WASHINGTON — A Friday afternoon in spring might not be the best day to hold a hearing on the Hill if you’re looking for a strong turnout, even if the subject is something as important as cyber threats to the nation’s infrastructure.
Nonetheless, New York Democrat Anthony Weiner sat alone on the dais last week, probing for answers from a panel of cybersecurity experts on the proper course for the federal government to take as it contemplates what could be a dramatic overhaul of its cyber-defense operations.
The most coherent message Weiner received from the witnesses in the far-ranging hearing was the hope that the government will do more to further cooperation with private industry to combat the fast-moving threats that defy the jurisdictional boundaries for which the government is known.
“The problems that we are trying to solve are smeared across company boundaries, smeared across individual boundaries, and indeed smeared across public-private sector boundaries,” said Dan Kaminsky, a noted security researcher with IOActive best known for discovering the Domain Name System vulnerability that threatened to bring the Internet to its knees last year.
Cybersecurity has been a popular topic in Washington these days. Aside from the Conficker scare and the alarming reports of data breaches in the systems behind the electrical grid and a U.S. warplane, those involved in the policy debate are eagerly awaiting the results of a sweeping review of government cybersecurity commissioned by President Obama. That report, currently on the president’s desk, could set the stage for a major reorganization of the federal cybersecurity apparatus and lay out a roadmap for government cooperation with the private sector.
Meantime, in April a pair of senators introduced a far-reaching cybersecurity bill that would promote government cooperation with private industry. But the Cybersecurity Act of 2009 would also grant the president the authority to declare a “cyber emergency” and direct commercial ISPs to shut down their networks, as well as giving the Commerce Department the ability to bypass existing privacy laws to monitor electronic communications.
That level of authority has raised serious concerns among digital-rights groups, most vocally the Center for Democracy and Technology. At Friday’s hearing, CDT Senior Counsel Greg Nojeim said the government should adopt a tiered approach to cybersecurity that would apply stricter controls over its own digital infrastructure, such as the networks behind the electrical grid or defense systems, than over the consumer-facing Internet.
“While some have proposed giving the president this extraordinary power over all critical infrastructures, we believe it should extend only to governmental systems,” Nojeim said. “To our knowledge, no circumstance has yet arisen that would justify a presidential order to cut off Internet traffic to a private critical infrastructure system when the operators of that system think it should not be cut off.”
Nojeim also appealed for the government to concentrate its cybersecurity authority within the civilian Department of Homeland Security, rather than the National Security Agency, which is administered by the Defense Department. The question of which agencies should handle the brunt of the work is likely addressed at length in the report Obama is currently reviewing. Many have warned that the secretive nature of the NSA is poorly suited to partnerships with industry.
“Where the work is located will have an impact on industry participation,” Nojeim said. “DHS is a natural place for a lot of this work.”
Public-private partnerships in an area such as cybersecurity, which virtually everyone agrees are a good idea that should be encouraged, invariably invite the argument over how much control government should have in dictating the operations of companies in the business world.
Larry Clinton, president and CEO of the Internet Security Alliance, an industry group, cautioned against the type of excessive regulation that can bog down cyber defenses. A firm supporter of a coordinated public-private approach, Clinton suggested that the government’s most appropriate role would be to enact policies that would incentivize private firms to implement a more sophisticated security framework. The main impediment to cybersecurity, after all, is that it is expensive to implement, so some form of government grant or insurance break could shore up some of the weaker nodes in the commercial sector.
Kaminsky agreed, telling Weiner, “I don’t think enough of the discussion happens around how can we reduce the cost of delivering a secure solution.”