Who Owns the Net?
IF THE ELECTRICITY GOES OUT after a major storm, power companies have a clear chain of command to ensure that repairs are made and service is restored in the shortest possible time. But if there should be a disruption to the Internet as a result of an attack or accident, who is responsible for getting things working again?
The answer, according to a white paper from the Business Roundtable, is that nobody quite knows. One candidate is the National Cyber Response Coordination Group (NCRCG) within the Department of Homeland Security (DHS), which is, according to the DHS Web site, “a forum of 13 principal agencies that coordinate intra-governmental and public/private preparedness operations to respond to and recover from large-scale cyber attacks.”
Unfortunately, as the Business Roundtable’s study points out, “few outside a small group of government officials know much about NCRCG and its authority over coordinating efforts in government and across the business community.”
The Business Roundtable’s members, CEOs who represent 160 U.S. companies, understand that the private sector, which owns and maintains much of the Web’s infrastructure, needs to play its part in responding to a disruption, “but the private sector as a whole is unprepared to work together on a wide scale,” the report notes.
The group cites three gaps in the nation’s “ability to reconstitute the Internet following a major disruption.” The first is a lack of “trip wires” that would indicate immediately that an attack or emergency was underway. Without these, there is no way to know when a mitigation measure would be necessary.
The second gap is that there are too many institutions that have responsibility for managing aspects of Internet reconstitution. For example, entities such as Information Sharing and Analysis Centers (ISACs) have roles that are unclear and undefined when it comes to responding to a Netwide disaster, and numerous government bodies have “overlapping and conflicting responsibilities.”
The third gap is that there are limited resources allotted to reconstituting the Internet’s infrastructure. Annual funding for the United States Computer Emergency Readiness Team (US-CERT) is approximately $70 million, representing “less than 0.2 percent of DHS funding,” the paper notes. And “almost none” of this meager funding targets reconstitution.
Recommendations include having the private sector “undertake most of the responsibility for fixing weaknesses in key Internet assets,” by establishing single points of contact and consolidating early warning and response organizations; having the federal government define key terms, designate responsible parties, and communicate a policy for Internet reconstruction; and ensuring that the public and private sectors work together to improve the ability to warn globally of and quickly respond to Internet attacks.