At the White House Summit on Cybersecurity and Consumer Protection on Feb. 13, the challenges and ironies that the modern Internet presents, as well as its benefits, was the topic of much discussion. The Internet is a source of openness and commerce, but the Web is also the medium by which new forms of cyber-attack and theft can occur.
On one hand, the Internet has enabled an unparalleled era of innovation and collaboration. On the other, the Internet has also enabled attackers to cross nation-state borders at will in the digital realm and impact Americans.
In his remarks at the summit, President Obama referred to the dichotomy of the modern Internet as a paradox in that the same openness that has enabled the Internet to be successful is the same openness that has allowed attackers to be successful, too. President Obama noted that connectivity brings benefits but also brings risks.
The executive order on cyber-security information sharing that President Obama signed on stage at the event is all about industry and government working together as partners.
President Obama stated that it’s not appropriate for the U.S. government to secure the private networks of private businesses.
However, the other paradox of Internet cyber-security is that, in some cases, the government is the only organization that can respond fully to a nation-state based cyber-security incident.
Responding to Attacks From Abroad
During the daylong summit, Kevin Mandia, former CEO of Mandiant and currently senior vice president and chief operating officer at FireEye, served on a panel, along with representatives from the Federal Bureau of Investigation and the U.S. Secret Service, about international law enforcement cooperation. Mandia said that if a U.S. company is attacked by a foreign nation-state, then the United States should respond.
That assessment makes a lot of sense.
During the Cold War era, no individual American company was responsible for defending itself against the potential risk of a tactical missile strike from the Soviet Union. So how can any individual American company be fully responsible for defending itself and responding against the coordinated attack of a nation-state threat actor?
Then again, the United States simply cannot defend every American company from cyber-attack; the attack surface today is too large. Defending American interests is—not just about securing networks—but about the ability of law enforcement to identify and bring attackers to justice.
Mandia expressed some concerns about the ability of the U.S. government to bring attackers outside the United States to justice.
As it turns out, the long arm of U.S law enforcement does extend beyond the borders the United States. So, even today, even before any impact from the president’s executive order on cyber-security information sharing, the FBI and the U.S. Secret service are, in some cases, making strides on that front.
Joseph Demarest, assistant director in the FBI’s Cyber Division, and Ed Lowery, deputy assistant director, Office of Protective Operations, U.S. Secret Service, both commented that information sharing between countries is helping U.S. law enforcement deal with hackers outside the United States. However, they acknowledge that the process of working through law enforcement agencies outside the country can be lengthy.
The Paradox of Today’s Internet and Cyber-security
The Paradox of Openness Is Necessary
While sharing information with the U.S. government to protect against adversaries is a presidential directive, in the banking sector, sharing information across banks has been successful.
In a panel at the cyber-security summit, Richard Davis, chairman and CEO of the U.S. Bank, explained how the Financial Services Information Sharing and Analysis (FS-ISAC) effort has helped protect the financial sector from cyber-attacks. The concept of ISAC grew out of Presidential Decision Directive 63 (PDD-63) in 1998—which, much like the new directive signed by President Obama on Feb. 13, is about fostering collaboration and information sharing.
Enterprises, whether they are banks or otherwise, can help each other defend themselves.
The Internet can be used for both good and evil as with many things in life. Consider water, which brings life to this planet, but that can also take life in the event of a flood. Much like water, the Internet needs to flow freely, but just as there are control points for water quality and storm sewers, there is a need for control points on the Internet, too.
The paradox of openness needs to be maintained in a free society. There isn’t a need to create a surveillance state for the Internet to continue to prosper, but there is a need to share information and there is key role that government plays in that regard.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.