Opinion: America is under cyber attack, so what should we do?


Yesterday, the US House of Representatives announced “cybersecurity week,” kicking it off with a Subcommittee Hearing entitled “America is Under Cyber Attack: Why Urgent Action is Needed”.

As you might imagine, they didn’t hold back, launching the week with a Hollywood-blockbuster style introduction, rallying citizens to fight off evilness.

(The only problem is that we have yet to identify our masked, caped, and brightly underpanted cybersecurity star who’ll whoosh in and lead us to peace-and-harmony ville.)

If only for entertainment purposes, I would urge you to watch or read the opening statement [PDF].

Here are a few snippets:

America’s computers and Internet infrastructure are under attack and every American is at risk.

...this is not a science fiction scenario. There are no shells exploding or foreign militaries on our shores. But make no mistake: America is under attack by digital bombs.

...it is not a matter of if, but when a cyber Pearl Harbor will occur.

They even bring up the horrors of 9/11 to really drive their point home.

What really ticks me off about this kind of hyperbolic rhetoric is that it is ridiculously emotive, designed to spread fear and doubt to everyone in earshot, and via the power of the internet, dribble down to the rest of us.

Do we really want our leaders whipping themselves into a frenzy of blind panic before they decide on their next steps? A subcommittee hearing is surely not the place for popcorn-munching dramatics. Am I nuts to want logical concerns brought to the table in a calm, orderly fashion, so they can be studied, analysed, debated and prioritised?

So, why all this drama? Are they trying to soften us up for something?

According to the EFF, this approach might be used to convince us that in order to keep us safe, government needs to pick away at our dwindling privacy.

While we think an increased focus on catching criminals using existing tools is a fine tactic that could be used by law enforcement, we fear the temptation for law enforcement to increase their surveillance capabilities in order to successfully go on the offensive in the context of computer crimes. This could mean things like breaking into people's computers without warrants, or disrupting privacy-enhancing tools like Tor.

The EFF raise a really good counterpoint: rather than just go all Steven Seagal on online baddies, perhaps we should look really, really closely at our current infrastructure.

Vulnerabilities, by their very name, are weaknesses in our defences. Why not focus on resolving these first?

Yes, it is painful to go back over already-written code, but combining the skills of penetration testers, white hats, forensic analysts and coders, we could review and strengthen today's infrastructures. We could also all do our bit to educate general users on why it is important to practice safe computing and how to do it.

The thing is, while there are charlatans in every industry, the security market is rich with clever experts who know how to problem solve quickly and laterally. These are the people we should rally together to review, and where necessary rethink, our current defence mechanisms and strategies.

But, it is much easier to pass laws to force everyone to divulge who they are, where they are, what they are doing, when they are doing it, etc etc. And don't worry about this information ever getting into the wrong hands, as we have our existing defences in place to protect the government databases housing all your information.

Oh, wait a minute....
