The following op-ed, co-written by Harvard Law School Professor Jack Goldsmith and Melissa Hathaway of the Harvard Kennedy School, appeared in the May 29, 2010, edition of the Washington Post. Goldsmith served as an assistant attorney general in the George W. Bush administration and co-authored “Who Controls the Internet?” Melissa Hathaway, a senior adviser at the Belfer Center of Harvard University’s Kennedy School of Government, led President Obama’s Cyberspace Policy Review.
The cybersecurity changes we need
by Jack Goldsmith and Melissa Hathaway
The news is filled with scary stories about the insecurity of the computer and telecommunication systems on which our nation’s prosperity depends: malicious software planted in electricity-grid computers; rampant state-sponsored and criminal cyber-espionage and theft; and the possibility of cyberattacks on banking and transportation systems. Exactly one year ago, President Obama declared our “digital infrastructure” to be a “national security asset” and pledged to make it “secure, trustworthy and resilient.”
His administration has made little progress toward this goal, however, largely because cybersecurity is seen as a tax on short-term economic growth.
Digital progress brings many benefits, but our ever-deeper dependence on ever more complex computer systems also brings excessive security vulnerabilities. The sources of these vulnerabilities include software with too many bugs; the use of commercial off-the-shelf software produced in a global supply chain in which malicious code can be embedded by stealth; inadequate cooperation about security threats and effective security practices among firms and between firms and government; and computer malfeasance by botnets (large clusters of zombie computers, controlled by third parties, that can be used for cyberattacks).
Well more than a dozen executive branch and National Research Council reports over the past two decades attest to the fact that the government has long known about these and other causes of cyber-insecurity. But it has failed to take adequate steps to fix them because doing so is seen as a drag on innovation and profits.
Imposing liability on manufacturers will increase software prices for consumers and slow software development. So too will demands for supply chain vigilance. Mandating information-sharing is expensive and might jeopardize some corporate secrets. Clamping down on botnets will make Internet access slower and more expensive.
The short-term economic gains from increased reliance on computer systems must be balanced against the medium- and longer-term losses from failing to adequately secure these systems. This is what President Obama meant when he said last year that “America’s economic prosperity in the 21st century will depend on cybersecurity.”
Unfortunately, cybersecurity is expensive; its diffuse benefits are hard to see or quantify, and they usually come down the road. For decades, Washington has opted to pursue short-term economic gains from digital progress and to ignore the longer-term costs of not properly securing these systems.
This trend has continued under the Obama administration. In March the Federal Communications Commission unveiled an elaborate National Broadband Plan that promises to wire more Americans with much faster Internet connections. The plan acknowledged that more broadband would increase security vulnerabilities and noted that the country “needs a clear strategy for securing the vital communications networks upon which critical infrastructure and public safety communications rely.”
But it said very little concrete about how to do this and instead asked the FCC to issue a “roadmap to address cybersecurity.” The government has issued many such roadmaps over the past two decades. We know what the road toward security looks like; the hard part is getting the government to travel down it.
The administration is pushing initiatives for deeper integration of computer systems in other contexts, including the “smart grid,” a computerized network that facilitates electricity and information flows between homes and electrical suppliers; computerized health records; and next-generation air-traffic management. In each context it recognizes potential security problems, but it has made only nominal proposals, not consonant with the security threat, to address these issues.
Nor has the administration insisted on security standards as firms and the government quickly migrate to a paperless system that stores data and runs computing from the imperceptible “cloud” of computers dotted around the globe. More generally, it has not followed through on the many cybersecurity regulatory proposals outlined in the Cyberspace Policy Review that President Obama endorsed a year ago. The National Security Strategy released Thursday confirms the importance of cybersecurity but breaks no new ground, only mimicking the general themes from last year’s review.
There is widespread agreement that this long-term trend of grabbing the economic gains from information technology advances and ignoring their security costs has reached a crisis point. Yes, computer security is expensive and can slow growth. But with too little investment in security, the gains from computer integration can be wiped out or reversed. As we progress digitally, we must also adopt and embed sometimes-costly security solutions into our core infrastructures and enterprises and stop playing the game of chance.
This approach demands leadership from the White House and Congress that is difficult to muster in hard economic times. The lesson of the past two decades is that the nation will not get serious about cybersecurity until the costs of not doing so are more apparent — probably after some component of our economy is destroyed by a catastrophic cyber-event.