Crossroads Blog | CYBER SECURITY LAW AND POLICY


Cybersecurity: A View From the Front (NYT)

We already tweeted a link to this earlier today, but just to make sure you see it . . .

Here’s a great New York Times op-ed written by Toomas Hendrik Ilves, the President of Estonia.  This man is well-versed in cyber issues, speaks from experience (the 2007 DDoS attacks), and leads one of the world’s most-connected nations.  In short, he’s worth listening to.

His op-ed really interested me because it took a different approach to cybersecurity: identity verification.  We hear about active defense/hackback, sanctions, visas, better defenses, etc., but rarely about identity verification.  Moreover, Ilves writes persuasively on the aversion to government as a cybersecurity guarantor.  Here are a few excerpts from the NYT op-ed:

At a time when the greatest threats to our privacy and the security of our data come from criminal hackers and foreign countries (often working together), we remain fixed on the idea that Big Brother, our own government, is the danger.

. . .

If the private sector is unwilling to take the necessary steps to guarantee the integrity of its online activities, the government must step in to fulfill its most fundamental task — to ensure the security of its citizens; that is, to provide them with a secure identity.

. . .

The key to all online security is a secure online identification system. But a nebulous fear of an imagined Big Brother prevents citizens in many places from adopting a smart-chip-based access key that would afford them secure online transactions.

Reading this, I can’t help but think he’s weighing in on the CISPA/Cybersecurity Act/mandatory standards debates on the USG’s role in cybersecurity.  I believe that the fear of Big Brother is definitely exaggerated (CISPA is not some massive privacy-killing bill), but it’s tough to say it’s nebulous.  I do agree with his take on the private sector, though.  Why should critical infrastructure providers avoid mandatory cybersecurity standards when they refuse to implement best practices?

While we’re here, take a look at NSTIC. 
