DHS: Government Has Limited Role Fighting Cyberthreats
While cyber-attacks continue to be a threat to the United States and its economy, a Department of Homeland Security network security expert said the government alone should not prescribe how the nation’s computers are kept safe.
With millions of computers falling victim to infectious software, most experts agree that standards should be in place so victims can effectively and uniformly respond to a threat. The difficulty is that so many stakeholders are involved in the issue (consumers, Internet service providers, government agencies) that no one knows who should be writing the rules.
Companies are leery of government regulations that would require cybersecurity measures within their networks, advocating instead for a blended authorship of response protocols shared by the government and the private sector.
Officials at the Departments of Homeland Security and Commerce, along with the Federal Communications Commission, are studying the problem. They agree government should not take the lead in prescribing a battle plan against cyberthreats, said Bruce McConnell, senior counselor and director of Cyber Strategy at DHS’ national protection and programs directorate. Instead, the departments are playing a “facilitative role” in devising standard responses to certain types of cyberattacks, he said Oct. 4 during a panel discussion at the Center for Strategic and International Studies.
By bringing together private companies, technical experts and government agencies, the goal is to emerge with an agreed-upon, uniform national response plan that can be enacted when certain cyberthreats are detected, he said.
Botnets, one of the most malevolent threats to cybersecurity, affect as many as 4 million computers a month. A botnet is a collection of computers infected by a single person or program; it can compromise personal information and exploit each machine’s internet access and computing power. The malignant software can steal information or can use other infected computers to crash websites or other computing networks by flooding them with information from multiple sources at once.
“Botnets truly are a scourge. They can be the vectors of serious threats or can hide other threats and make them harder to find,” McConnell said. Despite the threat to both the public and private sectors, “Homeland Security has been focused on an educational role, rather than a protect-and-prevent role,” he said.
Because the problem is manifested at the user level, government officials consider it an enemy best fought through education rather than top-down mandates on how to address botnet infections, he said.
Congress, however, is likely to consider some form of legislation to get the process going, and bipartisan consensus exists on the issue, said Cameron F. Kerry, general counsel for the Department of Commerce. McConnell agreed that legislation should and likely would be enacted by the current Congress, though no one knows how it will read.
ISPs especially are resistant to government oversight of their customer service, said Kate Dean, executive director of the U.S. Internet Service Provider Association.
“The government needs these companies to remain dynamic,” Dean said. “Any kind of uniform response is going to handcuff us from responding in this dynamic threat environment.”
ISPs cannot be held solely responsible for providing Internet security to the customer, she said.
DHS and Commerce have launched a request for information — open through Nov. 4 — that solicits input on how to develop a plan of attack against cyberthreats that includes customers, ISPs, application vendors, the government and other stakeholders. The plan seeks information on how to detect threats, what to do when they appear and who will help victims cleanse infected computers.
“You can’t just focus on the ISP,” said Michael O’Reirdan, chairman of the Messaging Anti-Abuse Working Group, a trade association that monitors online exploitation. “It’s a team sport and everyone has to play their position.”
O’Reirdan cited several examples of how foreign governments work with the private sector to combat cyberthreats. Australia has enlisted 90 percent of its service providers to monitor customers’ computers and notify them when symptoms of infection are detected. Customers can then address the problem either personally or by seeking assistance.
Japan has implemented a similar system, but victims of cyber-attacks can consult a national “cyber clean center” that works with tech companies and the Japanese government to help computer owners battle malware. Germany has a similar national response infrastructure in place, O'Reirdan said.
Another difficulty is identifying who is responsible for the penetration of a computer when almost anyone can remain anonymous. That will also be an issue tackled by DHS and Commerce.
With continuing assaults on the nation’s computing networks, why has the issue not emerged in the national security debate until recently? While footage of the smoldering World Trade Center towers burned into the national consciousness the need to retaliate, cyber-attacks are often invisible, said McConnell.
“It always baffles me when I hear ‘we had a really bad attack,’” McConnell said. “There’s no video [of cyberattacks]. It’s an almost invisible crime that’s being committed. … We need to reach a national consensus on this and move forward.”