2011 saw the U.S. Congress finally begin the task of explicitly addressing cybersecurity (as a general matter) through legislation, rather than foisting the responsibility on executive agencies like the FCC with few explicit statutory mandates. Regrettably, the two signature pieces of cybersecurity legislation currently before Congress, PROTECT-IP/SOPA and the Cybersecurity Information Sharing and Protection Act (CISPA), are fatally flawed. The former conflates the concerns of intellectual property rightsholders with unquestionable cybersecurity threats such as malware distribution; the latter provides virtually no guidance on the controversial question of what information should be considered cybersecurity information, and does little to promote data sharing within the broader cybersecurity community. 2011 also saw ICANN's WHOIS policy review team produce what is sure to be a foundational document addressing the growing problem of establishing accountability for domain name holders and the registrars who serve them. My wish list for 2012:
- Congress should revisit PROTECT-IP and CISPA with an eye towards addressing the problem of badware websites, and creating civil causes of action that allow motivated cybersecurity researchers to seek the suspension or revocation of domain names being used for malicious purposes.
- The FCC should use its statutory authority to promote greater data sharing among firms with cybersecurity data and an interest in maintaining the integrity of their networks, and should consider imposing sanctions on ISPs and hosting providers who act with reckless disregard for the health and safety of their networks.
- The Department of Commerce, as the legal guardian of the global DNS, should strongly encourage ICANN to adopt the recommendations of the WHOIS policy review team and act with all deliberate speed to improve the accuracy of the WHOIS system and the accountability of those who disregard it.
In cybersecurity practice, 2011 also saw a number of high-profile botnet takedowns: Rustock in March, Coreflood in April, and DNSChanger in November, among others. The FBI has successfully modeled a public-private partnership that places the government in the driver's seat, draws on private sector expertise, and submits disputes about the legality of malware distribution to the appropriate judicial authorities. This is cause for celebration and substantial hope. In 2012, I hope that other companies well placed to assist the DoJ and FBI will go out of their way to do so, following Microsoft's lead.