Chertoff Seeks Spy-Agency Help on Earlier Cyberattack Warnings
SAN FRANCISCO -- Homeland Security Secretary Michael Chertoff wants intelligence and other federal agencies to “look into the Internet more deeply” and create an “early warning system” on network attacks before they arrive, he said Tuesday. This can be done by extending the government’s Einstein cybersecurity technology, Chertoff said at the RSA Security conference.
The early detection and warning that US-CERT provides isn’t “sufficient,” especially concerning a threat that keeps changing, Chertoff said: “The time has come to take a quantum leap forward.”
Chertoff offered to make available to businesses “early warning intelligence” on threats that the federal government will develop. He emphasized that this wouldn’t involve the government sitting “on the Internet” to control what’s on it, like unspecified foreign governments, or “telling you you must do something.” Answering reporters’ questions later, Chertoff indicated the U.S. government wouldn’t expect in return any information from businesses accepting the intelligence other than any security worries they might disclose.
Chertoff warned businesses to be on the watch for “Trojan horse” intrusions built into components sourced elsewhere in the world, to “build a culture of security-mindedness” among people in their organizations, and to help sell the public better on the idea that security and privacy are “complementary,” not “at odds,” in giving users confidence they can use the Internet without their information being stolen. The most advanced technology, including biometrics, must be used to limit damage from security breaches to the “fluidity” of online activity, Chertoff said.
And Chertoff urged businesses to send the federal government their “best and brightest” to help improve cybersecurity. The government can’t compete in compensation but does offer unique opportunities for service and responsibility, he said.
Under the National Cyber Security Initiative announced in January, in partnership with the rest of the federal government, Homeland Security is working to reduce the number of network “entry points” to agency domains to “about 50” from thousands, planning to use its accreditation and certification authority to get all agencies “up to a minimum baseline” with “24 hour watch capability” for signs of possible attacks, aiming to respond more broadly to threats and within minutes instead of the hours it takes now, Chertoff said. He said his department must work “to raise the standards for everyone in the federal government.”
A cyberattack could cause “human and economic” damage “on a par” with 9/11, Chertoff said. The huge botnet attack that shut down the Estonian government and affected its media and financial system over two weeks in May 2007 shows the “enormous” harm a small group or even one person can do, he said. A cyberattack could shake confidence long-term in air-traffic control or the financial system, Chertoff said. The “traditional model of deterrence” works “only imperfectly” because the source of an attack may not become apparent for some time, he said.
But psychology works against businesses and individuals making needed security investments, Chertoff said at the media briefing. “We're biased in favor of present gain instead of protecting against future loss… We're not always rational.” Incentives are needed to offset that, he said. “Litigation also tends to make directors be a little more rational,” Chertoff said. But ultimately, motivating private action requires an appeal to “moral obligation,” he said. “You don’t rob your kids’ college fund to go on vacation.”
“Maybe we ought to be a little more open” in government discussion of security events, to get the threat across to the public, Chertoff said. And perhaps the government should encourage businesses to be more forthcoming than they have been in disclosing attacks, he said.
Most of the states that have objected to the REAL ID Act are “moving forward in the right direction” anyway, Chertoff said in response to a reporter’s question. But he acknowledged that some may not comply with the federal law before 2010 as required. Though states have passed laws saying they oppose REAL ID “in principle,” Chertoff said, he thinks the objections are actually “basically monetary.”
Chertoff said the law had been dogged by the “lie” and “myth” that the system would create a federal database on everyone -- when it’s really consistent with state information-sharing that has long taken place -- and would allow tracking of people through their driver’s licenses, when that would require collecting data from every place it’s recorded.