A panel of cyber-security experts at the RSAConference agreed on one thing – the nation’s cyber-security strategy needs beefing up. Finding a way to do that without sacrificing privacy however is more elusive.
“You don’t want necessarily to have the government literally sitting there and operating the internet and opening and closing doors because it’s not hard to imagine a situation like you have in other countries where someone makes a decision that the threat isn’t just an attack by a botnet but an attack on ideas the government doesn’t like,” said Michael Chertoff, former U.S. Secretary of Homeland Security. “So the key is to build a system that allows a sharing of information that does put on critical infrastructure a responsibility to maintain itself…but preserves a certain gate between them and a certain amount of accountability so that the government can’t simply just roughshod over the privacy.”
Chertoff was part of a three-man panel today at the conference in San Francisco that also included Marc Rotenberg, executive director of the Electronic Privacy Information Center ( EPIC), and Richard Clarke, who served as special advisor to Pres. George W. Bush for cyber-security and is now chairman of Good Harbor Consulting.
“What we’re looking at are for architectural solutions that don’t rely on every company doing everything right,” Clarke said. “To say to every company you have to have all your patches up to do date, you have to have all these systems, it’s not going to happen. Therefore you want to look for ways further up the food chain that you can have some effect.”
Clarke’s suggestion: require Tier 1 ISPs to do deep packet inspection to protect users. However that could open up its own can of worms, Rotenberg argued, by giving businesses access to content they could use for advertising purposes.
“Now you know a lot about your customers that you didn’t know before,” Rotenberg, who added that businesses could deflect criticism by saying they have to look at the content because of the mandate. “If we go down this road you really have to be very careful because one rationale easily collapses into another.”
When it comes to regulations, the devil is in the details, said Chertoff, adding that writing those types of rules can be difficult.
Part of the problem is the government has discredited itself in the last 10 years, Clarke said, referring to controversies involving privacy violations. In addition, the agency best equipped to lead the charge on the issue – the National Security Agency (NSA) – is the wrong agency for the job, he said.
“NSA is the wrong organization to defend the private sector…they’re the right organization to defend the military,” Clarke said.
“The problem is right now no one is defending the private sector,” he continued. “The theory of the Obama administration seems to be cyber-command defends the military, DHS (Department of Homeland Security) – which can’t do it yet – defends the .gov community, and the rest of us are on our own.”
The challenge is to strike the right balance between those who don’t want government regulation and those who recognize the government has both unique capabilities and access to insights about the threat landscape that isn’t always available to the private sector, Chertoff said. The question is how do build an architecture that allows the sharing of information and facilitates a coordinated response, he added.
“I don’t think there’s any real dispute about the need to improve network security to recognize there are threats to U.S.federal agencies, U.S.firms and I should say U.S.consumers…I think the big questions are what do we do?” Rotenberg asked rhetorically. “Do we give the government a lot more authority? Do we start authenticating all users? Do we start tracking all communications? This is where the debate really begins.”