How to Save the Net: A CDC for Cybercrime

Forming an agency whose core mission is cybersecurity research and information sharing would help change the nature of the game.
Image may contain Human Person and Text
Gary Waters

The Internet may be made up of software and hardware, but it is an ecosystem that depends on a key human value: trust. The networks and systems must be able to trust the information we are sending, and in turn we have to be able to trust the information we receive.

This system of trust has allowed businesses around the world to share data rapidly and reliably on almost every issue—except their own security. Too many firms are still unwilling to share crucial information about the network attacks, data breaches, and outright cybertheft they’ve experienced—and what they do to defend themselves. Companies keep everything from basic facts to crucial technical details from one another and, notably, from the government, largely because they’re suspicious and fearful about what others might do with that information. The fears run the gamut: Tech companies worry about their brand, potential prosecution, even exploitation by the intelligence community; consumer firms wonder how the stock market will react; oil companies fear aiding their competitors; and energy companies are nervous that information will end up being exploited by those they fear far more than hackers: environmental lawyers.

The result is that, as cybersecurity guru Kevin Mandia of FireEye puts it, “Nobody gets smarter.” Victims of attacks may learn how to adjust to a new threat, but only after the fact, while the world at large too often doesn’t get the guidance needed to bolster defenses in a timely manner.

Just as the CDC plays a key part in public education on preventative health care, so too could a cyber-CDC be a hub for better “cyberhygiene.”

Discussions of what government should do about this predicament tend to focus on some kind of change in the law to raise regulations and/or lower liabilities. That is well and good, but government should also think about building a new organization for the cyber age. And it can do so by taking inspiration from one of the most successful agencies created in the past.

The Centers for Disease Control and Prevention started out in 1946 with a mission to prevent malaria in the US. It has since become the bulwark of the modern American public health system, not only ending the scourge of malaria within the US, but helping to eliminate global killers like smallpox. Now it stands guard against new outbreaks like Ebola and pandemic flu. The CDC succeeded because it established itself as a hub for research on threats that the private market wasn’t equipped or motivated to confront and the public system wasn’t well organized to handle. In so doing, it became a trusted clearinghouse for public and private actors, by sharing important but anonymized information with anyone who needed it. Though its leadership is appointed by the government, its staff is recruited from a wide range of specialties to enhance its independence and credibility.

A similar gap could be filled by creating a cyber-CDC. Forming an agency whose core mission is cybersecurity research and information sharing would help change the nature of the game. It’s not just that there are many similarities between the spread of malware and communicable disease (even the terminology is the same—“viruses,” “infection,” etc.), it is that the CDC plays a key role now missing in cybersecurity in terms of the trust factor. We similarly need a publicly funded research organization, trying to understand emerging trends and threats, as well as a reliable clearinghouse, transparently sharing information to anyone and everyone who needs it

As with the CDC in public health, the cyber version would not replace all the other players, but fill a gap that now exists between the public and private space, especially when it comes to the trust factor. It could be structured in a similar way, with leadership appointed by the government, but with staff recruited across a wide range of specialties to aid its independence and credibility. Or, as one writer for the Cyber Security Law and Policy blog joked, “Essentially, take everything the CDC already does and slap a cyber in front of it.”

Forming an agency whose core mission is cybersecurity research and information sharing would help change the nature of the game. By having a research focus and origin, it would distinguish itself from organizations like the NSA, law enforcement agencies, the federal Computer Emergency Readiness Team, trade groups, and private companies that now all try to play this intermediary role. These groups each bring strong capabilities, but they also often have mixed interests and dueling motives that can undermine trust. What’s more, this new agency would have a more cohesive structure, mandate, and funding than the valiant but outgunned volunteer outfits that also play in this space.

###### The Complete ‘How to Save the Net’ Series

By Reed Hastings
By Bruce Schneier
By Vinton G. Cerf
By Danny Hillis
By Mitchell Baker

Implementing a cyber version of the CDC might even have a wonderful side benefit to the diplomatic tensions that so trouble the Internet today. By focusing on research and information sharing, it could serve as a hub for cooperation with all the various state and international agencies as well as non-state actors that matter in cyberspace. Such an entity might serve as a key intermediary in evermore heated political environments, just as the CDC proved to be a trusted diplomatic back-channel during the Cold War.

The benefits would extend all the way down to the individual level. Just as the CDC plays a key part in public education on preventative health care, so too could a cyber-CDC be a hub for better “cyberhygiene.” When the Heartbleed security bug was discovered in April—creating potential web vulnerabilities on a mass scale—everyone from software companies and media outlets to the NSA was asked for answers, but none of their responses were fully trusted.

There are many technical, policy, and legal gaps in cybersecurity today. But maybe what is missing most is an intermediary we can trust. This new problem might be best answered by an old success story.

Peter W. Singer is a strategist at the New America Foundation.

This article is part of our “Save the Net” series, featuring bold solutions to the biggest problems facing the Internet today.