Cybersecurity and the Warfare State

In a small safe in my basement rests a government-issue .45 caliber pistol. When I tell friends that I inherited this piece from my father, they assume he carried it back from his service in the Pacific in the Second World War. Actually, it is a war souvenir of a different kind.

The pistol came from a crate of firearms that the War Department sent, unannounced, to the Niagara-Mohawk Power Company for use in dispatching saboteurs.  As far as I know, no saboteurs died at the hands of pistol-packing linemen.  When the War ended, some Niagara-Mohawk employees liberated the crate’s contents and took the weapons home.  One pristine example found its way to my Dad and, eventually, to me.

Today, it is common to refer to Niagara-Mohawk and other utilities as the nation’s “critical infrastructure.”  Because today’s critical infrastructure facilities are networked and vulnerable to cyber-attacks, their protection calls for measures somewhat more sophisticated than passing out guns.  Today, technically-trained employees patrol virtual perimeters, looking for the signatures of hackers trying to penetrate their networks’ firewalls and disrupt vital services.

Cybersecurity is an important concern for the companies involved, their customers and their shareholders.  Because cyber-attacks can be tools of terrorism and warfare, it also is reasonable to treat cybersecurity as a national security problem.  Encouraging public and private sharing of cybersecurity threat information and solutions is therefore a legitimate concern of government—especially to the extent current laws may discourage such sharing.

That said, experience teaches that when national security is the cause, attacks on liberty often are the effect.  The thirteen cybersecurity bills now pending in Congress reinforce this ancient lesson.

Of the bills now pending, the most troubling is Senator Joe Lieberman’s S. 2105, which would empower the Department of Homeland Security to dictate cybersecurity standards to private industries designated as critical infrastructure. Even more controversially, the bill would (where communications thought to contain cyber threats are concerned) suspend the Electronic Communications Privacy Act’s prohibitions on communications service providers’ voluntary disclosures of private communications to “cybersecurity exchanges,” which, in turn, could relay that information to law enforcement.

Proponents of these measures should bear a high burden of proof as to their necessity.  Power companies, telephone companies and other service providers already have substantial incentives to protect their property from attack, and will do so without mandatory regulations backed by the threat of prosecution or civil lawsuits.  Similarly, no one has suggested that those companies would not willingly contribute threat information to clearinghouses established for that purpose, in exchange for the ability to draw upon intelligence contributed to those clearinghouses by others.

Such voluntary programs also could work without exempting communications service providers that are classified as critical infrastructure owners from the usual prohibitions against disclosing the contents of private communications.  Most threatening transmissions do not carry personal information or communications.  In the event that sharing of a cyber threat transmission requires disclosure of a person’s identity or communications, legal process can be obtained for that purpose under present law.

The threat of cyber-attack is real, just as the threat of sabotage was real — if somewhat overstated — during World War II.  The government’s role in preventing such attacks should be limited to making the necessary exchanges of threat information and technical knowledge more efficient.  Curtailments of liberty in the cause of stopping saboteurs are no more necessary now than they were in the 1940s, when the government at least confined itself to the relatively benign activity of passing out guns that civilians could use for their intended purpose or, in many cases, just slip in their pockets and take home for a long career of plinking at cans in the back yard.

Charlie Kennedy is a Washington attorney, a Senior Adjunct Fellow at TechFreedom, and a lecturer in law at the Catholic University of America.  The views expressed in this article are his own.