Location of Cybersecurity Authority Said Secondary to ‘Market Incentives’
Self-described geeks had their say on U.S. cybersecurity policy at a House Communications Subcommittee hearing Friday, and their recommendations boiled down to: Make business and personal security cheap and easy to implement. The raging debate among House and Senate committees of where to locate primary authority for cybersecurity in the federal government is a secondary matter, most said.
Vice Chairman Anthony Weiner, D-N.Y., seemed sympathetic to a minor government role at least as applied to businesses. An agency’s “help with some of the R&D,” similar to the National Institutes of Health’s role in medical research, may be all that’s required to protect private networks, he said. The government should help industries to avoid acting as “silos of self-interest.” Noting the absence of government officials on the witness list, Weiner said Friday’s hearing was intended to “inform our reactions to the administration’s proposals” when they come out. Melissa Hathaway, acting senior director for cyberspace for the National Security and Homeland Security Councils, gave her cybersecurity recommendations to President Barack Obama April 17.
There were only fleeting references to a bill introduced Thursday by Commerce Committee leaders, HR-2165, that would give the Federal Energy Regulatory Commission authority to protect the electric grid against cyberattacks. It’s similar to companion bills by Sen. Joe Lieberman, I-Conn., and Rep. Bennie Thompson, D-Miss., chairmen of the Senate and House Homeland Security committees. A bill by Senate Commerce Chairman Jay Rockefeller, D-W.Va., would give the government sweeping authority to cut off private networks at risk, while a measure by Sen. Tom Carper, D-Del., would give the White House less-intrusive cybersecurity authority (WID April 29 p5).
The impact of the evolving Conficker worm on security practices was the dominant theme. Dan Kaminsky, director of penetration testing for IOActive and known for discovering a critical flaw in the DNS last year, said 99 percent of Windows machines were safe from the worm but “we still have no idea what the authors want.” The ad hoc group of security researchers trying to dismantle the botnet created by Conficker has had “no real success,” said Rodney Joffe, senior technologist for Neustar. But recently Neustar and others managed to identify a particular set of LAN-connected medical devices that had been infected by the worm. When told, the hospitals said they actually couldn’t modify their infected systems without 90 days notice under FDA rules, Joffe said.
About three in five network penetrations come from the inability to authenticate other nodes -- a password problem, Kaminsky said. Yet passwords are the only way to “reasonably make things work at all. … Security is too expensive and too difficult to deploy” either for personal or business use. Some of the most expensive failures in government tech projects were for cryptographic authentication, he said. The U.S. needs to improve “market incentives” for companies to do better security, not write regulations that put U.S. companies at a comparative disadvantage, said Larry Clinton, president of the Internet Security Alliance. These could include “relatively modest investments,” such as giving companies cybersecurity insurance or Small Business Administration loans to bulk up, he said.
There’s too much shared vulnerability for businesses to take expensive steps on their own, Clinton said. The best way to launch a cyberattack on the Pentagon is to target a defense subcontractor, who won’t take a Pentagon project if it’s subject to stringent cybersecurity requirements, he said. But the government is only asking that subcontractor to “do what is intuitive,” Weiner said. The answer will be “'what’s in it for me?'” in the absence of government help to all businesses, Clinton said. The writers of Conficker and other worms are “as good as we are, if not better,” he said, and even if users are “sloppy” in security -- as Weiner suggested -- worm writers will always find new holes. Greg Nojeim, senior counsel for the Center for Democracy and Technology, agreed the government should give tax credits or procurement bonuses for companies who meet such elevated security rules.
Weiner was incredulous that no researcher had emerged who was “at least as smart as the guy who wrote” Conficker, which has continually evolved new capabilities. Researchers will probably never be on par with the Conficker writers in fighting new updates, but researchers have a “sustainable advantage” in detecting new infected hosts, which the writers tried hard to prevent, Joffe said. Conficker may turn out to be “all about monetization,” Kaminsky said, noting its latest iteration also dropped on user computers what appeared to be unrelated malware. That new malware stopped showing up in detections of Conficker two weeks later, Joffe said, “almost as if the authors of Conficker rented the use” of the worm.
The security of the electric grid and of mobile devices is a reason for concern, experts said. Smart-grid power meters increasingly are connected in a “peer-to-peer mesh” formation, by an industry that hasn’t had to deal with a decade of constant cyberattacks, Kaminsky said. The lack of mobile-focused attacks isn’t because of any superior security ability, he said: “The bad guys figure things out, but not immediately.” But the wireless carriers have actually done a pretty good job of securing their networks, Clinton said. Kaminsky said Research in Motion is the most security-conscious mobile device maker, given its focus on corporate customers sending sensitive data, adding that he’s not a consultant for the company. The “ObamaBerry controversy,” over the president’s desire to have a BlackBerry that meets the NSA’s security requirements, has been overblown, he said.
Nojeim was the only expert with firm views on where cybersecurity authority should be located, and he recommended the White House. Industry participation will be inhibited if another agency is in charge, especially the NSA, which shouldn’t have the dual role of protecting domestic systems and cracking into foreign systems, he said. DHS is a “natural place” for actual cybersecurity operations, though. Whether DHS, Commerce or the NSA, the organization in charge of cybersecurity needs “actual control,” including budgetary authority, Clinton said. Some sort of “White House structure” is probably best. Weiner said all parties should be careful not to turn cybersecurity into a media frenzy, as with shark attacks years ago. “We have to make sure we don’t allow the tail to wag the dog.”