The private sector may own most of the critical infrastructure in this country, but, you know, it also owns most of the land in the United States, too. Does that mean that we don't need an army? The ownership question is largely irrelevant. Businesses don't like to be regulated. I understand that, but when it comes to national security we can't depend on voluntary action. That's largely what the bill tackles. You'd give Homeland Security more authority to mandate security in critical infrastructure, and that's a good thing.
Are attacks on the U.S.'s critical infrastructure an imminent threat?
One of the problems we've had with the debate is that people have been really imprecise in what they mean by a cyber threat. The normal practice is to call everything cyber war and cyber attack. We know that a cyber attack, a real cyber attack, is now part of an advanced military's arsenal. Some of our opponents have even done the necessary reconnaissance on U.S. critical infrastructure to find vulnerabilities. The director of the National Security Agency (NSA) has told me this. It's just going to be part of warfare in the future. It's a weapon that many major militaries have and that probably 20 to 30 countries are trying to acquire.
If that is the case, why haven't any cyber attacks on U.S. critical infrastructure taken place?
They also have missiles, airplanes and ships. It doesn't mean they just use them freely. That's why I think we haven't seen any critical infrastructure cyber attacks so far. People have the weapons, but they're no more likely to use them frivolously than they are any other weapons for fear of reprisal.
Is the Protecting Cyberspace as a National Asset Act an effective approach to protecting utilities, communications networks and other critical infrastructure?
The bill is on the right track, although it's now being rewritten, and we don't know what the current version looks like. They're trying to figure out what it is you need to do to become really effective. Information-sharing and public-private partnerships don't work. The bill tries to say that we need to move beyond these old and somewhat sterile debates and think of new ways to protect national security. People don't like that because it goes against the sort of utopian ideology that the Internet was built around, and it goes against the desire of companies not to be regulated.
The Act calls for an Office of Cyberspace Policy, which would have it's own director. Where would this director fit into the government's cyber security hierarchy, and how would this impact Howard Schmidt's role as White House Cyber Security Coordinator?
I think the authors of the bill think they would be upgrading Howard Schmidt's position. He would still be where he is, but he would have more ability to actually shape policy and action. Some of what they feel is that Howard's position doesn't have the authority it needs. Put aside Howard for a minute, I think the Office of Cyberspace Policy would be like the White House's Office of the Trade Representative. In other words, there would be a White House staff with enough members to cover the problem and that have the ability to say this is U.S. policy, this is what people will do.
There's a school of thought that too much control of the Internet, even for the sake of cyber security, is counterproductive. Should the government consider a more collaborative approach to security?
We're in a transitional moment, and this debate over an Internet kill switch is part of that. You have the old-school Internet thinkers who are wedded to this pioneering vision that we have to keep the Internet open and unstructured because that will empower innovation. People really believe that. People also believe in flying saucers, and these ideas are about equal. But you also now have people saying, let's look at the data and see what really has worked. We know from the data that although there haven't been cyber attacks on critical infrastructure, there has been espionage against it. We know that an approach such as the 2003 National Cyber Security Strategy (pdf)—which was: we'll share information with people and when they realize the scope of the problem they'll immediately do the right thing—is just not going to happen. Some companies may not realize what they need to do and underestimate their vulnerabilities. When you ask critical infrastructure companies whether their control systems are connected to the Internet, almost all of them say "no," because that is the right answer. And they probably believe it's no. But when you actually go and do the checking you'll find that about one third of them actually are connected to the Internet and the executives just didn't know.