Larry Downes: If It Ain't BrokeBy Larry Downes | Posted 09-12-2006
Larry Downes: If It Ain't Broke
In May, Veterans Affairs Secretary R. James Nicholson told Congress he was "mad as hell" when he learned that a laptop computer containing unencrypted personal information on 26.5 million military personnel had been stolen from a VA employee's home. Soon afterward, the White House released a memorandum recommending but not requiring basic security rules for mobile devices used by federal employees.
Then, in early August, only three days after two Maryland teenagers were arrested in connection with that laptop theft, the VA announced that another laptop, this one containing a mere 38,000 personnel records, had gone missing from defense contractor Unisys. No word yet on Secretary Nicholson's mood.
Of course, these two Veterans Affairs' affairs are only the latest in a string of embarrassing computer-security incidents involving government agencies. So it might seem oxymoronic to ask how a federal bureaucracy that can't protect its own data from teenagers can be expected to protect yours and mine from natural disasters and terrorists. But that is precisely the question posed by "Internet Infrastructure: Challenges in Developing a Public/Private Recovery Plan," a report published in July by the Government Accountability Office.
Not surprisingly, the GAO concludes that the Department of Homeland Security, whose job it is to protect all national infrastructures from natural and terrorist catastrophes, has so far done almost nothing with regard to the Internet. A few highlights:
What should the DHSor, for that matter, any other arm of the federal governmentbe doing to protect the Internet? The administration's own answer depends on whom you askor rather, when. In September 2002, the White House released a draft entitled "National Strategy to Secure Cyberspace," an impressive report that evaluated the threats to Internet security on a variety of dimensions. The draft offered detailed recommendations for improvements to be made not only by government, but also by infrastructure providers, large and small companies, and home computer users, everything from "use a tough password" (home users) to "ensure that security is embedded in the business operations" (large enterprises).
Looking to the Private
But when the final version was issued, in February 2003, nearly all the concrete recommendations were gone, replaced by a passive strategy in which the government would "investigate," "encourage" and "promote" the market forces that, in turn, were expected to generate private-sector solutions to secure cyberspace. As the final report put it with unusual candor, "[F]ederal regulation will not become a primary means of securing cyberspace. Broad regulations mandating how all corporations must configure their information systems could divert more successful efforts by creating a lowest-common denominator approach . . . which evolving technology would quickly marginalize."
Two things happened between the initial draft and the final report that, I think, explain the change of tone. Most important was the creation of the Department of Homeland Security, which was given the task of implementing any recommendations that came out of the report. The second, quite simply, was the passage of time. The draft report was written in the immediate aftermath of Sept. 11, when the momentum to do something, anything, to prevent future national trauma was strong. Indeed, the draft report was written by a task force made up of 20 senior members of various federal agencies, none of whom were likely to have to implement any of the report's recommendations.
The final report, and the subsequent lethargy of the DHS, reflect what is fundamentally a conservative view of government: Don't get involved until it's clear the market has failed. To quote again from the final report, "Externally, a government role in cybersecurity is warranted in cases where high transaction costs or legal barriers lead to significant coordination problems; cases in which governments operate in the absence of private sector forces; resolution of incentive problems that lead to under provisioning of critical shared resources; and raising awareness."
Well, guess what? I agree. For one thing, the Internet is not like other national infrastructures. Unlike highways, the Internet is not built and operated by government entities. Unlike public utilities, such as the electric grid and the water supply, the Internet is not heavily supervised, inspected or controlled by regulators. At its core, the Internet is a private infrastructure, which owes its remarkable success, spread and constantly improving price/performance to the fact that it is in some sense a reflection of "market forces" at their purestan infrastructure of profoundly low, and always dropping, transaction costs.
Our best defense against a catastrophic loss of Internet access is not a less supine DHSperhaps one under a Democratic administration and Congressbut the Internet itself. Its decentralized design, full of the kind of checks and balances that make democracies work, is far more capable of withstanding natural disaster or terrorist attack than anything all the agencies and task forces and public/private partnerships in Washington could ever come up with. As the GAO report notes, since the creation of the DHS, the Internet has withstood a Baltimore tunnel fire in 2001 that burned key fiber-optic cables, the destruction caused by Hurricane Katrina, and coordinated attacks from the Code Red and Slammer worms. In all these instances there were local disruptions, but most Internet users weren't even aware of the damage. And the DHS played no part in the recovery.
So rather than wait for the DHS to develop broad solutions to Internet security on both large and small scales, and rather than appropriate more funds for the agency to pretend that's what it's doing, we should acknowledge that we don't really need a public/private partnership at all. We have a mostly functioning market of backbone providers, ISPs and Internet security companies, who work with corporate and private customers to eliminate the most obvious risks of failure and damage. Whether by design or government ineptitude, that's pretty much the system that's been in place since before Sept. 11, and it's worked pretty well. If we leave it alone, it will likely continue to work well for a long time to come.
Okay, so the federal government shouldn't be responsible for securing the Internet. But you'd think its employees could at least learn to turn on the Windows feature that requires a password before booting up a laptop.