The Washington Post

We’re under constant threat of cyberattack, and Congress isn’t prepared to do anything about it

Last October a coordinated cyberattack sabotaged massive parts of the American and European Internet. The Mirai Botnet turned our Internet-connected devices against us. Millions of webcams, VCRs, baby monitors and telnet services were seized and used to take down Twitter, major news outlets and commercial infrastructure. Web access was cut off, electronic systems stopped working, and we couldn’t get news about what was happening.

It wasn’t a team of sophisticated hackers behind the attack, but one angry gamer — reportedly a man with a grudge against the PlayStation network. The truth is that someone with minimal technical knowledge can set up a node of the Mirai Botnet in less than 15 minutes.

One would think that members of Congress would lie awake at night at the thought of a malicious botnet whose next target could be military and financial institutions. And yet, no major federal initiatives were launched in the aftermath of Mirai. Rather, the security of vital infrastructure was left for private industry to solve.

Rep. Marsha Blackburn (R-Tenn.) did appear on CNN to comment about the Mirai botnet. But instead of announcing plans to force recalls of the hijacked devices, Blackburn blamed the attack on software piracy — an utterly unrelated subject. (It’s like watching your house burn down and declaring it’s time to buy a new car.)

This lack of understanding might be less concerning if Blackburn were just one of the 435 voices in Congress. But she serves on the House Communications and Technology subcommittee, where just 15 votes determine the fate of much of the legislation related to technology, including cybersecurity, communication and privacy. She used her cable news interview to plug legislation that would allow law enforcement to shut down websites based on copyright allegations, widely seen as a giveaway to corporate interests — which makes sense given that two of Blackburn’s top campaign contributors are telecom interests AT&T and Verizon. When the main voices giving you perspective on privacy and cybersecurity are powerful business interests that make money from the status quo, the American people are going to lose more than we win.

When it comes to cybersecurity, Americans remain extremely vulnerable, and our representatives seem ill-prepared to do anything about it. Earlier this month, it was revealed that Equifax disregarded warnings of security vulnerability and was hacked by a relatively simple exploit; we can expect to suffer years of identity theft and credit fraud thanks to the worst theft of private information in history.

Biotech giant Merck was hit with a ransomware attack in June that halted manufacturing. We’re only now beginning to understand the scope of Russian attempts to influence the 2016 election, but we know it included attempts to hack local election offices. And just last week, the SEC said it had been hacked last year and that the information stolen could have been used to make Wall Street trades.

Although states such as Massachusetts are suing Equifax for recklessness, and President Trump has started to move some government systems to the cloud, there is no credible national plan for securing American electronic infrastructure. The issues go further than cybersecurity. In 2014 and 2015, I was one of the primary targets of the Internet harassment campaign known as Gamergate, where women in the game industry were subjected to death threats, rape threats and malicious exposure of personal information in attempts to professionally discredit them. We found that law enforcement was utterly unprepared to prosecute crimes when they happened online.

Answers to all of these problems exist, but federal officials seem unable to implement them. Unlike so many issues that cause gridlock in Congress, the axis of conflict on technology isn’t right versus left — it’s informed versus uninformed. A prime example is Congress’ effort to criminalize strong encryption in the aftermath of the deadly San Bernardino, Calif., mass shooting. After a terrorist attack on a government training event, the FBI sought access to the perpetrator’s smartphone. Apple refused, and the FBI brought the tech giant to court to force it to engineer a backdoor to smartphone email, text messages and contact information.

Proving that no political party has a monopoly on bad technology ideas, President Obama warned tech leaders in a speech at SXSW last year that if they didn’t give government a secret backdoor to encrypted data, Congress would force them to. The tech industry was nearly unanimous in its horror at the idea. Is this because technologists are unconcerned about terrorism? No, it’s because people with a deep understanding of cryptography know there is no such thing as a backdoor that only the government can use. Aside from ideas of protecting civil liberties, this was simply a matter of understanding the reality of encryption.

Even when the nation’s leaders acknowledge tech issues, details are lacking. Hillary Clinton’s presidential campaign was ravaged by malicious cyberattacks, which she recounts in her new memoir, “What Happened.” And yet, even in posing an argument for investing in cybersecurity, Clinton doesn’t offer specifics, just a general call for “significant investments to protect our networks and national infrastructure.” She adds: “Corporate America must see it as an urgent imperative, because government can’t do it alone.”

Crises like the Mirai botnet can’t be prevented by vague calls to protect our cybernetworks or platitudes about working with private industry. We need to be able to force recalls on consumer devices with massive security vulnerabilities. We need to invest in telecommunication infrastructure with redundancies to combat denial of service attacks. We need to introduce civil liability for companies that ship products with reckless security vulnerabilities. Congress has yet to take up legislation on any of these issues.

Consider the now routine data breaches that leave Americans’ personal information vulnerable on the dark web. Politicians love to praise the power of the free market, but the market can never keep your information safe. Neither the buyer nor the seller wants to pay for expensive information security. This is the kind of problem only government regulation can solve. We must make it more expensive to ignore cybersecurity than to correctly address it. Only civil liability can make companies like Equifax take securing your information seriously.

Net neutrality is another frustrating example where the people advocating for consumer rights don’t have a seat at the table. Ajit Pai, the chairman of the Federal Communications Commission, doesn’t come from a consumer advocacy background. Rather, he hails from the legal team at Verizon, one of the companies most hostile to net neutrality. When it comes to protecting our rights online, the fox is guarding the henhouse.

Few members in Congress are equipped to address these concerns. As scientist Neil deGrasse Tyson put it: “57 percent of the Senate and 38 percent of the House cite law as their profession. What happens in the courtroom? [Decisions] do not go to what’s right, they go to who argues best.” Congress is filled with people who are trained to win arguments, not create solutions — and certainly not to address our most pressing technological challenges.

The time is long past where technology policy is a niche issue. We need to get serious, not just in improving policy but in setting ambitious goals for decades down the line. Without action, it isn’t just our economy that will suffer, it’s our national security. To quote a line from “Homeland”: “The soldiers are hackers, the battlefield is online, and it’s not a matter of if, but when.”