By Sterling Wright, Metanomics Government and Policy Correspondent

This past February, President Obama instructed the National Security Council and the Homeland Security Council to conduct a 60 day review of the nation’s cybersecurity. The 60 Day Cyberspace Policy Review published May 29, 2009 concludes a national dialog on cybersecurity must begin today.

“From now on our digital infrastructure—the networks and computers we depend on every day—will be treated as they should be—as a strategic national asset,” Obama said. “Protecting this infrastructure will be a national security priority.”

Focusing on protecting critical infrastructure, raising public awareness of cyber threats, and innovating the technologies and policies required for next-generation platforms, the Review lays out an overview of the path forward. But it is a call to action rather than a set of definitive steps, and between this rallying cry and a blueprint for action, extends a precarious path.

The Cyberspace Policy Review forwards many of the same recommendations as the proposed Cybersecurity Act of 2009 (S.773), which is currently circulating in the Senate, and which we discussed in our Metanomics Spotlight segment on 13 May 2009. However, on several key issues the executive Review deviates from the recommendations articulated in the bill (S.773).

For instance, President Obama announced he will appoint a cybersecurity “Czar” responsible for coordinating security polices and activities throughout government and between the public and private sectors. But it is unclear how much direct access Obama’s Czar will have to the President. Cybersecurity responsibilities are currently spread across government agencies with numerous redundancies and overlaps, and most networks remain in the hands of private entities. So, it remains to be seen whether this role will carry enough authority to mitigate existing disputes over responsibilities and the distribution of billions in newly-allocated funding.

S.773, on the other hand, calls for the establishment of a cybersecurity advisor in the White House, who would be empowered to assign cybersecurity duties directly to the heads of federal agencies. Additionally, it would grant exceptional powers to the Department of Commerce, which by virtue of being an agency with people and resources, could actually execute policy.

The Review, however, calls for the establishment of a National Security Council directorate overseen by the Czar who is linked to both the NSC and the National Economic Council. But the Councils are strictly deliberative bodies—they can formulate and issue directives to government agencies, but they have no authority to enforce those directives if the agencies do not wish to play along. Moreover, a “Czar” has no resources or staff to execute policy decisions.

S.773 also calls for legislation that would mediate information sharing between public and private sector networks, mandate security standards, and allow the President emergency powers to disable networks in the case of a catastrophic cyber attack. By contrast, the Review emphasizes “creative and collaborative” partnerships between the government and private companies. However, these mechanisms remain to be defined.

One might suggest that an appeal to “creative and collaborative” partnerships is a statement that functions more as a balancing act on a political tightrope rather than an actionable set of solutions. On one side of the rope lies private industry concerned with government interference, which the President addressed by reiterating his commitment to net neutrality. On the other side of the rope remains the demand for effective cybersecurity, which the President addressed by commissioning this report. Forward steps depend on public-private collaborations being forged—either through legislation or voluntarily—but neither the Review nor S.773 say how this should happen.

Industry, nevertheless, has responded favorably to the Review. Ed Mueller, CEO and chairman of Denver-based Qwest Communications International Inc., issued a supportive statement in response: “President Obama and his administration have taken an important first step toward creating a safe cyber environment by releasing the 60-day Cyberspace Policy Review. Through this initiative, the president is supporting the values of civil liberties and protected privacy, as well as promoting economic growth, while enhancing the trustworthiness of the global cyberspace.”

Given the myriad of complex issues surrounding cyber security, the 60 Day Cybersecurity Review does not achieve much in the short term beyond placing a check in the box labeled— “yes, cybersecurity is important and we are thinking about it.”

So…how might all of this affect Virtual Worlds? Good question….

Independent of both the Review and S.773, the Pentagon has said it also plans to create a new military command to complement the civilian effort. Pentagon officials have said they now view cyberspace as “a war-fighting domain” and are preparing the armed forces to conduct both offensive and defensive computer warfare. This raises large questions.

If cyberspace is now considered by the U.S. military as a domain analogous to the traditional battlefield, it will be very interesting to see how the country succeeds in crafting the international partnerships necessary to assure a secure global cyber infrastructure. In this context, one cannot avoid entertaining the notion that cyberspace could end up being divided into spheres of national interests and even national sovereignty.

What would this mean for various virtual worlds and other user-generated communities? And beyond this, what would it mean to the vision coveted by many of cyberspace as a tool breaking down national barriers and evolving human community toward global collaboration and citizenry? What if one wanted to travel from a community hosted on a U.S. server to one housed in China? Would a cyber passport be required?

Also, if cyberspace is a war-fighting domain, what are the rules of conduct? Who or what enforces them? Will the equivalent of the Geneva Conventions ultimately need to be crafted for cyberspace?

It remains to be determined how to even designate different areas of cyberspace as “critical infrastructure” in need of defense as opposed to private realms defined by free speech and other democratic ideals. Privacy and civil rights advocates have raised red flags regarding government accessibility to private networks, and President Obama assured the new policy frameworks “will not include monitoring private sector networks or internet traffic,” and that a civil liberties official will be appointed to the NSC cybersecurity directorate.

But a senior intelligence official has clarified the dilemma: “It’s the domestic spying problem writ large…these attacks start in other countries, but they know no borders. So how do you fight them if you can’t act both inside and outside the United States?”

As large percentages of “critical infrastructure” networks are controlled by private interests, delineating “public” sectors from “private” is challenging. And with the potential for attacks originating from outside of the country and then being routed through U.S. networks, the cyber battlefield might take on the cast of urban warfare, where defenders are unable to distinguish the civilian from the insurgent.

Beyond issues of privacy and spying, declaring cyberspace a war-fighting domain might also raise questions related to the Posse Comitatus Act, which prohibits US military actions within national borders except where expressly authorized by the Constitution or Congress. If the U.S. military were prohibited from counter-strikes against attacks originating on or passing through U.S. servers, we would then be dependent on the “creative collaboration” between government and industry to protect us.

As we contemplate how to move forward on cybersecurity, the tightrope stretches across a field of rabbit holes, each tumbling into the complexities of these and other questions. Where the 60 Day Cyber Review and bill S.773 agree is on the need for greater public awareness of cyber threats. By becoming an informed international community of cybercitizens able to recognize threats and play our role in countering them, an organic defense could develop. Through this spirit of global collaboration, we might maintain our balance.