Chertoff Calls For Private Sector to Help Secure ‘Net

Michael Chertoff

Source: DHS/RSA

SAN FRANCISCO — Uncle Sam needs you.

While the U.S. government can’t be sure what the next big cyber-threats will be and from where they’ll come, that isn’t stopping the Department of Homeland Security (DHS) from working to develop preventative measures.

But it can’t go it alone. In an address here at the RSA security conference, DHS chief Michael Chertoff detailed ongoing cyber-dangers in an effort to lobby for new and deepened partnerships between government and the private sector to head them off.

It’s a tall order since, as Chertoff readily conceded, private business is generally focused on profit and less on preventative security investments that might not be needed — or that might not pay off at all.

But Bob Blakeley, research director in identity and privacy strategies at Burton Group, told InternetNews.com that Chertoff needs to continue to lobby for business involvement.

“You need public funds to protect the infrastructure,” Blakeley said. “But the private sector has to have an interest in the country’s security. Maybe you need an incentive structure, but it’s a very important issue.”

Unfortunately for Chertoff, the DHS secretary was preceded by a skeptical warm-up act. During a cryptography panel discussion preceding his talk, one expert questioned whether DHS made smart investments in security.

“Sometimes the United States seems to do just the opposite,” said Adi Shamir, a computer science professor at the Weizmann Institute of Science in Israel.

Shamir said a recent New York Times article noted DHS is promoting a $300 million upgrade of fingerprint systems used at airports which scans two fingers, to a more sophisticated one that scans all ten fingers. That system has already been upgraded in a number of airports, according to the report.

Despite such investments, Shamir claimed the payoff has been scarce.

“The track record so far is they’ve caught about 2,000 people, most of whom were guilty of overstaying their visas” — that is, not necessarily criminal threats, he said.

“I think if they went to a ten-finger system they’d probably catch one more guy, a very expensive guy,” he added, to a chorus of laughs from an audience comprised chiefly of security professionals.

Chertoff didn’t mention the fingerprint system in either his prepared remarks or the press conference that followed.

[cob:Pull_Quote]Rather, the he emphasized the size, scope and impact of online threats, which he said could well be on par with the Sept. 11 terrorist attacks.

“We do know there are far-reaching consequences because so much of the world depends on the Internet to conduct activities, both in the public and private sectors,” Chertoff said.

As a result, he urged greater cooperation between government and the private industry to share information and develop better, more extensive security solutions.

“The risk of a cyber attack is not the same as managing a transit system or securing borders,” Chertoff said. “The government doesn’t own the Internet, thank God, and the federal government can’t be everywhere at once … it can’t protect every computer system or home computer from attack.”

Unlike past conflicts and periods like the Cold War era — where the U.S. had a clear idea of who it was fighting — Chertoff said the rise of the Internet has given equal opportunity for individuals, small groups and nation-states to inflict massage damage on foes.

Continued from Page 1.

One example Chertoff noted was last year’s cyber attack on Estonia, which virtually crippled that country’s computer systems for weeks.

He said the Estonian government’s computers were inundated with over 2,000 visits per second as part of the botnet attack.

“There were more than a million computers involved in that attack,” he added.

Determined attackers

The U.S. government worked with Estonia to repair the damage and better secure its systems, Chertoff said.

“But it’s an example of what determined terrorists or others can do,” he said. “Imagine if a sophisticated attack paralyzed our financial system … or our air traffic system? It’s easy to see such an attack would have very real-world consequences.”

In addition to appealing for greater corporate support in combating such threats, Chertoff pointed to ways in which the government is doing its own share of safeguarding the country’s information infrastructure.

In particular, he singled out President Bush’s January signing of a National Cyber Security initiative — describing it as a needed “quantum leap” in how the nation can address online threats.

He compared the effort behind that bill to the Manhattan Project that led to the development of the atomic bomb.

Specifically, the National Cyber Security initiative aims to have the DHS and other departments developing and deploying technologies that will protect Internet domains and secure the reliability and security of the nation’s network infrastructure.

For instance, Chertoff said the new initiative would close thousands of access points into federal Internet domains, helping government agencies better manage and identify threats by reducing them to about 50.

[cob:Special_Report]

Organizational considerations are also heavily influencing DHS’s efforts. Chertoff said that because a reactive, command-and-control system is not adequate to deal with today’s attacks, his department is working to develop a flatter, more distributed system to identify and mitigate threats.

“It takes a network to beat a network,” he said.

For security reasons, Chertoff declined to detail specific technologies or the scope of DHS’s efforts. But he did discuss a system, called “Einstein”, that records and analyzes Internet traffic.


“Ideally, our vision is to work with others, including intelligence agencies, to look more deeply at the Internet and what might be launched before it comes.”

Despite those efforts, Chertoff emphasized that the government’s role remains limited.

In the case of individuals, he said Internet users can help by availing themselves of the latest commercial security solutions.

“I think our role in preparedness is to give people the information they can use to protect themselves,” Chertoff said. “It’s not to sit on individual people’s computers. There are hundreds of reasons we don’t want to do that.”

Get the Free Newsletter!

Subscribe to our newsletter.

Subscribe to Daily Tech Insider for top news, trends & analysis

News Around the Web