Earlier this month, a computer virus threatened Internet access for thousands of Americans unless they took proactive steps to remove it. According to the FBI, which successfully stopped its spread, a group in Estonia used malicious Internet servers to infect millions of computers worldwide with a program called DNSChanger, which enabled them to manipulate online advertisements and cause additional problems for unsuspecting users while raking in $14 million in illegitimate income.
After the FBI’s sting, users who relied on those servers could no longer access the Internet without temporary assistance provided by the FBI, which worked with a private company to give computer owners a few extra months to check their systems.
The handling of this episode provides an excellent template for dealing with the vast majority of cybersecurity threats. Law enforcement did its job to stop the costly scam and provide notice to the public about its potential effects. In almost all cases, this is the most direct involvement one should expect from the government. As our society relies more and more on the Internet, we all have an individual responsibility to protect ourselves and prevent harmful programs from spreading by following basic security practices, such as installing anti-virus, anti-malware and firewall software, as well as applying software updates and patches as necessary.
In general, the government should have the lightest touch possible when it comes to the World Wide Web, respecting the innovation and freedom to communicate that result from Internet openness.
The government should instead focus on making as much security information as possible available to the public and facilitating the exchange of cyber-threat details with and among the private sector to increase awareness and help everyone defend themselves. Robust privacy protections are necessary for any information-sharing arrangement, but the increased data security that results from sharing is vital for the prevention of the wholesale theft of private information that occurs every day. And it is not just Americans’ personal data at risk — foreign competitors steal billions of dollars’ worth of intellectual property a year, jeopardizing our competitive edge in a global economy.
While the DNSChanger program inconvenienced many users, like most viruses it did not threaten significant damage to our national economy. However, a different approach is needed for a limited group of industries on which we most rely for our economic security and physical health: our critical infrastructure.
Legislation and other proposals that I and cybersecurity advocates have authored would create minimum safety requirements for our power grid, water plants and sectors with similar effects on our daily lives. These industries have made remarkable strides in efficiency and automation by attaching control systems, which run everything from power plants and oil pipelines to heating and heavy machinery, to the Internet.
Unfortunately, many of these systems are uniquely vulnerable. Over years of review, we have found that too many operators have put profit ahead of public safety, forgoing basic protections and playing Russian roulette with the prospect of highly damaging attacks that could leave millions without power, safe water or other basic needs. Meanwhile, it is the American taxpayer who would ultimately be left to deal with the aftermath and pay the potentially astronomical cost of damages.