RealTime IT News

FCC Panel: Cybersecurity Needs Incentives

With the Federal Communications Commission marching through nearly three-dozen workshops planned to gather information for its national broadband plan, it was only a matter of time before the agency took on cybersecurity.

FCC officials heard suggestions from an array of experts in academic, public and private sectors of the broadband community about how to address security concerns as the agency mulls strategies to spur greater expansion and adoption of broadband networks.

Don Welch, president and CEO of the nonprofit research group Merit Network, told the commission that the incentives for commercial ISPs to justify investments in network security are largely absent from the current broadband market.

"The real difficulty in the commercial world is it's very difficult to point to an ROI," Welch said. "If we're successful, nothing happens."

Welch argued that the FCC and other federal entities would have a tough time enacting meaningful cybersecurity mandate. Instead, he suggested, the federal government would be well advised to alter the market structure to incentivize security through policies such as requiring ISPs to disclose information about network breaches.

"If I can say 'my network is more secure than your network' ... I'll get some justification for investing in cybersecurity," Welch said. "Coming up with that return is really what's going to be hard for private industry."

The timing of today's meeting was a propos. Tomorrow, the first day of October, kicks off what has been designated National Cybersecurity Awareness Month. Homeland Security Secretary Janet Napolitano is scheduled to mark the occasion at an event in Washington hosted by the National Cybersecurity Alliance.

This morning's session also comes amid considerable soul-searching across the federal government as lawmakers and officials explore policies to shore up the nation's digital infrastructure.

"I firmly believe that security is the most important challenge facing the communications sector," FCC Commissioner Meredith Atwell Baker said at this morning's meeting. "I think it's really important we get this right, because if this is the part we get wrong, all the rest is for naught."

The FCC is due to present its national broadband plan to Congress in February.

Several of the presenters at this morning's meeting, including representatives of ISPs AT&T (NYSE: T) and Level 3 Communications (NASDAQ: LVLT), highlighted the challenge of sharing data about threats across the Internet community.

"One of the great questions is always 'where did this attack come from,'" said John Nagengast, executive director for strategic initiatives with AT&T's Government Solutions division. "That's probably the most difficult question to answer, and the only way we're going to get to that is global real-time monitoring."

An effective information-sharing regime gets into the thorny area of creating partnerships between the federal government and the private sector, which is at the heart of various policy proposals, including the cybersecurity policy review President Obama commissioned earlier this year. It also highlights the challenge of removing the barriers for corporate rivals to share threat data with each other, the presenters said.

"Health organizations seem to have found a way to get past this information-sharing problem," said Richard Perthia, director of the Carnegie Mellon University's Computer Emergency Response Team (CERT).

Perthia noted the success of the World Health Organization in monitoring the spread of pandemics such as the H1N1 flu in virtually real time.

"Whatever those mechanisms are I think we need to look to those to get past this hump of information sharing, because we're not there yet," he said.