President Obama’s new approach to cybersecurity likely is more of an Internet game-changer than many appreciate. Initial reporting and commentary has been superficial and has not connected dots or analyzed the broader logical implications of this new policy emphasis and trajectory.
Why is it a game-changer for the Internet?
- First, it formalizes a new leading priority for the Internet.
- Second, it formalizes the lack of cybersecurity as the Internet’s leading problem.
- Third, it practically redefines what “open Internet” means.
- Fourth, it practically takes any extreme form of net neutrality off the table.
Moreover, the new cybersecurity focus will likely have a practical effect on the trajectory of Internet 3.0, which embodies:
- Cloud computing (where security has not been a primary priority by many);
- The Mobile web (where security has always been a very high priority); and
- The Internet of Things (where security will be imperative to prevent theft, intrusion, and sabotage).
I. Cybersecurity — New #1 Internet Priority
President Obama said:
- “This new approach starts at the top, with this commitment from me: From now on, our digital infrastructure — the networks and computers we depend on every day — will be treated as they should be: as a strategic national asset. Protecting this infrastructure will be a national security priority. We will ensure that these networks are secure, trustworthy and resilient. We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage.”
- “In short, America’s economic prosperity in the 21st century will depend on cybersecurity.” …”It’s about the privacy and economic security of American families.” “…this is also a matter of public safety and national security.”
From the White House Cyberspace Policy Review:
- “The digital infrastructure’s architecture was driven more by considerations of interoperability and efficiency than of security. Consequently, a growing array of state and non-state actors are compromising, stealing, changing, or destroying information and could cause critical disruptions to U.S. systems.”
In short, while security may have been an afterthought or a lower priority for the Internet before, increasingly cybersecurity will be the #1 priority for the Internet/cyberspace going forward. If the Internet/cyberspace is not safe and secure, other Internet priorities/benefits cannot be achieved.
II. Lack of Cybersecurity: the Internet’s Leading Problem
President Obama said: “It’s now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation. President Obama called cyber-attacks: “weapons of mass disruption.”
So why is security/safety such a core problem for the Internet?
- The Internet’s original co-designer, Vint Cerf, explained the Internet’s inherent security flaw last year:
- “It’s every man for himself…” “In the end, it seems every machine has to defend itself. The internet was designed that way.”… “
- “The idea of a virtual private network was not part of the original design…” “It was actually an oversight. It didn’t occur to me that it would be useful until afterwards.”
In other words, the inherent security problem with a pure end-to-end IP network architecture (with no reasonable network management of bits) is that every user is architectually alone, isolated and vulnerable to attack and abuse from any anonymous cyber-attacker anywhere in the world.
- A serious practical problem in compensating for the Internet’s inherent security flaw is that the vast majority of end users do not have the expertise, time or inclination to fully protect themselves or their devices from the continuous and exploding number of cyber threats. Simply the phalanx of cyber threats has vastly outpaced any end user’s ability to protect him/herself.
As President Obama said: “The status quo is no longer acceptable — not when there is so much at stake. We can and we must do better.”
In a word, the President has designated cybersecurity as the new #1 Internet/cyberspace problem to solve.
III. Practically Redefines an “Open Internet”
The President’s cybersecurity statements in support of privacy, civil liberties, and net neutrality were widely reported and I include them here.
- “Our pursuit of cybersecurity will not — I repeat, will not include — monitoring private sector networks or Internet traffic. We will preserve and protect the personal privacy and civil liberties that we cherish as Americans. Indeed, I remain firmly committed to net neutrality so we can keep the Internet as it should be — open and free.”
What has not been reported or analyzed is what the rest of the President’s remarks mean on balance for the practical definition of an “Open Internet.” The President also said:
- “From now on, our digital infrastructure — the networks and computers we depend on every day — will be treated as they should be: as a strategic national asset. Protecting this infrastructure will be a national security priority.”
Clearly these competing goals must be balanced, integrated and coordinated.
If cybersecurity is indeed important, it is now fair to assume that an “open Internet” does not practically mean:
- An unprotected Internet where there is no means of closing or barring against threats or dangers;
- A lawless Internet that protects offenders at the expense of victims; or
- An every-person-for-him/herself Internet where end-users are abandoned and alone to defend themselves from cyber-threats.
Moreover, the President’s commitment to public/private partnerships and not dictating private standards in tackling the cybersecurity challenge, strongly suggests the Government is not going to force “openness” on the private sector in the form of dictates or mandates.
- President Obama said:
- “...we will strengthen the public/private partnerships that are critical to this endeavor. The vast majority of our critical information infrastructure in the United States is owned and operated by the private sector. So let me be very clear: My administration will not dictate security standards for private companies. On the contrary, we will collaborate with industry to find technology solutions that ensure our security and promote prosperity.”
Given the President’s above committment to collaborate with the private sector, it is fair to practically assume the Government won’t be forcing an “open Internet” that:
- Abandons smart network precautions, prevention, and protections;
- Invites new dangers, risks and harms; or
- Prohibits common sense discretion, judgement and reasonable network management to enable rapid and effective responses to, and recovery from, crises, intrusions, infections and outages.
Simply, the dual goals of an “open and free Internet” and a “safe and secure Internet” will require a balanced policy approach and public/private partnership.
VI. Practically Takes Extreme Net Neutrality Off-the-Table
The President’s new emphasis on cybersecurity creates a new and very different policy context for the net neutrality issue to play out.
- In effect, the emphasis on cybersecurity appears to practically take off the table the extreme net neutrality position of an end-to-end architecture principle where no bit can be interfered with in any way. Let’s analyze why.
In the The White House’s 78 page Cyberspace Policy Review “Assuring a Trusted and Resilient Information and Communications Infrastructure” “net neutrality” was not mentioned once.
- However, near the end of long remarks making cybersecurity a new national security priority and mobilizing Federal, State and local governments and the private sector to protect our digital infrastructure, the President devoted one sentence to net neutrality:
- “I remain firmly committed to net neutrality so we can keep the Internet as it should be — open and free.“
Given that the President has made cybersecurity the #1 Internet policy priority, and given that the President also said: “… let me be very clear: My Administration will not dictate security standards for private companies,” it is logical that the President’s general support of net neutrality would not involve dictating net neutrality standards/regulations that could limit or handcuff network companies’ ability to protect the nation’s communications infrastructure from cyber-attack.
Moreover, it appears that the scope of “reasonable network management” in the FCC’s Broadband Policy Statement for all practical purposes now involves a new and substantial cybersecurity dimension.
- Since most cyber-threats/attacks use the Internet to reach their targets or victims, reasonable network management is not the problem, but an essential part of the cyber-security solution.
- In the new cybersecurity context, the extreme net neutrality position of a pure end-to-end IP network, where any bit interference is assumed to be illegal discriminaton, would:
- Force every end-user and end-device to battle cyber-risks alone; and
- Prevent network operators from offering consumers and businesses the choice of network mangement protections from known cyber-threats.
- Listening to the totality of the President’s approach and remarks on the critical importance of cybersecurity and the need to “strengthen the public/private partnerships that are critical to this endeavor,” it is not logical to assume that the President’s support for the concept of net neutrality would not allow for network operators to contribute to improving cybersecurity.
- This is especially true because of the critical importance reasonable network management protections can/will play in the future to counter ever expanding and ever more sophisticated cyber attacks.
- Network operators could more quickly, broadly, efficiently, and effectively address many types of cyber-attacks than relying on end-user patch-work application defenses that are routinely out-of-date for many of the users that use them.
- And only network operators, not end-users, could address or hope to thwart some of the more sophisticated and severe cyber-attacks that involve rapidly-changing and distributed (p-2-P) sources of cyber-attack.
- Simply, the Government’s definition of:
- “Net neutrality” is unlikely to mean no one but an end user may counter cyber-threats on the Internet; and
- A “neutral Internet” is unlikely to mean an unprotected Internet where the President’s strong commitment cannot be fulfilled:
- “We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage.”
In short, net neutrality is no longer just about the watchwords of net neutrality proponents: “discrimination,” “block,” “degrade,” “impair,” the President has implicitly added new important watchwords to the Internet lexicon: “deter,” “prevent,” “detect,” “defend” and “recover.”
In conclusion, the President’s new approach to cybersecurity is more of a game-changer than many appreciate because it:
- Formalizes cyber security as the Internet’s #1 priority for the first time;
- Formalizes the lack of cybersecurity as the Internet’s #1 problem for the first time;
- Redefines an “open Internet” effectively to not prevent reasonable network protections; and
- Takes the most extreme net neutrality position — a pure end-to-end IP architecture with no bit interference — practically off-the-table of serious consideration.