Cyberspace has been a technological bounce house for the better part of a quarter century, churning up new ways to communicate, transact business, make friends and generally enhance the quality of nearly every aspect of human life. It has attracted an enormous amount of capital and helped many people become extravagantly rich. The dizzying explosion of all things crypto has further underscored the mesmerizing effect of technological innovation and its incomparable air of inevitability, helping to addict us to loading every scrap of data and economic value onto an insecure digital foundation in cyberspace without evaluating the risk.
Digital technologies – a complicated amalgamation of the internet, coding, software, computers and networks – and the new products that they have generated have surely added enormous benefits and efficiencies to the quality of our business and personal lives. But the SolarWinds, Colonial Pipeline and JBS hacking and ransomware events reveal the risk of becoming mesmerized by technology and the revenues that it can produce.
We have built a cyberspace that is so flawed that we now live with the expectation that water could stop flowing, power grids could collapse, ATMs could stop dispensing money and gas, meat and chip distribution could grind to a halt at any moment.
The private sector and the government have not giddily underwritten all things digital. They have made choices based on efficiencies, profit potential and an evolving risk/reward analysis. But the risk/reward ratio is changing in ways that may not have been anticipated. If individuals, businesses and nation states cannot expect privacy, security and data integrity from the platforms they are using, they should not use them — a choice few have accepted.
The looming specter of advanced artificial general intelligence and quantum computing, both of which China may dominate by 2030, will exponentially change the risk/reward ratio, and in many ways not for the better. These developing technologies potentially make every digital thing that we do today even more vulnerable to attack by malicious users of technology tomorrow.
Since 1996, I have read nearly 30 executive orders, presidential directives, and commission, congressional and agency reports that have dispatched two dozen federal agencies to oversee a dozen or more critical infrastructures. As you might expect, no single federal agency appears to be in charge or responsible. Another 20 reports from private and international organizations have artfully identified the threats that the internet poses and offered solutions.
The most important flashing red signs in that regard are reports issued by the New York Cyber Task Force, the Cyberspace Solarium Commission and the Carnegie Endowment for International Peace in the last four years. They essentially beg for remedial action before every critical infrastructure in the country is brought to its knees.
The U.S. government has not followed through, leaving cyberspace as the new wild west in which most of us are defenseless. Corporate America is disjointed on the issues. It knows the stakes but is concerned about information sharing, and is reluctant to allow the government to set the rules of the digital road. So, both the government and the private sector have been left staring at each other, waiting for the other to solve the problems.
After 25 years, there are no rules of engagement for malicious activity, and no definitions of what digital behavior constitutes criminal behavior or an act of war. Moreover, corporations are prohibited by law from counter-attacking even if they are being brought to their digital knees.
As I discussed in pieces in this publication in May 2021 and December 2018, we are facing an existential threat that seems unable to garner the attention it deserves. Inaction is no longer an option. Here’s what must be done to fix the internet.
First, Congress and the Biden administration must realize that this is the issue of the moment — the real existential threat to civilization that could explode today, not 10 or 20 years from now. Someone must be put in charge of fixing the problem.
Second, we must agree that anything of value should not occur on a network that will not meet certain security standards now and in the future.
Third, hardware, coding and software must meet high security standards at every level and become the foundation of a new internet that works.
Fourth, any new internet should be a licensed, permissioned one — much like any highway. Every individual and organization that wants to use it should have to satisfy standards analogous to anti-money laundering “know your customer” rules. Every license should include a kill switch. Obey the rules, or you lose your license, right to travel or worse.
Fifth, a secure internet requires human and electronic cops to monitor it and establish clear standards of enforcement. Responsibility for pipelines and networks should be established. When malicious events are initiated from computers, servers, networks or humans located in a particular jurisdiction, every participant as well as the jurisdictions used should be subject to economic, political and military sanctions. That is the only way to ensure that everyone and every country gets serious about stopping the so-called independent actors operating freely throughout many countries.
Online security requires more than technological hygiene. It needs leadership and the rule of law anchored to responsibility for digital behavior. If the United States does not take the lead in forming a coalition of nations to take these first five steps now while it has the economic heft to do so, it may be too late by the end of this decade.
Frankly, this will have to begin with the private sector, which must elevate long-term security over short-term profit and encourage Congress to act. Treading water as we float down the current river of informational and economic insecurity, where the threats multiply at velocities that far exceed the development of solutions, is the best way to undercut the future of democracy and freedom.
Thomas P. Vartanian is the author of the new book, “200 Years of American Financial Panics: Crashes, Recessions, Depressions, and the Technology that Will Change It All.” He has been a federal bank regulator, private attorney, academic and the chairman of the American Bar Association’s Cyberspace Law Committee.