Industry to Congress: Hands off cybersecurity
A panel of network executives warned legislators in a March 7 hearing that government regulation could hamper efforts to get ahead of innovative bad guys, and said market forces are the best tool for encouraging cybersecurity.
“Anything you can write down as a best practice is already being done,” Edward Amoroso, chief security officer of AT&T Services, told the House Energy and Commerce subcommittee on Communications and Technology. “The new things we’re working on you don’t know about.”
The hearing was part of a response to a GOP cybersecurity task force that last year recommended Congress concentrate on targeted, easy-to-achieve legislation rather than a comprehensive cybersecurity bill. The task force also recommended that Congress avoid regulation in favor of incentives for voluntary cooperation, a sentiment that was echoed by the witnesses.
“More can and should be done, but carefully,” said David Mahon, chief security officer for the Tier 1 backbone provider CenturyLink. The government should focus on enabling information sharing within industry and with government, without prescriptive regulations. “We and our peers already have the strongest commercial incentives to protect our networks,” he said. “There is neither a lack of will nor a lack of commitment.” But he warned that private-sector efforts could be diverted by checklist requirements.
“Market forces are better suited to respond to constantly changing cyber threats,” said John Olsen, CIO of MetroPCS Communications.
What industry needs are safe harbors from liability and public disclosure of threat and vulnerability information, together with greater access to and freedom to use government information, witnesses said.
The lone voice on the panel in favor of any security standards was Scott Totzke, senior vice president of Research In Motion’s BlackBerry Security Group, who spoke in favor of baseline standards for vendors, with testing programs to validate vendor claims for the security of products. Although now being challenged by other products, RIM’s BlackBerry has for years been the dominant mobile device in government.
“Greater adherence to security standards like FIPS [the Federal Information Processing Standards] would help customers better understand their personal and professional investments in protecting their information,” Totzke said. “The assurance that the information is trusted and suitable for use by some of the most security-conscious organizations in the world is an essential cornerstone in developing trust and confidence.”
Witnesses described a common set of security efforts being taken to secure their networks, with multiple layers of defenses. Comcast has taken an additional step by becoming the first large Internet service provider to implement the DNS Security Extensions to help protect the Domain Name System.
Comcast vice president for Internet systems engineering Jason Livingood said that the 2008 announcement of a critical vulnerability that would allow easy DNS poisoning “scared the heck out of us.” The company began implementing DNSSEC to help it reach the critical mass needed for better security. “It will require adoption across the entire ecosystem,” he said.
Despite market-based incentives to secure their networks and the current lack of government-mandated security, commercial networks are still falling behind in their efforts to defend themselves.
“We are being out-innovated by our adversaries,” AT&T’s Amoroso said. He described malware “so good, so well-crafted that we are amazed at how far our adversaries have come.”
Amoroso said that any government regulation would stifle innovation needed to get out in front of the bad guys, and said that service providers should not be responsible for providing additional security for their customers. He also was doubtful of the value of DNSSEC, saying that cryptographic applications are “incredibly complicated to run,” and that “complexity of the infrastructure is the biggest problem in cybersecurity.”
He conceded that DNSSEC does have some benefits, but warned that unintended consequences of implementing the technology could make security worse.