Govt. Needs Plan, Leadership to Combat Internet Threats, Say Witnesses
The U.S. has no plan for dealing with a major Internet attack, witnesses told the House Telecom Subcommittee Wed. Balking at mandatory controls, witnesses urged authority be centralized and communication among agencies improved to avoid a “Hurricane Katrina” of cyber-disasters.
“It’s unclear what government entity is in charge,” David Powner, GAO dir.-Information Technology Management Issues, said: “There’s a lack of consensus about the role of DHS in cyber-protection.” Corporate America isn’t much better off, according to Powner. “The govt. and the private sector are poorly prepared,” he said.
The criticisms were echoed in a DHS report on results of “Cyber Storm,” a Feb. simulated cyber attack on govt. systems. Scenarios included attacks on the HIPAA (Health Insurance Portability & Accountability Act) database, a threat to public medical records (WID Feb 13 p1). Agencies tested did not communicate or coordinate effectively, DHS admitted in its summary of the report, released Wed.
The U.S. needs leadership as attacks gain sophistication, Symantec’s Vincent Weafer told the committee, citing use of the Internet by terrorists and profit-driven hackers. “The nature of risk has changed,” he said: “Now, cybercrime is the primary risk. In the past [the point] was to destroy data and gain notoriety; now it’s for profit and to gain advantage.” Weafer urged more U.S. spending on cyber safety education and R&D and a national data breach law. “Intelligence on global trends [indicates] that terrorists may develop cap to conduct physical and cyber attacks,” said Powner.
DHS Undersecy. for Preparedness George Foresman was pilloried by Rep. Eshoo (D-Cal.) for the agency’s still not having an asst. secy. for cyber and telecom, a position vacant since its creation in Oct. 2005. “Not having someone direct this part of the orchestra is dangerous,” Eshoo said: “We’ve placed ourselves in a real ditch here by not having the administration name someone.” Claiming DHS is “in the final stages of the security review for a candidate,” Foresman said the agency “very soon” will make an announcement. He and a deputy handle DHS cybersecurity supervision, but lack of an official leader hasn’t put the agency in “neutral,” he said.
DHS has had some private-sector success, Foresman said. Microsoft used the agency’s U.S. Computer Emergency Readiness Team (US-CERT) to publicize vulnerabilities in the company’s software. US-CERT monitored Internet traffic to ensure hackers weren’t exploiting vulnerabilities as Microsoft developed patches.
Powner called Microsoft a rare good example. Most govt. and private sector information sharing on cyber protection is failing because the private sector doesn’t “see value” in it, and doesn’t trust the govt., he said.
The govt. must get all layers to work together, Cyber Security Industry Alliance Exec. Dir. Paul Kurtz said. “This is not a call for regulation and intervention, this is a call for leadership,” he said: “It’s not just DHS. A broader review is required that extends beyond DHS.” Larry Clinton of the Internet Security Alliance agreed: “Regulation would only reach to borders and is likely to be outdated by the time it is implemented. DHS needs to articulate the chain of command. The new secretary will help.”