weaknesses in the security of information technology. One of the presentations held during these conferences demonstrated alarming vulnerabilities, and the potential for their exploitation, in routers produced by the Chinese multinational company Huawei. These include "flaws" that appear to be built into the firmware and that would allow an unauthorized third party to remotely access a networked computer operating behind one of these routers.

An industry giant, Huawei has long been a subject of controversy in the security world. The company's partnerships with global competitors such as 3COM and its extensive penetration of the telecommunications market mean that a large number of users around the world would in some way connect to a Huawei product. The company's close ties to the Chinese government and People's Liberation Army have sparked U.S. congressional inquiry into potential national security threats. In 2008, Congress launched an investigation into a Huawei-3COM merger and in 2010, following a negative assessment from the Director of National Intelligence, a review of Huawei's proposed contract with Sprint ultimately led to revocation of the bid. Although Huawei has steadfastly denied the existence of the aforementioned vulnerabilities, those at the conference say they were clearly demonstrated by security researchers.


Stepping Beyond the Political-Military Boundary

In attendance at the Las Vegas conference was General Keith Alexander, who serves as both the commander of the U.S. Cyber Command and the director of the National Security Agency. He and General Martin Dempsey, the Chairman of the Joint Chiefs of Staff (JCS), separately wrote letters to members of the U.S. Senate urging the passage of cybersecurity legislation that had been scheduled for consideration last week. Military leaders are not conventionally involved in the policymaking process; instead, they carry the responsibility for executing policy. In fact, in 2008, then-JCS Chairman Admiral Michael Mullen wrote an opinion piece in the Joint Force Quarterly, a publication of the National Defense University, warning that politics and military leadership do not mix as the military is inherently apolitical. That these top officials would openly advocate for a cybersecurity bill could signal the seriousness of the cyber threat from the military's perspective.

Yet despite the warnings of Generals Dempsey and Alexander, the Senate could not muster the 60 votes required to end the debate on the bill and move toward a vote on its passage. Among the sticking points from the Republican side was the idea of placing the Department of Homeland Security (DHS) in charge of developing standards for critical infrastructure sectors and their relevant executive agents. Critics of DHS contend that the agency has a poor track record of mandating effective security measures and that it lacks the resources and technical expertise to work with the private sector in developing best practices and standards.


Balancing Public and Private Sector Interests and Capabilities

Jurisdictional challenges also remain in the cyber world. Some within the government argue that an agency with budgetary authority, such as the Office of Management and Budget, would be the appropriate entity to compel change in agencies within the executive branch. Others point to the National Institute of Standards and Technology (NIST), which has developed cyber-related standards that are currently being used by some federal agencies. (Earlier this year, NIST established the National Cybersecurity Center of Excellence, which was designed to be "a public-private collaboration for accelerating the widespread adoption of integrated cybersecurity tools and technologies.")

The complexities do not end there. There is substantial support for the private sector as the arbiter for setting standards given its prominent role on the front lines of the cyber battlespace and the fact that it is the free market system that drives competition to ensure security. Detractors of this position, pointing to market failures, place the Department of Defense and the National Security Agency in the best position for ensuring federal government cybersecurity. Meanwhile, privacy and civil liberties activists warn of unnecessary intrusions into the private lives of citizens that this last option might produce.


A Global Perspective

In countries where constitutional mandates do not grant individual privacy and free speech protections, cybersecurity is often far less controversial. Without these restrictions, a country like China, where censorship on the Internet is routine, may face little public resistance against sweeping government Internet monitoring programs. Similarly, in countries where the government owns or controls Internet service providers (ISPs), it is also easier to impose regulations or even shut them down in a time of crisis. In Estonia, for example, the government's close ties with a relatively small number of ISPs were called upon in defense against a massive cyberattack. A plethora of independent network providers with outsourced labor and parts presents a commensurately larger security challenge.

Returning to the U.S., in attempting to reach a bipartisan compromise on the Cybersecurity Act of 2012, Democrats had removed the language that would have prescribed mandatory regulations and instead replaced it with a voluntary scheme. The bill's authors lamented that this removed the "teeth" of the measure. Yet despite this concession, Republicans argued the bill had bypassed the normal committee process and still contained too many unresolved points to end debate and bring it to a floor vote. Even if it had passed, it would have still needed to be reconciled with the Cyber Intelligence Sharing and Protection Act, which passed in the House of Representatives in April. That bill was based largely on existing voluntary information sharing programs between government agencies and the private sector. And despite the Democratic concessions noted above, President Obama has threatened to veto any legislation that came before him lacking the strong regulatory component.

Given the exponential rise of technology, where a qualitative advance that once took place over a decade may now unfold in less than a year, the cyber threat will continue to assume an ever more insidious guise. As in soccer, there are no timeouts in cyberspace. As a result, while debate over cyber legislation continues in the U.S. Congress, the threat will evolve at a far more rapid pace than any legislation designed to address it.
Also available: TSG Specialized Reports: The Soufan Group's world-class network of intelligence analysts produces specialized geopolitical and risk assessment products tailored to the unique needs of our clients in the public and private sectors. We welcome the opportunity to discuss your requirements and explore how our intelligence services can assist you in achieving your strategic objectives. For more information, please contact us at: