RealTime IT News

Black Hat: U.S. Needs 'Cyberweapons' for Security

WASHINGTON -- Is it time for the U.S. to develop "cyberweapons"?

Paul Kurtz thinks so. A former cybersecurity and homeland security expert for the Clinton and Bush White Houses blasted the current state of U.S. network defenses during a keynote here at the Black Hat security conference, arguing that the country's efforts are both poorly coordinated and outgunned.

"Fusing information from the local level and data derived from national intelligence is critical to our success in cyberspace," Kurtz said. "Think back to 9/11: We know what happened when information is not fused and shared properly. The same thing is happening in cyberspace today."

Kurtz, a partner with IT security and risk management consultancy Good Harbor, served previously as the founding executive director of the Cyber Security Industry Alliance (CSIA). Earlier in his career, Kurtz served as a special assistant to President Bush and a senior director for the White House Homeland Security Council. Kurtz also aided President Obama's transition team prior to the January inauguration.

To help defend the country, Kurtz called for more aggressive collection and sharing of intelligence, along with new capabilities to strike back with the U.S.'s own cyberweapon arsenal.

"We need a policy that shows where attacks are coming from so the U.S. government will connect the dots in cyberspace ... to better understand who is attacking our networks," Kurtz said. "That is the beginning of a deterrence policy."

Kurtz's keynote comes as the new administration in Washington is itself pushing for increased security within the government, even as high-profile vultnerabilities and security breaches continue to surface.

While Obama's agenda for cybersecurity includes the development of standards for tougher security standards to protect U.S. infrastructure, Kurtz said that the nation needs to go further -- perhaps uncomfortably far for some at Black Hat -- in response to the increasing militarization of cyberspace.

"If I say the NSA [National Security Agency] has an important role to play in cybersecurity, some of you might get queasy," Kurtz said. "I would argue they do have an important role. Today, we have limited capability to determine origin of attacks. Adversaries are taking advantage of the fact that we are not connecting the dots in cyberspace."

"Beginning of a deterrence policy"

To help rectify that situation, Kurtz called for greater sharing of data between commercial enterprises and law enforcement services.

He also added that the U.S. needs cybersecurity oversight that would ensure a degree of transparency, arguing that the U.S. intelligence services has an obligation to share information with other parties -- though he admitted that the question remains as to which agency would be the likely one in charge.

"NSA has the infrastructure to collect and analyze information," Kurtz said. But the Department of Homeland Security "doesn't have much to offer other than what the private sector shares with them."

Kurtz also said that the U.S. needs to establish a National Cybersecurity Center that coordinates activities and information. Such a center would not be tasked with replacing big commercial security vendors, but instead to focus on larger problems of cyberspace that affect strategic U.S. interests.

Being able to gather intelligence on who's attacking is only one part of Kurtz's deterrence plan, however. The other portion involves developing the capability to launch cyberweapons, he said.

One example Kurtz described is an Internet-based attack that could "suppress" an enemy's arsenal of conventional weapons. He did not elaborate.

"We need to have to have a long-term strategic vision for the development of cyberweapons to destroy our adversaries' capabilities," Kurtz said. "We cannot sit back and not have the capabilities to defend ourselves in cyberspace, but we need clear principles to define where we are going."

Part of developing those principles involves understanding who is responsible in the event of a large-scale cyberattack. Kurtz argued that the answer to the question of government responsibility is another area that's currently unclear -- but one that he said Obama must address.

"Is the FCC [Federal Communication Commission] responsible?" Kurtz asked. "The FCC has yet to step up to the plate to ensure the reliability of the Internet, and they have not kept pace online with what our adversaries are capable of today."

Kurtz argued that telecom carriers don't want more FCC regulation, but the government needs to think through who ultimately is in charge in case of a large-scale cyberattack.

"Is there a FEMA [Federal Emergency Management Association] for the Internet?" he said. "I don't think there is, and I don't think we don't have the capability today."