Is government the odd man out in cyber defense?
Conficker group creates a 'new model,' but agencies contribute little
After years of lip service to public-private collaboration, the government apparently still has trouble working and playing well with others.
That is a conclusion drawn from a study, commissioned by the Homeland Security Department (DHS), of lessons learned from the Conficker Working Group (CWG). The working group is an ad hoc assemblage of more than two dozen companies, Internet registrars, universities and agencies including the FBI and DHS, that came together in 2008 to combat the Conficker worm.
“In coordinating to stop the botnet threat, the CWG became a model for cyber defense,” the report said. “Thanks to this effort, we can glean a number of valuable lessons to guide how future efforts may be initiated, organized and managed.”
According to the study, what worked was the collaboration between companies and Internet organizations. One of the things that didn’t work was the government’s collaboration.
“The group as a whole saw little participation from the government,” the report, released this month, said. “One person put it as ‘zero involvement, zero activity, zero knowledge.’ ”
Group finds a way to thwart Conficker (no thanks to government)
Have agencies scrubbed the Conficker worm from their systems?
The study was conducted by the Rendon Group, and although members of the CWG were interviewed, the conclusions are not necessarily those of the working group, CWG chairman Rodney Joffe wrote on the group’s Web Site. “Nonetheless the Core Committee of the Conficker Working Group believes the report has substantial value,” he wrote.
An evaluation of the government’s performance was complicated by a lack of clear expectations, the report found. “Those interviewed did not necessarily express a clear consensus on what the government role should have been, with some expressing a desire for greater communication and collaboration while others indicated that they felt the private sector is more capable of managing the effort.”
The government did play an important role in funding research on the worm and it apparently took full advantage of the group’s work. Joffe, senior vice president at Neustar Inc., a directory services provider that administers the domain name registry for the .us country code top level domain for the Commerce Department, reported last year that agencies apparently had cleaned Conficker out of most of its infected systems. By tracking the scanning activity of the Conficker worm, Neustar found that the number of infected government systems dropped from a peak of tens of thousands to less than 40 systems in the entire federal network.
But there remains the clear perception, at least, that the government either is not able or not interested in cooperating with the private sector. This is a dangerous situation, given that every strategy, study and musing on national cybersecurity has emphasized the need for a public-private partnership in protecting our critical infrastructure.
The bulk of this infrastructure — commonly published guesstimates put it around 85 percent — is owned and controlled by private companies. The nation’s two predominant cybersecurity organizations, DHS and the National Security Agency, have acknowledged they have neither the resources to nor the responsibility for protecting privately owned networks and systems, although they are critical to national security. The solution, everyone agrees, is public-private cooperation.
There probably is blame on both sides for the lack of effective collaboration. Businesses have different goals, structures and obligations than does government. But if competing companies can come together effectively with each other, and with universities and Internet governance organizations, to combat a cyber threat, it appears that government is the odd man out. The results of the Conficker Working Group study should be carefully evaluated to determine where and how improvements can be made.