Cybersecurity Requires Patches, Not a Vast Bill: Susan Crawford

Nov. 29 (Bloomberg) -- When cybersecurity problems arise, the best response is to adopt a patch as soon as it’s available. You don’t want to wait for an entirely new operating system to be created, and you really don’t want to use such a system until it has been debugged.

That second approach, though, is what the Obama administration lately has been recommending. Driven by the National Security Agency and the Department of Homeland Security, the administration has been pushing the Senate to ram through an enormous omnibus bill on cybersecurity that hasn’t yet won agreement from legislative working groups.

The comprehensive measure would give Homeland Security centralized authority to designate “Covered Critical Infrastructure.” This term has been so broadly defined that it could include Internet access sold to ordinary Americans. Under the proposed bill, Homeland Security would have the authority to mandate, among many other things, that access providers extend a National Security Agency snooping program called Einstein 3 to Americans’ Internet activities.

Under the White House plan, communications companies would submit their cybersecurity plans to auditors. Homeland Security would intervene if plans fall short of the agency’s desires. The Congressional Budget Office found last year that a similar approach proposed by Senators Joe Lieberman and Susan Collins would cost $1.5 billion to implement and would affect 50,000 entities.

Creating such a giant bureaucratic operating system will take years. It is the opposite of the kind of agile, innovative response needed to counter online threats. The administration’s definition of “critical infrastructure” -- to which the Commerce Department objected -- also sweeps far too broadly.

Defining Dangerous

Internet access is unquestionably critical to our economy. As Deputy Defense Secretary William Lynn said at a conference earlier this year, though, “the most dangerous cyber threat is destruction,” involving the use of cyber tools to cause physical devastation or loss of life. Rather than worrying about YouTube, we should focus on protecting dams and nuclear-power plants from catastrophic sabotage.

The omnibus bill also contains supply-chain mandates that will make it even harder for federal workers to use up-to-date technology. Deputy Secretary Lynn has pointed out that the iPhone took only 24 months to develop, but Pentagon procurement processes already take seven or eight years. Further delays would be intolerable. The U.S. government should take advantage of the innovative bargains developed by the competitive marketplace.

Luckily, the administration’s approach may collapse under its own weight. In October, a House Republican cybersecurity plan that focused on targeted voluntary efforts -- rather than the construction of a novel superstructure for the dictation of security standards -- grabbed the attention of legislators.

This month, Senate Majority Leader Harry Reid wrote to Senate Minority Leader Mitch McConnell saying that the House plan was consistent with his own cybersecurity vision, while noting that bipartisan working groups in the Senate hadn’t been able to agree on a comprehensive legislative draft. Four Republican Senators (Kay Bailey Hutchison, Saxby Chambliss, Charles Grassley, and Lisa Murkowski) wrote to President Barack Obama supporting the targeted House approach.

We need to allow companies to defend themselves rather than having the government do it for them. We could solve 90 percent of cybersecurity problems by doing better at locking up bad guys, improving information sharing, and enhancing research, education and awareness.

Streamlined Bill

The House Intelligence Committee is working on a streamlined bill that would target precisely those issues. It also would let the government and Internet service providers voluntarily share digital patterns characterizing potential vulnerabilities, in the interests of speeding responses to cyber problems. This won’t be easy; real privacy and civil-liberties implications could arise from this kind of information transfer.

If we can find a way through the privacy issues, though, we should follow the House’s lead on cybersecurity. Fixing the problems on which there is now consensus -- applying the patch -- is better than a protracted wait for a new operating system for the commercial Internet.

(Susan Crawford is a law professor at Cardozo School of Law in New York and is a Bloomberg View columnist. In 2009, she was a special assistant to President Barack Obama for science, technology and innovation policy. The opinions expressed are her own.)

To contact the writer of this article: Susan Crawford at, or @scrawford on Twitter.

To contact the editor responsible for this article: George Anders at