2014 was a banner year for cybersecurity. In March, a group of hackers installed a malicious piece of software in Target’s security and payments system and obtained` 40 million credit card numbers and 70 million private addresses. In September, a security flaw called Shellshock was discovered in Bash, a software shell built into 70% of the world’s computers that allows users and running programs to interact with a computer’s operating system. In November, a series of mysterious events at Sony Pictures began to unfold that the FBI later determined was a security breach by the North Korean government. On Christmas day, a hacker group called Lizard Squad took down PlayStation Network and Xbox Live simply to increase its own publicity.

These events have installed cybersecurity into the American vernacular and have shed light on the necessity of swift and calculated responses by governments and private companies alike.

On February 25, the White House announced the creation of the Cyber Threat Intelligence Integration Center (CTIIC), a new agency designed to improve US public and private sector cybersecurity. According to a White House fact sheet, the agency’s purpose is as follows:

The CTIIC will provide integrated all-source intelligence analysis related to foreign cyber threats and cyber incidents affecting US national interests; support the US government centers responsible for cybersecurity and network defense; and facilitate and support efforts by the government to counter foreign cyber threats.

The CTIIC is thus intermediary by design. It will not be a large agency; initial targets are 50 employees and a $35 million budget taken from the 2016 defense budget. The CIA’s 2013 budget, by comparison, was an estimated $15 billion (the actual figure is classified). The CTIIC’s purpose is coordinating information across existing intelligence agencies such as the FBI, CIA and NSA. It will not deal directly with cyber attacks, but will rather focus on facilitating communication to ensure a fast response. The FBI, CIA and NSA each has its own dedicated team of cyber specialists whose job it will be to respond to attacks.

Since details are scarce at the moment due to the recency of the CTIIC’s creation announcement, I will instead examine the key indicators of success or failure for this new agency.

1. Is more bureaucracy the answer?

It is difficult to ascertain the actual operational purpose of the CTIIC. The high-level purpose is clear, but what will the 50 employees do on a day-to-day basis? The CIA is currently responsible for being the ears to the ground for cyber and terrorist attacks, so it seems unlikely that CTIIC will help in that capacity. Furthermore, if the purpose of the agency is simply to facilitate better communication between existing agencies, then why does an entirely new agency need to be created? Could a more efficient solution be to assign explicit communication roles to members of those other agencies and do away with the middleman?

One possibility is that the agency will focus on the strict analysis of cyber incidents, leaving the FBI to focus more exclusively on investigation. I assume that the coming months will see the release of more specific details. Right now, it is hard to tell why this solution is the best one.

2. How closely will the agency work with the private sector?

The most specific information that we have right now is that roughly half of the 50 target staff members will be permanent employees of the CTIIC while half will be detailees from other intelligence agencies that will be the CTIIC’s clients. The troubling nature of this information is that there are no plans to include the private sector in any capacity. In fact, during the announcement of the CTIIC, White House cybersecurity coordinator Michael Daniel stated that private sector cyber specialists from key industries such as finance and energy will not being included.

The success of the agency will depend on heavy cooperation with the private sector, so this balance of staff will have to change for the CTIIC to be effective. Private sector companies are also operating America’s critical systems along with the government. Major cyber attacks to date have not been terrorist in nature; future attacks could include security breaches in American energy, water, or financial systems.

Relations between the White House and the private sector have recently been strained over consumer privacy issues. Stanford University hosted the White House Summit on Cybersecurity and Consumer Protection in February. The White House invited several major tech CEOs, but only Apple CEO Tim Cook attended. Facebook Chairman and CEO Mark Zuckerberg, Yahoo CEO Marissa Mayer and Google CEO Larry Page each declined to attend the summit. Although the companies did not explain their executives’ decisions, one likely factor is the recent souring of relations with the White House. The companies have clashed with the Obama administration over issues such as government information sharing and the privacy rights of users.

The CTIIC also has the potential to be a boon to private sector companies themselves. The agency should focus on downgrading select pieces of intelligence to the lowest levels of classification to make it widely available to private sector companies. This way, if the new agency is successful in analyzing threats and establishing cyber standards, everyone can benefit.

3. Will the creation of CTIIC be the extent of the White House’s response to recurring cyber threats?

After several of the most devastating cyber attacks of the last decade, the White House needs to ensure that existing agencies become more effective. I assume that changes are happening behind the scenes at the FBI, CIA and NSA; but this information is mostly kept confidential. If the Obama administration is betting on an agency focused on communication as opposed to response to bolster American cybersecurity, then cyber incidents will continue to wreak havoc on US public and private institutions in the years to come.

The views expressed by the author do not necessarily reflect those of the Glimpse from the Globe staff, editors, or governors.

The post Analyzing the White House’s New Cyber Agency appeared first on Glimpse from the Globe.

Recent geopolitical events in Africa have shed light on an unfortunate trend in Western media: the neglect of substantial African stories. When stories on Africa do make headlines, they are usually the most sensational pieces. These pieces reveal two unfortunate tendencies by the Western media: one, the portrayal of Africa as one geopolitical bloc; two, the portrayal of Africa as little more than a disaster-ridden continent. To learn more about this harmful pattern and its causes, I spoke with Dr. Cheikh Anta Babou, a professor of African history and the history of Islam in Africa at the University of Pennsylvania.

Dr. Babou, a native of Senegal, joined Penn’s history department in 2002 and now teaches courses entitled Africa Before 1800, Decolonization and Africa, Religion and Colonial Rule in Africa, and Islam and Society in America. His research focuses on mystical Islam in West Africa, as well as the new African diaspora. Dr. Babou’s articles have appeared in African Affairs, Journal of African History, International Journal of African Historical Studies, Journal of Religion in Africa, Africa Today and other scholarly journals in the US and France.

GLIMPSE: It seems that Western news outlets cover only the most sensational stories out of Africa. Boko Haram, Ebola and Somalian pirates make mainstream news in the US, while things such as the Nigerian elections and the Central African Republic crisis aren’t covered. Why does this pattern exist? 

BABOU: The coverage of Africa is crisis-driven. This pattern has roots in the past, specifically in the tradition of Africa’s being perceived by Westerners as the bottom of the ladder. You also have to deal with the problem that always exists with the media, which is that news outlets publish stories that people want to read. There simply isn’t enough demand in the US for African stories. When people think about Africa, they think of crisis, war and disease. That’s what comes to mind when you hear the word “Africa”. There are too many good things happening that you don’t hear about.

GLIMPSE: What are some recent examples?

BABOU: There are two things that come to mind. First, you have the elections that happened two weeks ago [January 20] in Zambia. Michael Sata [the incumbent president]died in office and was replaced via a peaceful and democratic election. The election was tight and the winning candidate [Edgar Lungu] won by a small margin. Power was transferred peacefully. The second example isn’t as recent: in 2007, Senegal also had a successful multi-party election. Again, these events don’t receive wide publication as do elections in European countries.

GLIMPSE: It seems that the success of the democratic process is something we take for granted in the US.

BABOU: It is. In Burkina Faso last year, the president [Blaise Compaoré] tried to manipulate the constitution and run for a third term. The people rose up and protested throughout the country, putting so much pressure on him that he was forced to resign. In the Republic of Congo, the same thing just happened. [President] Joseph Kabila tried to amend the constitution to consolidate his own power, and protests also ensued across the country. These were great moments for Africa, great moments for democracy. Africans took control of their own destiny in these countries and didn’t call on Europeans for help. They took charge and democracy happened the way it’s supposed to. But again, these are stories that you don’t hear about in the US.

GLIMPSE: What about Africa’s growing middle class? That issue seems to be covered in the West.

BABOU: Sometimes you’ll hear from the business world or the academic world that Africa is experiencing economic change or economic progress. There is a theory that Africa is the world’s next great frontier. The growing middle class of economically mobile Africans, the increasing GDP of African nations, the anti-corruption efforts of governments and an occasional economic referendum—these are all things that represent change and movement in Africa. But when an African government bolsters its economy or develops its infrastructure, American news outlets do not find an interesting story. As I said before, people are interested in the unusual parts of Africa—the parts that scream “not us” to the Western world.

GLIMPSE: Some of the improvements that you listed are truly pivotal for African countries. 

BABOU: Yes, and the best thing about it is that these changes are happening not because former colonial powers are willing them, but because the African people are willing them. Even compared to the US, this growth is superior. In the US, we still have the issue of the 1% and the 99%. There’s no movement like there used to be. In Africa, though, there is popular demand for these things. More people are paying attention to how their tax money is used and they’re responding if that money isn’t being used appropriately.

GLIMPSE: What other issues do you think should receive more Western coverage?

BABOU: The World Cup captures the attention of people around the world every four years, but few people outside of Africa follow the continent’s major soccer tournament, the Africa Cup of Nations. The Cup, which is going on right now, is held every two years and has become very popular. The youth are mobilized because of it. Similar to the World Cup, countries that haven’t been able to make economic or political inroads can do well in the tournament. The special thing about this year’s cup is that even countries that were engulfed in the Ebola crisis are participating. Guinea, for example, has been plagued by Ebola – almost 2,000 people have died – but still sent a team to the Cup. The entire continent is mobilized.

GLIMPSE: What can we as journalists do to increase news coverage of Africa in the US?

BABOU: That’s a tough change to bring about. You can’t forget that news making is a business; it’s about making money. One thing I’d like to see more news outlets do is bring on more African correspondents. I was just reading an editorial piece in the New York Times responding to many people’s concerns about coverage of Boko Haram. When this year’s unfortunate events in France took place, the Western media responded with a huge amount of coverage. Around the same time, Boko Haram killed an estimated 2,000 people in Nigeria and the Western media gave it minimal coverage. Many readers expressed their frustration with this inequality, and the editor responded by explaining that the Times has only one correspondent for all of West Africa. If you have only one person trying to cover that large a region, where so much is happening, how can you expect to cover important issues?

GLIMPSE: What sources of news do you follow for coverage of important African issues?

BABOU: Unfortunately, to receive good news about Africa, you have to go through former colonial outlets. Radio France Internationale and BBC do a good job. BBC in particular has reporters on the ground, people from Africa, who report almost every day. It’s contextual news. Al Jazeera also does a good job, much better than CNN, whose coverage of Africa is superficial. I don’t even think that CNN has a correspondent physically in Africa—this person might fly from Europe and spend 48 hours in Africa when something “newsworthy” happens. Former colonial powers still have a stake through European expats living in Africa. These people are highly interested in what’s going on and often contribute to good coverage like BBC’s.

GLIMPSE: It probably doesn’t surprise you that CNN still hasn’t published a major story about the ceasefire in South Sudan, even though it’s been over 24 hours [February 2]. 

BABOU: You will rarely find an African piece of news among the first stories of any major news outlet in the US.

GLIMPSE: Unless it’s Ebola.

BABOU: Exactly. Ebola does have to be part of the story, though. When it was incubating in Guinea, it wasn’t covered. But when an American aid worker got infected, it became an American story and people talked about it and worked themselves into a frenzy. All the while, people in Guinea were dying. Entire villages were being wiped out but no one was talking about it. Once the aid worker was cured and the scare on US soil died down, the coverage stopped entirely.

GLIMPSE: Liberia just got the figure for new confirmed cases per week under 100, but the American media didn’t circulate that story either.

BABOU: Mali, Nigeria and Senegal have also been successful in stopping the spread of the disease. They contained it, but you don’t hear about those successful stories. You only hear about the cases where it’s running amok. That’s just what people in the West too often associate with Africa – things going wrong. That’s the heart of the problem. When there’s good news in Africa, it’s just not interesting to people.

The views expressed by the author do not necessarily reflect those of the Glimpse from the Globe staff, editors, or governors.

The post Africa and the Western Media: An Interview with the University of Pennsylvania’s Dr. Cheikh Babou appeared first on Glimpse from the Globe.

Despite the existence of previous cyber incidents more severe than the recent attack on Sony Pictures Entertainment, the last month has seen cybersecurity penetrate the American psyche and affect day-to-day news like never before. The involvement of a major movie studio, an anticipated film, two famous actors and a direct effect on moviegoers’ holiday plans have caused fallout from the Sony cyber attack to make national headlines over the last few weeks.

Due to the complex nature of these events, I will provide a timeline before presenting my analysis.

June 20: Sony Pictures Entertainment releases the first trailer for its upcoming comedy The Interview, which depicts an assassination attempt on Kim Jong-un, supreme leader of the Democratic People’s Republic of Korea (DPRK), by American celebrity journalists recruited by the CIA. Kim Myong-chol, executive director of The Centre for North Korea-US Peace and unofficial spokesman for Pyongyang, issues the following statement in an interview with The Telegraph:

“There is a special irony in this storyline as it shows the desperation of the US government and American society. A film about the assassination of a foreign leader mirrors what the US has done in Afghanistan, Iraq, Syria and Ukraine…President Obama should be careful in case the US military wants to kill him as well.”

June 25: Pyongyang releases an official statement promising “merciless retaliation” against the US if The Interview is released. Most notably, the statement contains the following excerpt:

“The act of making and screening such a movie that portrays an attack on our top leadership…is a most wanton act of terror and act of war, and is absolutely intolerable.”

November 24: A month before the scheduled release of The Interview (Christmas Day), Sony suffers a major cyber breach caused by unknown attackers identifying themselves only as the “Guardians of Peace.” Sony employees are unable to access the company’s network, and instead see this ominous image (a large red skeleton making a menacing gesture) on their computers instead. Personal information, private emails and unreleased movies such as Annie, To Write Love, Fury, Still Alice and Her Arms are compromised in the attack. The attackers begin releasing the sensitive data in large dumps over the next two weeks. Due to the aforementioned statement from Pyongyang over the summer, some pundits speculate that the attack was perpetrated by the DPRK in response to the imminent release of The Interview.

November 28: After spending several days over the Thanksgiving holiday restoring functionality to its network and mitigating public relations damage, Sony begins investigating the possibility that the DPRK was behind the attack.

December 1: The FBI announces that it is also investigating the possibility that the DPRK was responsible for the attack. It issues a warning to US businesses announcing that unidentified hackers have used malicious software to launch a destructive cyber attack against Sony. The statement describes the nature of the attack: the malware involved overrides all data on the hard drives of computers affected, and even wipes the master boot record (the mechanism that enables computers to boot up). The result of the attack is that employees cannot use their computers at all—they finish the day’s work with pens and paper. The warning concludes by urging companies to contact the FBI immediately if they detect similar attacks.

December 3: An unnamed DPRK diplomat tells Voice of America that the DPRK was not responsible for the attack. The official states: “linking the DPRK to the Sony hacking is another fabrication targeting the country. My country has publicly declared that it would follow international norms banning hacking and piracy.”

December 7: The Korean Central News Agency, a state-run media outlet, issues a statement calling the attack a “righteous deed” but denies any involvement by the DPRK. The statement also says the following:

“We do not know where in America the Sony Pictures is situated and for what wrongdoings it became the target of the attack, nor do we feel the need to know about it. But what we clearly know is that the Sony Pictures is the very one which was going to produce a film abetting a terrorist act while hurting the dignity of the supreme leadership of the DPRK by taking advantage of the hostile policy of the US administration toward the DPRK.”

December 11: The Interview’s West Coast premiere takes place in Los Angeles at a red carpet event. The event is open to photographers, but closed to reporters.

December 15: Two former Sony employees file the first of several class-action lawsuits against the company, alleging that Sony ignored obvious signs that their computer network was vulnerable to attack. The breach exposes tens of thousands of employee Social Security numbers, medical records and personal emails. The plaintiffs also state in their filing that Sony “kept employees in the dark” regarding the extent of the breach for a week after the attack occurred.

December 16: The Guardians of Peace release the following message (note: nonsensical in some places):

“We will clearly show it to you at the very time and places ‘The Interview’ be shown, including the premiere, how bitter fate those who seek fun in terror should be doomed to. Soon all the world will see what an awful movie Sony Pictures Entertainment has made. The world will be full of fear. Remember the 11th of September 2001. We recommend you to keep yourself distant from the places at that time. Whatever comes in the coming days is called by the greed of Sony Pictures Entertainment. All the world will denounce the SONY.”

Immediately following the threat, a number of major theater companies announce that they will no longer be showing The Interview at all, Christmas Day or otherwise. Sony cancels the New York City premiere of The Interview. Homeland Security releases a statement saying that “there is no credible intelligence to indicate an active plot against movie theaters within the United States.”

December 17: In light of the threat made by the Guardians of Peace, Sony announces that it will no longer release The Interview on Christmas Day.

December 19 (morning): The FBI’s National Press Office releases a statement announcing that “the FBI now has enough information to conclude that the North Korean government is responsible” for the attacks on Sony. The FBI’s conclusion, according to the statement, is based on the following pieces of evidence:

1. Technical analysis of the data deletion malware used in the attack revealed links to other malware that the FBI knows to have been developed by DPRK actors.

2. The FBI observed “significant overlap” between the infrastructure (hard-coded IP addresses that indicate the origin of an attack, for example) used in the Sony attack and the infrastructure used in other malicious cyber activity that has been linked to the DPRK.

3. The tools used in the Sony attack displayed “strong similarities” to a cyber attack in March 2013 that the DPRK propagated against South Korean banks and media outlets.

December 19 (afternoon): In an end-of-the-year press conference, President Obama says the following about the Sony cyber attack:

“I think they [Sony] made a mistake…I’m sympathetic that Sony as a private company was worried about liabilities and this, that and the other, but I wish that they had spoken to me first.”

Mr. Obama also warns:

“We will respond…we’ll respond proportionally, and we’ll respond in a place and time and manner that we choose…if somebody is able to intimidate folks out of releasing a satirical movie, imagine what they start doing when they see a documentary that they don’t like, or news reports that they don’t like.”

December 21: David Boies, a top lawyer for Sony, says in an interview with Meet the Press that while Sony will not show the movie in theaters over the Christmas holiday, the film will eventually be released.

December 22: For reasons currently unknown to the American public, the DPRK’s entire Internet system fails for about 10 hours. The country’s computer connections were limited to begin with (roughly 1000 IP addresses compared to billions in the United States) and connections to the outside world were available to only the elite, but networks across the country fail nonetheless. Some people speculate that the outage was the result of a cyber counter-attack.

December 23: Sony announces that The Interview will have a limited theatrical release on Christmas Day (roughly 200 independent theaters). Michael Lynton, Sony’s Chairman and CEO, says that the company will continue its efforts to secure more platforms and theaters to show the film.

December 24: Google announces a partnership with Sony whereby users of Google Play and YouTube Movies can rent or buy The Interview on their computers and phones.

December 25-28: More cybersecurity experts begin to doubt that the DPRK propagated the attack.

Even the smallest details of the above events are worth noting because of the implications that this saga has for future cybersecurity incidents against both private companies and national governments. Although previous cyber attacks against the US have succeeded – and thousands of unsuccessful attacks occur every day – there has never been an attack that has elicited such strong responses from both the American public and American officials. Furthermore, if indeed propagated by the DPRK, then the attack was orchestrated for ideological reasons rather than financial reasons. This fact alone is a new development in large-scale cyber crime.

I will present my opinion on the following questions in this whirlwind of activity:

1. How confident can we be that the DPRK indeed propagated the attack?
2. Did Sony provide a befitting response for private company?
3. Did Mr. Obama provide a befitting response for a US President?
4. Was the US behind the DPRK’s recent Internet outage?

1. How confident can we be that the DPRK indeed propagated the attack?

Despite the ostensible confidence by the FBI in its findings, not enough evidence was released to prove that the DPRK was behind the attack.

Discounting potential motives and past behavior, the situation is still essentially a “he said, she said” situation. The FBI has clearly stated that it believes that the DPRK propagated the attack, and the DPRK still denies its involvement. Pyongyang even offered its assistance: “As the United States is spreading groundless allegations and slandering us, we propose a joint investigation with it into this incident…we have means to prove that this incident has nothing to do with us.”

The statement ends with a promise of “grave consequences” if the US rejects the joint inquiry proposal, also noting that the accusations by the FBI have “hurt the dignity of the supreme leadership.”

From a technical perspective, attribution is usually difficult with cyber attacks. The FBI could have a smoking gun, or they could have little actual evidence. The uncertainty stems from the lack of evidence released, and some experts are beginning to question the validity of the FBI’s accusation. Kurt Stammberger, a senior vice president with the cybersecurity firm Norse, said: “We [Norse] are very confident that this was not an attack masterminded by North Korea and that insiders were key to the implementation of one of the most devastating attacks in history.”

On December 23^rd, two scholars at the War Studies Department of King’s College London published a scholarly paper describing the key challenges in attributing cyber attacks. The authors, Thomas Rid and Ben Buchanan, conducted focus groups with commercial security software vendors and spoke to intelligence officials to survey the state of attack attribution practices. Their paper outlines the process of finding a culprit and communicating that information.

The authors’ first point is about the victim’s ability and willingness to respond to the cyber attack with an investigation. Although seemingly obvious, this assertion raises an interesting question about the FBI’s resources: “The more severe the consequences of a specific incident, and the higher its damage, the more resources and political capital will a government invest in identifying the perpetrators.” The Sony attack was certainly prolific enough in terms of reputational and financial damage done to the company (Variety estimates that the company stands to lose $75 million) to warrant a large amount of leeway given by Washington for an FBI investigation of the attack.

Furthermore, the attack struck a nerve with many Americans, who judged Sony’s response as a failure of free speech and an act of censorship. Given the attack’s impact on Sony, as well as the strong emotional reaction from the American public, I believe it likely that the FBI was given adequate resources by Washington to conduct a thorough investigation. Nonetheless, the fast turnaround time (18 days from announcement to conclusion) still raises questions about the investigative methods employed, and calls into question the conclusion that the DPRK did indeed propagate the attack. The majority of Rid and Buchanan’s 30-page paper, in fact, deals with the challenging issue of determining who propagated a cyber attack. The authors argue that attribution is rarely an open-and-shut case. “On a strategic level, conclusions are further removed from forensic artifacts, and may contain a significant amount of assumptions and judgment,” they write.

The authors’ third point is about communication of the results of an investigation. The FBI’s statement clearly outlines the reasons why it believes that the DPRK instigated the attack, but fails to provide actual evidence. I do not mean to imply here that I think that they should provide evidence, as doing so would jeopardize their sensitive process, but I do mean to say that the lack of evidence is ample cause for numerous experts to question the validity of the result. Rid and Buchanan seem to agree: “Publicising intelligence can harm sources as well as methods,” they write. Unfortunately, there is no easy solution here. The tension between the public’s desire for hard evidence and the FBI’s need to protect its information-gathering process cannot be resolved.

The authors’ final point is about the credibility of all parties involved. As mentioned previously, few can doubt the resources or capabilities of the FBI. The DPRK, though, may be a different story. Is it possible that the DPRK could have executed such a successful cyber attack on American soil? Previous cyber incidents, such as the DPRK’s attack on South Korea, would seem to indicate so, but this question may never be answered definitively.

While arguably lacking capability, the DPRK did not lack motive. The DPRK’s propaganda machine is well oiled; decades of history have shown that the government will go to extreme measures to defend the sanctity of the supreme leadership. Furthermore, The Interview charted new territory: never before has the assassination of a current government official been so prominent. Imagine if a major Russian movie studio had planned to release a comedic movie about the assassination of Mr. Obama on its most celebrated national holiday. Needless to say, there would have been plenty of uproar from the American public; it is not a large leap to say that many would have believed the movie to be anti-Western and anti-American.

Although the threats and extreme statements about war and merciless retaliation seem to be empty, they are threats nonetheless. While it is unlikely that the DPRK would resort to physical violence or acts of war over just The Interview, it is obvious that Pyongyang wanted to send a strong message and assert itself. If the DPRK was indeed behind the attack, then Pyongyang certainly celebrated a wide victory given Sony’s strong response.

2. Did Sony provide an appropriate response as a private company?

As mentioned above, the American public reacted strongly to Sony’s decision to pull The Interview from theaters. Despite the numerous allegations that Sony “let the terrorists win” and “sacrificed free speech,” I believe that the company responded appropriately to the threat.

First of all, a threat with the magnitude and seriousness of the one that Sony received can never be taken lightly. The reference to September 11^th alone is an immediate red flag that demands a thoughtful response. The threat by the Guardians of Peace to target movie theaters also triggers an emotional response, given the history of incidents like the Aurora shooting in recent memory.

More importantly, though, we have to remember that Sony is a private company with business interests. Its decision to pull The Interview was not, in fact, a loss for free speech, as so many would like to believe. As a company, Sony received a threat that promised horrible violence and death to moviegoers. Even if the chance of those events actually occurring was slim, Sony made the correct decision. Why endanger the lives of thousands of people and risk the reputational ruin of the company?

Furthermore, the issue was determined by the FBI two days later (after Sony’s decision not to show The Interview) to involve a foreign national government. Do we expect a private American company to have a standoff with the government of the DPRK? Such issues are meant for the American government, not private sector, to decide. Sony had to protect its own interests (not to mention the public safety of moviegoers) immediately.

Finally, it is important to remember that individual movie theaters (both large movie chains and independent theaters) acted even before Sony did. Especially given the unwillingness of theaters to screen The Interview, Sony was wise to avoid risking a humanitarian tragedy.

3. Did Mr. Obama provide a befitting response for a US President?

First of all, the fact that Mr. Obama has been talking openly over the last few days about the DPRK as instigators of the attack seems to indicate that the FBI’s unreleased evidence may be stronger than most experts think it is.

I believe that Mr. Obama’s categorization of the attack as “cyber-vandalism” and not cyber warfare is correct. Despite the strong rhetoric from the DPRK, it is unlikely that the attack was intended as a true act of war. It seemed to be a long shot revenge attempt on Sony that resulted in surprisingly successful chaos on American soil due to discord between the company and the American people.

The problem with Mr. Obama’s response is that he bought into the public rhetoric that Sony’s business decision to pull The Interview was somehow an act of censorship. This meme is convenient because it provides an easy explanation for an otherwise complex situation. Unfortunately, it is misleading. In an interview with CNN, Mr. Obama said the following: “If we set a precedent in which a dictator in another country can disrupt through cyber a company’s distribution chain or its products, and as a consequence we start censoring ourselves, that’s a problem.”

Again, there is nothing about the situation that involves censorship. Sony made a legal and measured business decision. Unfortunately, Mr. Obama has offered the company little support, while repeatedly vowing a “proportional response” on a national level to the DPRK. The President’s first priority here should have been supporting Sony in its decision to protect the safety of the American people. Instead, he publicly criticized Sony and offered little understanding of the company’s business decision.

This case is an example of having your cake and eating it too. If Mr. Obama wants to categorize the act as cyber-vandalism and make the issue one of censorship, then perhaps the government could have subsidized Sony for some of its losses or supported an online release of The Interview. The main problem here is that the American government left a private corporation with the responsibility to manage the fallout from an attack by a foreign government. Mr. Obama offered nothing himself but a vague and predictable threat.

4. Was the US behind the DPRK’s recent Internet outage?

While some have speculated that the DPRK’s Internet outage was also the result of a cyber attack, this possibility is unlikely. Although Mr. Obama promised a response to the attack, disabling the country’s limited computer connections would hardly qualify as proportional to the attack on Sony. China has also denied its involvement in the outage (the DPRK’s Internet is provided by a Chinese company).

In reality, the DPRK or its Chinese provider may have taken the system offline in advance of a possible cyber threat. It is also possible that independent hackers took down the system. Given the timing of the outage, though, mere coincidence was probably not the cause. Regardless, I think that the outage is unlikely to affect directly any relations or talks between Washington and Pyongyang in the future.

In conclusion, I believe it unfortunate that the narrative regarding the fallout from the Sony cyber attack has been centered on the future of Hollywood and free speech. The lesson to be learned from this situation is instead about the relationship between the private sector and the government in the wake of cyber incidents. In this case, the United States may have set a dangerous example for the future. That a private company is being so widely blamed – by both the public and the American government – for being the victim of an attack ostensibly propagated by a foreign government is troubling, to say the least.

The views expressed by the author do not necessarily reflect those of the Glimpse from the Globe staff, editors, or governors.

The post Making Sense of the Sony Cyber Attack appeared first on Glimpse from the Globe.

In the spring of 1776, the American Revolution was still in its infancy. It had been just over a year since a decade of British grievances against the citizens of the American colonies had exploded into actual warfare at the Battles of Lexington and Concord. Thomas Paine had just published his now-famous pamphlet Common Sense in January, and the leaders of colonies such as Massachusetts, Virginia and North Carolina were beginning to think about how they wanted to frame their own governments.

In April, the North Carolina Provincial Congress, one of several unicameral legislative bodies formed by the people of North Carolina, passed a resolution that asked for Adams’s suggestions on the establishment of a new government and the drafting of a constitution for the colony. In response, Adams penned a letter to James Warren, his friend on the Provincial Congress, entitled: “Thoughts on Government: Applicable to the Present State of the American Colonies. In a Letter from a Gentleman to His Friend.”

The letter, which would later be widely published across the colonies as a pamphlet, became known as “Thoughts on Government” and would have a significant influence on the framers of state constitutions in New York, New Jersey, Massachusetts and Virginia. Adams’s ideas would also influence the American Constitution itself.

Adams began the letter by demonstrating his enthusiasm for the formulation of government structure: “the divine science of politics is the science of social happiness, and the blessings of society depend entirely on the constitutions of government.”

Adams then entered into a counter-proposal to the idea of a unicameral government proposed by Thomas Paine in Common Sense. Adams wrote frequently, and often heatedly, against Paine on this subject. While the majority of Americans originally agreed with Paine that the legislature should have just one chamber (for instance, New York colonists once burned 1,500 anti-Common Sense pamphlets), Adams’s ideas ultimately prevailed in the Constitution, which established both the House and the Senate. Adams wrote: “a single Assembly is apt to be avaricious, and in time will not scruple to exempt itself from burdens which it will lay, without compunction, on its constituents.”

Perhaps the most powerful defense of the bicameral legislature, and the necessity of frequent elections, was Adams’s point that a single assembly may eventually vote itself perpetual. In this sense, he borrowed from Montesquieu in arguing for a fundamental separation of powers. The argument, later made apparent to all Americans by George Washington when he voluntarily stepped down from the presidency, would become a cornerstone of the Constitution.

Adams next stated his belief that state positions such as Governor, Lieutenant Governor, Secretary and Treasurer should be chosen via joint ballot by both legislative bodies. He argued that these elections should be annual: “where annual elections end, there slavery begins.”

He ended Thoughts with a statement that can be interpreted as nothing but pure passion for the formation of a virtuous government:

“You and I, my dear friend, have been sent into life at a time when the greatest law-givers of antiquity would have wished to have lived. How few of the human race have ever enjoyed an opportunity of making an election of government more than of air, soil, or climate, for themselves or their children.”

Adams, in Thoughts, provided a vision for a republican government that would inspire the creation of numerous state governments and ultimately the Constitution. I believe that this document is worth revisiting for three reasons. First, it is one of the most concise and powerful pieces written by our Founders about the principles upon which the United States was founded. Second, we tend to prioritize classical works by Plato, Aristotle, Machiavelli, Hobbes, Locke, Montesquieu and Rousseau as Constitutional blueprints, missing some contemporary works that had a more immediate effect on our Founding Fathers. Perhaps this prioritization is justified, but Adams cannot be overlooked as one of the most learned and thoughtful among the Founders. Thoughts is the distillation of his political thinking.

Third, and most importantly, the simple ideas outlined in Thoughts can explain much of what will happen over the next two years in the US Congress in light of the midterm election results. The GOP’s victory breathed hope into the potential White House bids of Republicans Jeb Bush, Rand Paul, Chris Christie, Marco Rubio and Ted Cruz. These conservative thought leaders, while differing slightly in their vision of what challenges will be most important leading up to 2016, agree that liberty in the classical sense must be the focal point for the new Senate majority.

In his speech on victory night, Rand warned that if the President vetoes Republican bills too frequently, “in 2016 the people will rise up and reclaim our heritage and elect a lover of liberty who will restore the values of our founding fathers.” Jeb Bush made similar remarks about the importance of effective governance given that the GOP won’t have a filibuster-proof majority in the Senate.

Adams was similar to other Founders in his equation of liberty and happiness. He wrote in Thoughts that “the form of government which communicates ease, comfort, security, or, in one word, happiness, to the greatest number of persons, and in the greatest degree, is the best.” These principles, simple as they are, evoke a bygone era in which the ideals of liberty were not so conflated with political jockeying. Both parties would be wise to remember that during the next two years.

The views expressed by the author do not necessarily reflect those of the Glimpse from the Globe staff, editors, or governors.

The post Historical Spotlight: Adams’s Thoughts on Government appeared first on Glimpse from the Globe.

On September 12^th, software security specialist Stéphane Chazelas discovered a security flaw in a core component of popular operating systems that run on personal computers, web servers and other connected devices. Within two weeks, the vulnerability was announced publicly and US-CERT (United States Computer Emergency Readiness Team, a branch of Homeland Security) had released a report.

The vulnerability, known colloquially as Shellshock, exists in a piece of software called Bash that was written in 1987. Bash is an interactive shell, or a piece of software that allows either a computer user or a running program (e.g., a web browser or a text editor) to interact with the computer’s operating system. Familiar examples of an interactive shell are Command Prompt for Windows users and Terminal for Mac users. Bash is built into roughly 70% of computers in the world since it is run on most Linux and Unix operating systems.

The Shellshock threat exists because of a bug, an error in programming that causes unintended consequences, introduced during the creation of Bash. If exploited, Shellshock allows attackers to run malicious code as soon as Bash is invoked on a machine. Hackers have proven (after only about one week) that a number of different security attacks are possible because of Shellshock. The security company FireEye announced on September 27^th that it has already observed at least four significant types of attacks. This diversity of threat exists because of the wide variety of ways in which Bash interacts with the operating system. The operating system, in turn, interacts with the lowest-level parts of a computer, including the parts that store users’ private information.

Although updates and fixes from several sources were released in the days following the public announcement of Shellshock, recent reports indicate that the bug is going to cause lasting problems. Bash is run not only on personal computers, but also on systems such as medical devices, power plant controls, municipal water systems and common objects such as refrigerators and cameras. While personal computers and web servers are relatively straightforward to patch, or fix with additional software updates, these other devices present unique challenges. Some systems, like traffic lights, are not designed to be patched and will be especially obstinate.

The implications of Shellshock are ominous. An expert hacker can exploit Shellshock to take over an entire machine and gain access to all of its stored information. To put this risk in perspective, the Heartbleed security bug that caused widespread panic when it was discovered in April 2014 gave hackers the ability only to do things like steal passwords from a server. With access to entire machines and devices, attackers will have the ability to accomplish much more malicious goals. The National Institute of Standards and Technology has already rated Shellshock a 10 on its 10-point severity scale. Heartbleed was rated a five out of 10.

In the coming weeks, several parties will collaborate to fix the bug in Bash and limit the impact that hackers can have on machines. The main movers behind the fix will be members of the open-source (publicly available collections of software to which anyone can contribute) community, both independent and in established groups like Red Hat, a leading provider of community-driven open-source software. Aiding in the effort will be large technology companies like Amazon, which played a large role in fixing the problems that Heartbleed created. Google and Apple are already working on Shellshock fixes themselves.

What can we learn from Shellshock? One obvious question is why the vulnerability from a piece of software written in 1987 was just discovered now. The answer is that continuous testing, review and updating is part of the normal process of software development. With programs that comprise hundreds of thousands of lines of code, errors are inevitable. The best that developers can do is remain vigilant about testing and stick to rigorously defined processes.

From this perspective, the open-source technology community will grow as a result of Shellshock. It may be months or years before the threats posed by the bug are put to rest, but the process of going through traditional software development routines (especially as private companies collaborate with open-source developers as they did to fix Heartbleed) will be healthy for the community.

The community will need to be proactive as people around the world ensure that their internet-facing machines are protected from hackers. There will undoubtedly be a surge in cyber attacks in the coming weeks, some of which are likely to succeed given the difficulty of patching certain devices. Although a major data breach at a large corporation or government is unlikely to occur given the traditionally fast response times of these entities, hundreds of thousands of smaller-scale networks and machines will be at risk. It is up to the collaboration of the open-source community and tech companies to ensure that the damage is limited.

The views expressed by these authors do not necessarily reflect those of the Glimpse from the Globe staff, editors, or governors.

The post The Shellshock Fallout appeared first on Glimpse from the Globe.

For decades, South Korea has been among the top nations worldwide in student test scores and literacy and graduation rates. Following the Korean War, the administrations of Syngman Rhee and Park Chung Hee moved control of the education system from local school boards to a new Ministry of Education in an attempt to achieve economic development through centralized bureaucracy. The Ministry has been responsible for setting enrollment quotas, certifying schools and teachers, curriculum development, resource allocation, and school administration.

These policy decisions contributed to rapid modernization and economic growth. The adult literacy rate grew from 22% in 1945 to 93% by the late 1980s. Enrollment numbers quickly surpassed those of other industrialized countries such as Japan. In 1985, 99% of students attended an optional year of middle school. In 1987, 34% of secondary school graduates attended institutions of higher education (compared to 30% in Japan and 20% in Britain). Government expenditure on education grew from 2.2% of GNP in 1975 to 4.5% of GNP in 1986.

Accompanying these changes was the rise of an education-centric culture among the South Korean population. The “tiger parenting” tradition that has recently gained attention in the US has been commonplace in South Korea since the early 1990s. Families stress the importance of academic success, no matter what the cost, as the stepping stone to a university education and a respectable white-collar job. The average student spends 13 hours per day at school and logs 5.5 hours of sleep per night. Much of the time in between is spent on homework and further studying.

A “double shift” of school is normal for most students. South Korean families frequently spend thousands of dollars per year on hagwon (known as “cram schools”), which are industrial-scale private schools that tutor high school children every night starting after dinner until around 11pm. South Korea has over 100,000 hagwon today, and roughly 75% of children attend them. In 2012, South Koreans spent $17.9 billion (12% of total consumer spending) on private tuition.

Some families split themselves up geographically so that their children can attend prestigious English-speaking secondary schools. Typically, the mother will move with the children to a planned community bordering a Canadian- or American-run school while the father will remain at home to work, living a pseudo-bachelor life until the children leave for college. A Korean term for these families, kiroji kajok (“goose families,” since they have to migrate to reunite) has made its way into the national vernacular. A recent estimate placed the number of goose families nationwide in the low six figures.

Unsurprisingly, this culture has resulted in consistent top rankings for South Korea’s education system among all countries. In 2014, South Korean students ranked at the top of the Programme for International Student Assessment (PISA) in reading, mathematics, and science. In 2011, 64% of the South Korean population had university degrees, well above the Organisation for Economic Cooperation and Development (OECD) international average of 39%. In 2014, the OECD’s aggregate index (an average of ratings across several major categories) placed South Korea atop the rankings, with a score of 1.30 standard deviations above the mean. The next closest country, Japan, had a score of 1.03. The United States placed 14^th with a score of 0.39.

In recent years, however, the national conversation regarding education has shifted to include non-academic factors. Since 2011, suicide has been the leading cause of death among young people. 53.4% of South Korean youths who have considered suicide cited excessive academic competition as the main reason. Furthermore, a shrinking middle class has led to a decrease in youth employment. According to a 2013 report by McKinsey & Company, an American consultancy, the proportion of middle class households shrank from 75.4% in 1990 to 67.5% in 2010. This decline was fueled by a shrinking number of high-paying jobs with major business conglomerates; these companies have historically provided the plurality of jobs in South Korea. Earlier in 2014, Statistics Korea reported that youth employment dropped below 40% for the first time since 39.7%. South Korea’s rate of graduate employment among university-educated citizens aged 25-34 is 75%, below the 82% OECD average.

Education experts report that South Koreans have mixed emotions about their education system. The international ranking numbers are impressive and the envy of many nations (including the US). But some administrators believe that this academic success has come at the cost of students’ emotional well-being. Professor JuHo Lee, a former education minister, believes that intensive education was appropriate during Korea’s rapid economic growth, but may now be unnecessary. “We now must look into the ways to reform our education system, not based on test scores, but based on creativity and social and emotional capacities,” he said in January 2014.

Few countries in history have achieved the rapid growth that South Korea has in recent decades. The success of its education system has transformed the country from a war-torn region to an industrialized player on the world stage. However, recent statistics detailing the results of heightened academic pressure, along with the appropriate concern by key administrators, mean that the next decade may hold great change for South Korean education.

The views expressed by these authors do not necessarily reflect those of the Glimpse from the Globe staff, editors, or governors.

The post Goose Families and Cram Schools appeared first on Glimpse from the Globe.

Every four years during the World Cup, the US press fixates collectively on the “will it/won’t it” question of soccer’s future. Each World Cup seems to bring higher TV ratings and more water cooler conversations than the last. Soccer optimists, imbued with fresh hope by scenes of fervent US supporters with painted faces and patriotic apparel, proclaim that soccer is here to stay in America.

Now that the US out of the 2014 World Cup after a 2-1 loss to Belgium, will this year be any different? Have the past few weeks been a sign that soccer will someday find a home as a mainstay of US sports, or are they just part of the same ebb-and-flow pattern that we see every four years?

First, a by-the-numbers look at this year’s World Cup viewership in the US.  According to Variety, the US-Portugal game drew 18.20 million viewers on ESPN; the US-Belgium game drew 16.49 million. Those two games were the two most watched US World Cup telecasts in American history. Through the Round of 16, ESPN and ABC averaged 4.08 million viewers – a record audience for the World Cup, up 44% from 2010 and 122% from 2006. According to the New York Post, WatchESPN (ESPN’s online viewing service) attracted an average audience of 1.1 million viewers per minute during this World Cup.

These numbers are to be expected. Aside from reasons related to the sport itself, this year’s record numbers likely have several major contributing factors.  According to the World Bank, the number of internet users in the US grew by 10.1 million from 2012 to 2013. According to comScore, the number of smartphone users in the US grew 7% from October 2013 to January 2014. Twitter’s userbase alone grew from 183 million at the end of 2013 to an estimated 227 million at the end of 2014 (estimated by CNET). The World Bank pegs the annual growth rate of the US population at 0.74% per year.

These greater numbers of internet users, smartphone users, and social media users mean that more people will hear about the World Cup and share news with their friends by roughly an order of magnitude more than they did during the previous World Cup. I am not making any statistical conclusions here, but I do think it’s fair to say that articles and opinions proclaiming soccer’s inevitable destiny as a major US sport need to be taken with a grain of salt if they tout World Cup viewing statistics as conclusive evidence.

Furthermore, the World Cup takes place during a dry period for other US sports. The NFL is at its least interesting (long past the conclusion of the postseason and about a month past the draft), the NBA has also put its postseason and draft in the rearview mirror, the drama of the NHL Stanley Cup has ended, and the Olympics is long over. The only major competing sport is MLB baseball, which is in the midst of its regular season. Additionally, summer brings a dearth of active TV shows, meaning that Americans have even less to watch.

What about factors related to soccer itself? Are Americans growing more accepting of a sport fundamentally different from the ones it already treasures? This question is tough to answer. Other than a few minor rule changes, soccer is the same as it was four years ago. All of the reasons provided by soccer critics as to why the sport will not catch on in the US (infrequent scoring, too many fake injuries, overly subjective officiating, and lack of sudden death overtime) are just as valid or invalid as they were four years ago. Shifting American sentiment toward soccer would be a result of externalities, and that discussion is best left for another time.

Perhaps one reason is a lack of initiative by the MLS. Recent years have seen the league take an aggressive approach to bolstering soccer’s popularity. According to The Economist, although average MLS attendance per game is down from 2013, it surpassed both the NBA and NHL with 18,600 spectators per match (although both of those leagues play considerably more games per season, making each game less appealing as an excursion). According to Forbes, the average MLS franchise is now worth $103 million, up more than 175% over the past five years. The league had 13 clubs in 2007 and will have 21 by next year. This year’s US World Cup team had ten players from the MLS compared to just four in 2010. Finally, the MLS signed a new eight-year deal worth an estimated $90 million per season that will result in more of its games being broadcast on more TV channels.

My theory is that Americans simply enjoy coming together to celebrate our national pride. Other than the Olympics, no major sporting events have the ability to unite entire countries in support of the same team. Take the support of the Iranian national team this year as an example. Following the 1979 Islamic Revolution, the Iranian government banned women from entering most sporting events because they deemed the enjoyment of sports by mixed crowds un-Islamic. This year, according to CNN, Tehran’s billboards advertising the World Cup featured only men, and state TV stations used a delay of several seconds to censor images of racy female fans so that viewers at home wouldn’t learn to accept mixed crowds. Nonetheless, some restaurants in Iran defied a national ban on broadcasting the World Cup this year, and men and women enjoyed the games together in public. Does this increased support from the female population indicate that soccer is growing in popularity in Iran? No – it shows that the Iranian people, this year more than ever, are eager to show their nationalism and support gender equality as a reaction to recent actions by the government.

Along the same lines, an ineffective Congress, an inconsistent Supreme Court, and an unpopular president have given US fans an increased longing to show their nationalism in 2014. Most notably, a volatile balance of power on the world stage has left Americans in uncertain territory. Both Russia’s aggression against Ukraine and ISIS’s first steps toward forging an Islamic state in the Middle East this year have spurred a growing national desire to display a uniquely American style of patriotism. Especially in the context of the World Cup, with competition unfolding at an international scale, patriotism is linked more to foreign policy than it is to domestic issues.

Perhaps the recent changes rolled out by the MLS are making a greater immediate impact on soccer than I’m giving them credit for, but I believe that the outpouring of US support for the Men’s National Team this year was more a result of our desire to be patriotic than it was a precursor to soccer’s rise to American prominence. Now more than ever, Americans are eager to come together and celebrate their national pride.

The views expressed by the author do not necessarily reflect those of the Glimpse from the Globe staff, editors, or governors.

The post World Cup Ratings a Sign of Patriotism, Not Soccer’s Rising Star appeared first on Glimpse from the Globe.

Cyber warfare, defined as espionage or sabotage conducted through politically motivated hacking, has existed as long as networked devices. In 1998, US officials discovered systematic unauthorized access to sensitive data at NASA, the Department of Energy, private research labs, and the Pentagon. The DoD traced the attacks to a mainframe computer in the former Soviet Union, although Moscow to this day denies any involvement. In 2003, cyber attackers gained access to the networks of several major US defense contractors, including Lockheed Martin. The SANS Institute, a US security company, determined two years later that the attacks were “most likely the result of Chinese military hackers attempting to gather information on U.S. systems.” In the decade since these two milestone incidents, known by their codenames Moonlight Maze and Titan Rain, networked systems have experienced order-of-magnitude growth. Over 80,000 pieces of malware are reported daily in the United States. Despite the best efforts of financial institutions and large corporations, defending against cyber warfare has never been so difficult.

Recent events have revealed that cyber attacks can come from various sources, including national governments, militaries, organized crime, or individuals. In March 2014, a group of unknown hackers installed a malicious piece of software in Target’s security and payments system designed to siphon customer to a remote server. Over the course of two weeks, the hackers obtained 40 million credit card numbers and 70 million addresses, phone numbers, and other pieces of personal information that Target had been trusted by its customers to protect. Just a few days later, the tech world was rocked by the discovery of the Heartbleed Bug, an accidental mistake in the coding of the OpenSSL cryptography library – part of the backbone of the Internet. In this case, a concerned citizen reported the vulnerability; had it been exploited, an attacker could theoretically have decrypted the web traffic on 20% of the world’s servers.

If cybersecurity was not in the national spotlight already, then these two events certainly pushed it in. The Pew Research Center reported that 39% of Internet users surveyed either changed at least one account password or shut down at least one online account to protect personal data as a result of Heartbleed media coverage.

The private sector was similarly quick to respond. On May 9, General Electric (GE) announced its acquisition of the privately held company Wurldtech, a Vancouver-based leader in cybersecurity solutions for oil refineries and power grids. On May 14, Gap, JC Penney, Lowe’s, Nike, Safeway, and Walgreen’s partnered with a large group of other retailers (including Target) to launch the Retail Industry Leaders Association (RILA), an independent organization combining the cybersecurity efforts of private retailers with those of the Department of Homeland Security. Finally, private firms funded this year’s United States Cybercrime Conference – an annual gathering of hundreds of private-sector administrators and CISOs (Chief Information Security Officers) – instead of the DoD as is typical.

There is little argument in Washington with the opinion that the government must now protect public infrastructure and sensitive national data at all cost. Homeland Security, in its 2013 year-end report, stated that it responded to 256 cyber invasion incidents last year, 151 of which occurred in the energy sector.(2) The thought of hackers compromising energy grids, or troop configurations and weapon designs falling into the hands of a foreign military, is chilling. A repeat of Moonlight Maze or Titan Rain in 2014 could compromise America’s position in a number of domestic and international affairs.

But the rapid emergence of cyber threats elicits two difficult questions. One, what should be the role of the government in protecting private sector institutions against cyber attacks? Two, how will voters and policymakers balance the need for cybersecurity with their desire for online privacy?

In a 2009 speech, President Obama declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation” and that “America’s economic prosperity in the 21st century will depend on cybersecurity.” He commissioned a comprehensive review (entitled “Cyberspace Policy Review”) of the US government’s ability to defend information and communication infrastructure. The resulting report outlined a ten-point plan designed to accomplish two objectives: improving US resilience to cyber incidents and reducing the general threat of cyber attacks. The ten-point plan, like the two objectives it was supposed to accomplish, was vague and largely procedural. Its scope was limited to the appointment of officials, the creation of preparedness plans, the promotion of national awareness, and the creation of new international relationships.

In February 2013, the President urged Congress to pass a more comprehensive and action-oriented plan named the Cyber Intelligence Sharing and Protection Act (CISPA). CISPA’s aim is to help the US government investigate cyber threats and ensure the security of networks against attacks. Introduced in 2012, the bill has twice passed the House and twice failed to pass the Senate due to concerns over a lack of civil liberties safeguards. Dozens of Internet privacy activist organizations have decried the bill for its failure to provide specificity on when and how the government can monitor an individual’s browsing history. Ron Paul (R-TX) labeled the bill “Big Brother writ large.”

Recent reports from Capitol Hill suggest that Intelligence Committee Chair Dianne Feinstein (D-CA) and Ranking Member Saxby Chambliss (R-GA) have drafted a new piece of cybersecurity legislation currently being circulated for comment. Yet, the stated aim of the bill sounds too similar to that of CISPA to have a chance of passing the Senate. The new bill’s goal is reportedly to “allow companies to monitor their computer networks for cyber attacks, promote sharing of cyber threat information, and provide liability protection for companies who share that information.”

Two new proposals have also been introduced in the Senate. The first, proposed by John Thune (R-SD), would allow the Federal Trade Commission to punish companies retroactively for failing to adopt “reasonable” data security practices and would preserve Congress’s authority to determine what those security practices should be. The second, proposed by Jay Rockefeller (D-WV), would give the Federal Trade Commission (FTC) legislative authority to set cybersecurity standards, removing Congress’s authority altogether.

Given the rapidly increasing threat that cyber attacks pose and Congress’s relative lack of cybersecurity knowledge compared to the FTC, Rockefeller’s plan seems more reasonable. But the past history of the Senate’s concern for privacy indicates that neither bill will garner enough votes to pass.

The unfortunate reality for cybersecurity policy is that online security is simply not a top priority for enough Americans. Edward Snowden’s unauthorized disclosure of the PRISM program profoundly altered the public psyche toward online privacy, creating a largely irrational belief among many technology users that the government should not have a right to ensure maximum cyberspace security with their personal data. In CISPA’s case, people seem to value the privacy of their Internet browsing histories alone over the reduction of imminent cyber threats. Given Washington’s inability to pass legislation promoting cooperation between the private sector and the government, and that its chief responsibility is to ensure the security of nationwide systems and government facilities, individual companies are beginning to realize that the security of private sector networks is their prerogative alone.

Evidence suggests that the private sector is up to the task. In April, the National Retail Federation, a trade association comprising both independent and chain retailers, established the Information Sharing and Analysis Center, which links the threat data of all member retailers and shares anonymized data with the US government. The steps of GE in protecting its infrastructure through the acquisition of Wurldtech will bolster private sector confidence in the value of cybersecurity and will dispel fear that the return on investment of protecting critical information is outweighed by its cost.

In the coming years, companies will need to focus their efforts in these areas:

1. Transitioning the chief objective of cybersecurity from preventing attacks to reacting quickly and determining their source. Given the difficulty of predicting hacker behavior and the inevitability of eventual breaches, companies must develop robust internal programs that can destroy cyber attacks before they do damage. Target’s shortcoming was not its failure to prevent a breach, but rather its failure to act swiftly once it diagnosed the problem. The post-mortem investigation showed that Target’s systems set off unmistakable red flags, yet officials waited several days before acting on the information. Had they responded immediately, the stolen data would never have made it to the hacker’s servers.

2. Holding third-party providers to a higher standard. Most major company data breaches come through third-party service providers rather than through the company’s infrastructure. Data security is inconsistent across platforms and industries, and companies need to subject all of their partners and contractors to rigorous stress tests to ensure that attackers have no easy entry points.

3. Building stronger relationships with the government and the police so that attackers can be prosecuted. Regardless of what legislation is passed in Congress, the government’s role in cybersecurity should include, at a minimum, the vigilant pursuit of known cyber marauders.

While the burden may seem to fall hard on private sector companies today, the government will eventually pass definitive and meaningful legislation. The political climate toward national cybersecurity is simply too charged for a bill not to pass at some point in the next few years. The Pentagon’s annual reports to Congress have become increasingly direct in their condemnations of national militaries and governments. The 2012 report openly accused both the Chinese government and the People’s Liberation Army of propagating cyber attacks against the United States in deliberate attempt to “gain strategic advantage.” The government is aware of the grave threat posed by cyber attackers; it now needs to match its rhetoric with legislation and action. Although largely symbolic, the Justice Department’s May 19 indictment of five members of the Chinese People’s Liberation Army for hacking into US networks was a step in the right direction. The hackers allegedly compromised the networks of Westinghouse Electric, the US Steel Corporation, and several other private companies. Attorney General Eric Holder Jr. stated that these actions crossed the line because the government commissioned covert actions for the purpose of gaining a commercial advantage, not for advancing national security.²²

Nonetheless, it is not and should never be the government’s responsibility to ensure the full security of private sector networks. For the sake of both national security and auxiliary benefits to individual companies – such as liability protection after security breaches in exchange for sharing data with the government – Washington should still attempt to pass legislation that will improve cooperation between the private and public sectors. Perhaps the upcoming midterm elections will yield a Congress more appropriately focused on pushing a cybersecurity bill into law. If the Senate, as well as the American public, can realize the relative importance of national cyber attack preparedness over the disclosure of personal user data to the government, then US cybersecurity strategy may have a promising near-term future.

The views expressed by the author do not necessarily reflect those of the Glimpse from the Globe staff and editorial board.

Update 8/13/2014: Citations format updated

The post Defense in the Information Age appeared first on Glimpse from the Globe.