The United States Congress should restrict the National Security Agency’s ability to collect “bulk data” without a warrant
Yüklə 1,17 Mb.
|
- Bu səhifədəki naviqasiya:
- Ext - Grid Impact
- Ext – ! Calc - Timeframe
Cyber Adv1AC Cyber Security AdvantageReform is vital to cybersecurity efforts Gorman 14 (Siobhan,- “NSA Chief: Spy Concerns Are Pre-Empting Cybersecurity Fixes”) The departing director of the National Security Agency acknowledged Tuesday that the U.S. government will have to address surveillance concerns before Congress can turn to bolstering cyberdefenses. Gen. Keith Alexander's comments, which began with a defense of NSA's surveillance programs, showed the degree to which his top priority—cybersecurity—has been overshadowed by the disclosures from former NSA contractor Edward Snowden. Speaking at a cybersecurity conference at Georgetown University in one of his final public appearances before retiring this month, Gen. Alexander said he realized Congress had to handle "the media leaks first" before moving on to cybersecurity legislation. He said White House officials were meeting Tuesday to discuss options to address concerns about NSA's program that collects millions of Americans' phone records and he anticipated decisions in the coming weeks. President Barack Obama has asked for a report on options by March 28. "If we make the right steps with the media leaks," he said, "it will make the cyber legislation easier." Last week, Gen. Alexander told Congress that the restructuring of the phone-records program could provide a model for managing cybersecurity-data sharing. On Tuesday, he amped up his case for giving NSA and other federal agencies a greater role in helping U.S. companies protect themselves from cyberattacks. "We have some tremendous capabilities in our government that we ought to share," he said. "If a bank is attacked by another nation state, our government should not say: Good luck with that." This is vital to secure critical infrastructure --- impact is hege, the economy, food prices, energy shocks, and chemical industry Sebastian ’09 (Rohan,- research for the office of Virginia Senator Mark Warner CS Computer Science from UVA, 6-24 “The Federal Government’s Role in Preserving Cybersecurity for Critical Infrastructure”) The intersection of critical infrastructure and cyberspace has presented many challenges to policymakers. Critical infrastructure includes areas like the water and food supply, telecommunications, nuclear power, transportation, banking, and energy---areas crucial to the functioning of society. Eighty percent of this critical infrastructure is owned by the private sector. The continual delegation of control of critical infrastructure to cyberspace without regard to security has posed many vulnerabilities that malicious actors could exploit. To address these vulnerabilities, policymakers can utilize three options: strengthening partnerships between the public and private sectors, installing a White House official to deal solely with cyber security issues, and encouraging collaboration between critical infrastructure operators for coordinating best practices and crisis management. In conclusion, this analysis recommends that the federal government follow a course incorporating all three options because the effects could be mutually reinforcing. A long term solution to cybersecurity must take note of the private sector’s insight to be successful; a national dialogue on the importance of cyber security needs to take its cue from the White House; in the meanwhile, proprietors of critical infrastructure should ensure that they can reduce the damage caused by disasters or attacks by establishing clear lines of communication. [End of Abstact – Start of Intro] Critical Infrastructure Government and the private sector have reaped digital networking’s benefits by using computer networks to control vital parts of critical infrastructure from cyberspace. However, remote access to critical infrastructure from cyberspace has placed these systems at risk of destruction by other countries, malicious actors, or terrorists. This analysis proposes three options that the federal government can implement: strengthening partnerships between the public and private sectors, integrating resources under a White House official, and increasing collaboration between levels of critical infrastructure. After scrutinizing these options under the criteria of political feasibility, industry acceptance, and efficacy, this analysis recommends that the federal government pursue a combination of all three policy options. Critical infrastructure includes areas such as transportation, water supplies, public health, telecommunications, energy, banking and finance, emergency and information services, nuclear facilities, food supplies, and defense and chemical industries (Moteff & Parfomak, 2004). According to the Department of Homeland Security’s National Strategy for Homeland Security, critical infrastructure consists of “assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, public health or safety, or any combination thereof” (Homeland Security Council, 2007). Figure 1 illustrates the myriad of infrastructures and their interdependencies with one another. Simply put, critical infrastructures comprise the foundation for the modern economy and national security, so the federal government shares responsibility for protecting them. However, the government rests in a precarious position because the private sector owns about eighty percent of critical infrastructure (Forest, 2006, p. 78). Furthermore, about eighty percent of all American commerce occurs on privately owned telecommunications networks, primarily the Internet (Theohary, 2009, p. 20). Even the most valuable national defense systems rely on privately owned telecommunications networks (National Security Agency, 2009). As digital networking proliferates through society, builders will delegate control of more and more parts of critical infrastructure to the realm of cyberspace. In fact, every piece of software added to a system expands the “attack surface” accessible to external actors (Welander, 2009, p. 42). Therefore, cybersecurity is necessary to safeguard this infrastructure. The Need for Cybersecurity Proprietors often control critical infrastructure from cyberspace. According to the National Security Presidential Directive 54 and Homeland Security Presidential Directive 23 issued by the George W. Bush Administration, cyberspace consists of the “interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries” (as cited in National Cyber Security Center, 2009, p. 11). The intersection of critical infrastructure and cyberspace means that policymakers should strive to establish security while retaining a relatively open cyberspace. Several government officials have emphasized the catastrophic effects of compromised cybersecurity. Paul Kurtz, an advisor on President Obama’s transition team, warned of a “cyber Katrina,” a cataclysm in which government agencies would fail to coordinate after a cyber attack and would subsequently collapse (Epstein, 2009). Mike McConnell, a former director of both the National Security Agency and National Intelligence, declared that if the September 11th, 2001, hijackers had launched a focused attack on an American bank, the economic ramifications would have been of “an order of magnitude greater” than the destruction of the World Trade Center (Harris, 2008). Former cyber security advisor Richard Clarke, who served in the Clinton and Bush Administrations, asserted that the primary target for a terrorist’s cyber attack would be the economy whereas casualties and chaos would be secondary (as cited in Rollins & Wilson, 2007, p. 3). In fact, Director of National Intelligence Dennis Blair stated that cyber attacks against financial sectors and physical infrastructure could “severely impact the national economy” and disturb energy sources like oil and electricity for an indefinite period (Annual Threat Assessment, 2009). Beyond threatening the private sector, intruders have been specifically targeting the federal government’s information technology infrastructure. A report by the International Business Machines Corporation revealed that of the 237 million security attacks carried out in the first half of 2005, more than twenty-two percent, the highest percentage against any given group, aimed for government agencies (Fitzgerald, 2006, p. 57). Between 2008 and March 2009, the number of attacks against federal computer networks swelled about forty percent (Smith, 2009). The Department of Defense dubbed the military’s electronic information infrastructure the American military’s “Achilles’ heel” (Defense Science Board, 2008). Though these assorted officials would concur on the gravity of cybersecurity, they might dissent on the correct policy solution. As the White House’s Cyberspace Policy Review pointed out, cyberspace policy envelops the following: security of and operations in cyberspace,…,the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure (National Cyber Security Center, 2009, p. 5). This analysis will lay out three policy options to address these issues. Strengthening Partnerships between the Public and Private Sectors Any kind of long term solution to cybersecurity threats must consider the private sector since it owns about eighty percent of the nation’s critical infrastructure. Legislators cannot expect a law ignoring the private sector’s input to succeed because business’s efforts will ultimately determine effective cybersecurity policies. Thus, the government can continue encouraging the deepening of relationships with the private sector. Advocating a redefinition of government’s relationship to the software business, General James Cartwright stated that government should treat “cyber security as a weapon system” (Rutherford, 2008). A paradigm shift to Gen. Cartwright’s mindset would be favorable for government and business because the public sector widely uses private sector products. The Department of Defense, in particular, uses “Commercial-Off-the-Shelf” products since these packages are cheaper and more innovative than a government established standard. Communication between government and the private sector would be helpful for alleviating situations involving systemic software threats. For example, the Microsoft Windows operating system runs on “ninety-five percent of personal computers worldwide,” so hackers often exploit its vulnerabilities. In 2003, the Blaster worm infected “some 400,000 host PCs” in a single day. Microsoft responded by permitting “several governments across the world to take a peek at the precious Windows source code” for input and disclosure (Taylor, 2003). Thus, government benefitted by receiving insight into the potential problems the Blaster worm posed; business benefitted by receiving the government’s assistance with this problem. A number of forums already exist to serve as models for more formal mechanisms of public-private communication. Microsoft created a Security Response Center that works with the Department of Defense to secure its products (Information Technology in the 21st Century Battlespace, 2003). Learning from Carnegie Mellon University’s public-private alliance model, the Department of Homeland Security in 2003 founded the United States-Computer Emergency Readiness Team, a group of government and industry experts compiling software vulnerabilities (Barnes, 2004, p. 327). Similarly, the Protected Critical Infrastructure Information Program in the Department of Homeland Security represents the federal government’s first ever mechanism to collect and analyze data from private companies without fear of releasing that data to the public by the Freedom of Information Act (Grubesic & Murray, 2006, p. 65). In response to the government’s creation of federal agencies like the Critical Infrastructure Assurance Office and National Infrastructure Protection Center in 1998, industry responded with the creation of the Partnership for Critical Infrastructure Security as well as the generation of Information Sharing Analysis Centers (Michel-Kerjan, 2003, p. 136). Industry agents staff these Centers, which specialize in areas like telecommunications, electricity, and finance (Michel-Kerjan, 2003, p. 136). This analysis evaluates this option under the aforementioned criteria. Industry acceptance and political obstacles could obstruct the way to success. Politically, the Freedom of Information Act, which could force the disclosure of details of infrastructure weaknesses to the public, may make private companies apprehensive about sharing their data with the government. Laws like the Critical Infrastructure Information Act of 2002 protect the private sector from such disclosures, but companies may be reluctant nonetheless (Pozen, 2005, p. 678). Industry acceptance also affects this option’s efficacy. There are currently federal organizations like the United States-Computer Emergency Readiness Team bridging the communication gap between the public and private sectors, but only serious attention to these programs by both parties will evoke substantive results. Companies confront a tradeoff between security and efficiency as well as transparency and customer satisfaction. Noting this trend, Clay Wilson addressed studies revealing a low rate of cybercrime incident reporting because companies fear consumer backlash from “negative publicity” (Wilson, 2009, p. 24). According to a study conducted among Fortune 1000 companies, one of the most trenchant effects of compromised cyber security is damage to 6 reputation among consumers (Hansen, 2001, p. 1161). This option’s effectiveness is directly tied to political feasibility and industry acceptance. Extinction Adhikari ’09 (Richard,- leading journalist on advanced-IP issues for several major publications, including The Wall Street Journal “Civilization's High Stakes Cyber-Struggle: Q&A With Gen. Wesley Clark (ret.)”) The conflicts in the Middle East and Afghanistan, to name the most prominent, are taking their toll on human life and limb. However, the escalating cyberconflict among nations is far more dangerous, argues retired general Wesley Clark, who spoke with TechNewsWorld in an exclusive interview. That cyberconflict will take a far greater toll on the world, contends Clark, who last led the NATO forces to end the ethnic cleansing in Albania. There is a pressing need for new institutions to cope with the ongoing conflict, in his view. Clark is a member of the boards of several organizations. He has a degree in philosophy, politics and economics from Oxford University and a master's degree in military science from the U.S. Army's Command and General Staff College. Background: In November 2008, the Center for Strategic and International Studies, a Washington-based bipartisan think tank, presented recommendations on national security to the then-incoming Obama administration. These called for an overhaul of the existing national cybersecurity organization. Since then, the state of national cybersecurity has appeared chaotic. In August, White House cybersecurity adviser Melissa Hathaway resigned for reasons that echoed the departure in 2004 of Amit Yoran, who then held essentially the same post. In an exclusive interview earlier this year, Yoran told TechNewsWorld that national cybersecurity was still a mess. TechNewsWorld: Security experts warn that nations are preparing for a new cyberwar. Is our government doing enough to protect our national cyber-infrastructure? Or is it in the process of protecting the cyber-infrastructure? Gen. Wesley K. Clark: I think we're in the process of trying to get it protected, but unlike conventional security considerations, where one can easily see an attack and take the appropriate response, the cyberstruggle is a daily, ongoing affair. It's a matter of thousands of probes a day, in and out, against systems that belong to obvious targets like the United States Department of Defense; not-so-obvious targets like banks and energy companies; and individual consumers or taxpayers. It's ongoing, it's undeclared, it's often unreported, and it's very much an ongoing concern at all levels -- business, commerce and individual privacy. TechNewsWorld: The national security infrastructure has repeatedly been reported to be sorely lacking. Is the government moving fast enough? Does it need to do more? Clark: It does need to do more. It's in the process of doing more, and there's a tremendous amount of public and private sector effort going into cybersecurity right now. Whether it's going to be adequate or not is not the issue. There are many approaches to this problem that are mainly based on software, but software is vulnerable. When you open up to communicate with the Web, when you bring in data and programs from another source, when you bring in applications -- all that entails huge risks. It's dealing with those risks and trying to gain the rewards of doing so that make it such a difficult proposition. Online banking was a novelty 20 years ago. Now, everything happens on the Internet. People pay their bills, they do business, they do their work with customers. People don't fax documents any more if they don't have to -- they do webinars and briefings. All of this exposes the opportunity for mischief. You don't know the source of the mischief. You don't know whether it's individuals trying to solve a difficult technical challenge on their own or if they're connected to governments, or if they're cells attached to governments -- and it's very difficult to pin down ... incoming probes to a source. TechNewsWorld: While it's generally agreed that the next war may be a cyberwar, much of our infrastructure is either hooked up to the Internet or in the process of being hooked up to the Internet. Electricity companies, for example, are agitating for the use of smart meters. That being the case, and with hackers increasing the frequency and sophistication of their attacks, does the increasing pace of hooking everything up to the Internet pose a real security threat? Clark: We're going into completely digitized medical records, which could lead to a huge invasion of privacy. It could also lead to things like blackmail and is physically dangerous because people can tamper with records of vital signs, or can alter prescriptions. There's no telling just what could be done. Companies could lose their supply chain management, lose their accounting records, lose their customer lists. Trying to rebuild this on paper when we've all been interconnected on the Internet will cause years of economic decline. We are, as a civilization, quite vulnerable to disruption, and this security problem doesn't just affect one nation but the whole global economic infrastructure. You can't conceive of the threats from the point of view of a traditional war. Cyber-efforts are ongoing today; we're in a cyber-struggle today. We don't know who the adversaries are in many cases, but we know what the stakes are: continued economic vitality and, ultimately, global civilization. Ext - Grid ImpactThat’s key to the grid --- prevents economic collapse Hayden et al 14 (Michael,- former director of the Central Intelligence Agency and the National Security Agency. Curt Hébert is a former chairman of the Federal Energy Regulatory Commission. And Susan Tierney is a former assistant secretary of Energy. All three are co-chairs of the Bipartisan Policy Center's Electric Grid Cyber Security Initiative “How to protect our electric grid: Column”) Rather, cyber threats to critical infrastructure -- for example, water, energy and telecommunications — are important to our national security. There is evidence that energy systems, in particular, are becoming a popular target. The Department of Homeland Security recently reported responding to 198 cyber-incidents in 2012 across all critical sectors. Forty-one percent of these incidents involved the energy sector, particularly electricity. Although to date there are no reports of a successful cyber attack on the electric grid, we believe it is more a question of "when" than "if." A targeted cyber attack — either alone or combined with a physical attack — on the power system could lead to huge costs, with sustained outages over large portions of the electric grid and prolonged disruptions in communications, health care delivery and food and water supplies. Unlike traditional threats to electric grid reliability, such as extreme weather events, a cyber attack is less predictable in its timing and potentially more difficult to diagnose and address. Such an attack could come from various sources and target many potential vulnerabilities. The North American electricity grid is sprawling, with approximately 5,800 major power plants and more than 450,000 miles of high-voltage transmission lines. And our economy is pervasively dependent upon its functioning. Efforts to prevent and respond to cyber attacks on the electric grid are complicated by a complex governance structure. In addition to the countless companies involved with pieces of the grid and actions to protect it, numerous federal, state and local agencies are involved in some aspect of cybersecurity. Successfully managing cybersecurity risks and recovering from a destructive cyber attack will require effective coordination at several levels, including U.S. energy companies, the intelligence community and emergency management agencies; between relevant federal government and state and local authorities involved in energy, law enforcement, essential services and other issues; and between U.S. energy regulatory and security agencies and their counterparts in Canada and Mexico. To address new and evolving threats of cyber attacks on the grid, the Bipartisan Policy Center convened an expert advisory group to develop policy approaches that would improve protection of the grid and increase preparedness in the case of an attack. We believe there must be a series of new, innovative approaches to address the evolving threat. Recommendations include: Public-private partnerships that mobilize the respective assets and expertise of industry and government agencies, and improve the flow of information among government and companies -- such as this month's GridEx exercise, which joins industry and government in an extensive simulation of a cyber attack. Ext – ! Calc - TimeframeWe outweigh on timeframe Ernst 14 (Douglas,- Digital Editor at The Washington Times “Spy chief urges Congress to take on cybersecurity: ‘Attacks are coming’”) “Those attacks are coming, and I think those are near-term and we’re not ready for them. The nation needs an agency like NSA with its technical capabilities to help ensure that we can evolve to that future space to where we need to be,” Gen. Keith Alexander told the Senate Armed Services Committee, according to the Hill. “I think we have to get on with cyber legislation.” Gen. Alexander, who is set to retire next month, said it behooves Congress to address the issue now because technology “is changing so rapidly that our policy and laws lag behind it.” Sen. John McCain, Arizona Republican, agreed. “We’ve been kicking around this legislation, cybersecurity legislation, now for several years,” McCain said. The cybersecurity debate takes place in the wake of an Iranian attack on the Navy’s largest unclassified computer network that compromised 800,000 users at 2,500 locations. It took Adm. Michael Rogers, President Obama’s choice to succeed Gen. Alexander, four months to deal with the attack, which was deemed a “significant penetration” into the “bloodstream” of the Navy’s system by an official who spoke on condition of anonymity to the Wall Street Journal. “If we have an attack in two or three months from now and we haven’t done anything, we’re going to look pretty dumb around here,” Sen. Angus King, Maine independent, said Thursday, the Hill reported. “I think the next Pearl Harbor is going to be cyber and I certainly hope that we’re going to be prepared, better prepared than we were in 1941.” Yüklə 1,17 Mb. Dostları ilə paylaş:
|