Even though U.S. higher education in the main has not been hit hard by this cyber attack, let’s use our Lessig four factor analysis to think through this event. We have an unusual moment wherein we can take time to think through next steps without being totally distracted by the operational need to get services restored and functional for our colleges and universities.
I’m a broken record, but here it goes again. The principal challenge to addressing cyber insecurity is the absence of international internet governance. Pushback suggests that it will not be a match for criminals, but my reply is ‘then why do we have criminal laws that apply to physical space?’
Trespass, breaking and entering, larceny, blackmail, and fraud exist, but there are clear federal and state laws that apply to these acts. Nothing of the same nature exists internationally to thwart international cyber insecurity events. Cyber insecurity is not a part of diplomacy. We have no treaties, agreements, laws or courts. No wonder the information technology landscape is a mess, and no wonder that at this point, among lone wolves, organized crime, and nation state attacks, the last has become particularly pernicious. Countries, from rogue states such as North Korea to the U.S. itself, are fighting each other with no rules of engagement.
On the criminal side, the Computer Fraud and Abuse Act of 1986 addresses events such as this one, but it does not do much good when the offense is committed by criminals outside the United States.
On the civil law side, have you ever wondered about the liability of the corporate software developers? Back in the bad old days, I did not understand how Microsoft avoided tort suits for insecure software (except that I do, in terms of “contract” law and public policy that favored innovation over responsibility), and I do not understand why vigorous plaintiff lawyers don’t challenge it now.
Microsoft Vice President and Legal Counselor Brad Smith appeals to the NSA to stop stockpiling zero day vulnerabilities (I have long agreed with that point, and with more besides; see this post), but his appeal falls on deaf ears without global internet governance.
Microsoft and other companies (certainly the other Big Four) should get serious about (i.e. put $$$ into) non-partisan efforts at global internet governance. A proactive approach wins hearts and minds. It is better than the defensive posture of fighting regulation or the courts, or investing in yet another round of public relations firms to rehabilitate their brands.
(Full Disclosure: SafeGov, funded by Microsoft, has been a client. See list of clients here if that statement has made you curious.)
No technological solution exists. Cyber (in)security will always be a game of cat and mouse, whack-a-mole - choose your metaphor, you get the point. If a technological solution were the silver bullet, it would have been invented by now; it has not been because a technological solution alone cannot fix this problem. And remember, security is always administrative, technical and physical in its operations.
Users had better WAKE UP. Most exploits of technical vulnerabilities rely on social engineering, i.e. phishing. Any user who does not make security as routine as brushing teeth has bad hygiene. Now here’s a metaphor. Who likes to be around someone who consistently has bad breath?
Institutional leaders that still have not gotten the memo about funding information security functions on campus should be given one last chance and then relieved of their positions if they don’t do it. It would be a lucky break for them to lose their jobs, because negligence lawsuits are a-coming. Better not to be around when they do. A president or other institutional leader, e.g. an executive vice president or CFO, would look really foolish on the witness stand. How did they get into those high positions and not understand the need to protect institutional assets and research data?
Big software, security, and computer companies make trillions off of cyber insecurity. They will not stop until and unless consumers make a difference with their wallets (just ask Bill Gates), or government steps in on the consumer’s behalf because of the obvious differences in bargaining power between consumers (including higher education) and vendors.
My Analysis Per Higher Education
Given the pro-industry disposition of the administration and Congress, I will not hold my breath. But in an era more amenable to regulation, I could write a whole treatise on what the F.C.C. and the F.T.C. and the Commerce Department and NIST should be doing to make it right to consumers - including, yes, higher education.
Higher education deserves regulation from government on matters that include the cybersecurity industry. Well-balanced regulation would help alleviate liability, reduce costs, and support our missions. Unfortunately, higher education, its associations in particular, is so stuck in the habit of poking its head into government when it wants money from NIH/NSF or support for the Higher Education Act, and then running like a bunny from everything else. It has forgotten how to take stock, reassess and rethink its role and responsibilities, and, finally, how to act in its own interests. Remember the old adage about not wasting a crisis? A dodged bullet would be an even bigger waste.