James Cunningham

The road ahead for cybersecurity

[Commentary] What is the future of cybersecurity policy? How do we maintain the innovative Internet ecosystem, protect consumer privacy, and ensure national security?

The Center for Internet, Communications, and Technology Policy took its first steps towards answering those questions with its conference at AEI: “After Snowden: The Road Ahead for Cybersecurity.”

Two key steps to lead us down the right path emerged from our conference: 1) we need more effective public-private partnerships with freer opportunities for sharing information and 2) the government needs to educate the public about cyber threats.

Achieving these goals will require rapid legislative action. The success of any cybersecurity policy will hinge on the effectiveness of the relationships between government and industry and the open exchange of information between the two -- as well as both inter- and intra-agency communication. Any effective cybersecurity policy must entail legislation, such as the Cyber Intelligence Sharing and Protection Act, which Chairman Rogers and his ranking member, Rep Dutch Ruppersberger (D-CA), have championed.

As General Keith Alexander (ret) explained, legislation should ensure that companies are able to share information with each other and with the government while being protected from liability. The challenge will be identifying the limits on that liability, on the extent of corporate responsibility, and on government engagement.

[Tews is the Chief Policy Officer at 463 Communications; Cunningham is a Research Assistant at the Center for Internet, Communications, and Technology Policy]

Cyberspace, self-defense, and the law of the sea

[Commentary] If you happened to turn your eyes towards Capitol Hill, you might have witnessed the latest round of senatorial efforts to discover an effective cybersecurity strategy.

In a pair of hearings, Senators and administration officials focused on stricter data breach reporting regulations and expanded liability protection. Sen John McCain (R-AZ) again proposed a separate committee on cybersecurity. Federal Trade Commission Chairwoman Edith Ramirez stressed that the government needs stricter rules for data breach reporting and greater freedom to prosecute offending institutions.

Our congressmen and women would do well to read “Navigating Conflicts in Cyberspace: Lessons from the History of War at Sea” by Professor Jeremy Rabkin of the George Mason School of Law (and Adjunct Scholar here at AEI) and his son, Ariel Rabkin. In their article, published in the Chicago Journal of International Law in the summer of 2013, the Rabkins redirect the reader’s gaze from small-scale modifications to a broader, more ambitious proposal: “ground American policy on cyberattacks in…[the body of law] dealing with armed conflict on the high seas.”

Currently, the law of armed conflict governs American and international cyber conflict. These rules, the Rabkins argue, unduly limit national and private cyber defense options. Cyberattacks, however, do not solely target military facilities, personnel, or capabilities, nor do they solely originate from military facilities or personnel. The law of armed conflict, by designating military objectives as the only acceptable targets of armed responses -- cyber retaliation included -- fails to account for the civilian involvement that is an unavoidable reality of conflicts in cyberspace.

Underlying the Rabkins’ proposal is a basic and natural argument for adopting the laws governing conflict at sea: the right of self-defense. The same should apply to companies operating in cyberspace.

[Cunningham is a Research Assistant at the Center for Internet, Communications, and Technology Policy (AEI)]