Jay P. Kesan, a professor of law at Illinois, is a leading national scholar in the areas of technology, law and business.
Kesan, who directs the Program in Intellectual Property and Technology Law, spoke with News Bureau business and law editor Phil Ciciora about what steps the government should take to improve the cybersecurity infrastructure in the U.S.
Is the U.S. taking cybersecurity as seriously as it needs to?
The government is taking cybersecurity seriously, but the general public has been more vocal about a perceived loss of Internet freedoms. In fact, Internet activism, like the Stop Online Piracy Act blackout and the recent postings and petitions against the Cyber Intelligence Sharing and Protection Act, may actually make effective cybersecurity regulation more difficult to pass.
Discussions of CISPA in a "Get away from my Internet" context miss the larger point. CISPA was written to prevent really vicious new cyberweapons from emerging - like Stuxnet, the worm that damaged nuclear centrifuges in Iran, interrupting its enrichment of uranium. If a Stuxnet-type worm were to be released in the U.S. and it infected critical infrastructure, depending on the targeted sector, you could be talking about sewage being released into the water supply; massive power outages; and interference with transportation systems, which could potentially lead to plane crashes or subway malfunctions.
The bottom line is that serious cybersecurity proposals should be narrowly tailored to protect us against a Stuxnet-like attack.
Does the government need to do more to deter cyberattacks?
There are two types of deterrence: deterrence by punishment and deterrence by denial.
When you are talking about deterrence by punishment, the first thing that comes to my mind is the Computer Fraud and Abuse Act, the main federal cybercrime statute. Efforts to increase the CFAA's deterrent effect typically focus on deterrence by punishment. This could include increasing the sentences for cybercrimes, and making violations of the law into crimes that can trigger additional punishment under RICO (the Racketeer Influenced and Corrupt Organizations Act), which is a federal law concerned with imposing harsher punishments for organized crime.
But just increasing sentences and throwing people in jail for longer periods of time is not the answer. We already have a huge overcrowding problem in this country's prisons, so relying on deterrence by punishment to curb domestic cyberattacks may cause more problems than it would solve.
Deterrence by punishment also becomes more questionable when you are talking about attacks from actors not within the U.S., because there are a lot of other countries that would not assist with investigations into attacks originating in those countries.
Given the international criminal law realities and the practical concerns about prison overpopulation, I think there should be more of a focus on deterrence by denial. In other words, deter by denying the attackers success from their attacks.
How do we deter by denial? You can do it through passive means, like firewalls, intrusion-detection systems and antivirus software, or you can do it through active means, where the system ejects the intruder.
Does the government need to do more to facilitate deterrence by denial? Yes. There should be an emphasis on education, and the government should do more to support the private sector in this.
Should there be a law that forces private companies to build up their cyber defenses, or merely a softer mandate that encourages them to meet certain minimum standards?
A set of security suggestions enhanced with government subsidization of cyber defenses would probably be a good start for private companies. If it is critical infrastructure, then a more detailed mandate may be appropriate because of the relationship between privately owned and operated infrastructure and national security concerns.
To create incentives for the private sector to bulk up their defenses, the government could subsidize passive defense methods, perhaps by allowing individuals and companies to take a tax deduction for amounts spent on computer security. But in the case of privately owned critical infrastructure, government support in this area could be very valuable, and the government should be more involved because of the importance to national security.
You've published research on mitigative counterstriking. Is that a viable option to counter a cyberattack?
Mitigative counterstriking is another piece of deterrence by denial. This would be where you see an intruder in your system, figure out where the intruder is coming from, and then do something to interrupt the intruder's access to your system. Not to punish, and not in retaliation, but just to kick them out and minimize future harm to your system.
The problem is that these actions may be illegal under our current laws. Therefore, the government should assert a right to self-help in the cyberattack context. But because of the potential international and diplomatic issues, the government may need to closely regulate this aspect of self-help.