Many commonly-held policy assumptions about cyberspace are wrong, said James Andrew Lewis, director of the Center for Strategic and International Studies' technology and public policy program, during a Sept. 12 speech he delivered before the Sasakawa Peace Foundation in Tokyo, Japan.

Attribution? Espionage can identify the attacker without engaging in complex computer forensic analysis or tracing network paths. And anyways, when many incidents happen to track with a country's larger economic strategy and intelligence activities, the question of who is behind the penetrations has been answered.

Cyberwar is a major risk? It's a risk, but an overstated one. To date, there have been only three or four actual cyber attacks: Stuxnet, an electricity grid blackout in Brazil and possibly the use of cyber techniques by Israel in its 2007 air raid on a Syrian nuclear facility under construction.

Cybersecurity should be handled by the private sector, which owns most of the Internet's infrastructure? "The private sector owns most of the airplanes, but no one says it should be responsible for air defense," Lewis said. And the private sector will not supply adequate cybersecurity on its own; it's a public good that's missing as the result of market failure.

Cyberspace is a commons? Nope--and it's increasingly dawned on governments that they can exert their authority over it. "A better way to think of the Internet is as a condominium, where many owners share a common structure, but this condominium has few rules and a weak governing board."

"Perhaps this collection of ideas made sense in the early days of the internet, when it was a toy rather than a pillar of economic activity, but it is no longer adequate as a guide to policy," Lewis added.

The real immediate problems of cybersecurity are crime, economic espionage, and the risk of offensive military action, Lewis said. The primary malicious actors in cyberspace are national governments, some of which sponsor hackers and cybercriminals as proxies, irregular forces they can use for intelligence or military advantage.

Nonetheless, "cybersecurity is a national security and law enforcement problem where primary responsibility falls upon governments."

To that end, Lewis said, the first step in effecting a more secure Internet is to make Internet service providers responsible for the protection of consumers and small businesses. ISPs usually know when their customers are infected with malware; when they detect the presence of malicious traffic from a computer they should notify the customer and help users remove the infection. "There is a fear that this approach will increase ISP costs, but it is more likely that ISPs will end up saving money," Lewis said.

Governments should work with first tier telecommunication service providers and major ISPs to monitor the Internet backbone, Lewis added. Peering points are the logical place to intercept malicious traffic, although active monitoring does raise privacy concerns, Lewis noted.

"There must be adequate oversight rules and mechanisms to ensure that privacy and legal requirements for communications monitoring are being respected. In the United States, there are also issues over which agency should be responsible for active defense that revolve around defining the role of the military in cybersecurity," he said.

But a truly secure Internet will also require international cooperation, Lewis said.

"We need international agreement on the norms of responsible behavior in cyberspace, including how the laws of armed conflict are applied and how states are responsible for the action of those resident on their territory--no more ‘It was just a patriotic hacker' excuse."

International agreement will require consequences, Lewis also said, perhaps in the form of trade penalties, expulsion of diplomats, hearings before the World Trade Organization or even restrictions on Internet traffic from countries of concern.

"If there are no consequences for bad behavior, there is no incentive for nations to change their policies," he concluded.

For more:
- download a copy of Lewis's prepared remarks (.pdf)

Related Articles:
Lewis: Cyber attacks are rare 
Lewis: Privacy precepts need revising in light of new cybersecurity measures 
Lewis: CFATS could be model for public-private cybersecurity model 
New White House cybersecurity strategy needs new ideas, says CSIS commission