Most everyone knows about the government’s role in protecting the .gov Internet domain from cyberattacks. But what role, if any, does the government play in protecting the larger, .com domain?
Private-sector experts say the government needs to be careful not to overstep its bounds.
James Lewis, director and senior fellow with the Center for Strategic and International Studies in Washington, says that the proper role for the National Institute of Standards and Technology in coordinating the battle for cybersecurity between the public and private sector is to represent the United States in working with other countries on setting standards for cybersecurity hardware and applications.
Don Proctor, senior vice president for cybersecurity at Cisco, says past experience shows the government needs to be careful.
“In the early 1990s, we had a set of security protocols called GOSIP, the Government OSI Protocols,” Proctor says. “The government decided it would mandate through its purchasing power a new set of protocols, not the protocols that had been adopted by industry, but a different set of protocols, and that it would require every business that sold information technology to the federal government to comply with those new protocols.”
Proctor says that after billions were spent to comply with GOSIP, the protocol was never deployed on a production computer network and was eventually rescinded.
He also counsels that keeping the law of unintended consequences in mind is a good rule of thumb when trying to determine the right role for government in protecting cyberspace.
At the same time, Proctor says the government has done some things well.
He cites the work that industry has done with NIST on the Security Content Automation Protocol (SCAP), under which cybersecurity systems can be monitored for compliance on an ongoing basis through automated tools, rather than being audited manually every quarter against a checklist. At the same time, Proctor reminds his audience that the cybersecurity battlefield is littered with failed attempts to impose one standard across the government space.
Lewis, Proctor and others discussed these issues recently at the “Symposium on Cybersecurity in the Commercial Space,” hosted by the Commerce Department and its component agencies, including the National Institute of Standards and Technology, the International Trade Administration and the National Telecommunications and Information Administration.
NIST director Patrick Gallagher says that when it comes to cybersecurity, the stakes are high for the nation.
“Taking into account business to consumer, and business to business transactions, online commerce in 2007 accounted for $3 trillion in revenue for these companies. In the business-to-consumer e-commerce space, the U.S. economy enjoyed an increase of up to 500 percent,” he says.
Lewis says that when it comes to cybersecurity, most Americans and business leaders prefer to “live in the moment.”
“We as a nation won’t do anything about cybersecurity until after some big event,” he says. “This is sort of the pattern in the U.S. It’s a few years off, so we have some time to get ahead of the trend line. And that might be a good task today. This isn’t about war; there may be some risk there. Maybe in the future. It’s about competitiveness. Think of it as competitiveness with military implications.”
Some of the most thoughtful comments on the panel came from Mischel Kwon, the well-respected and long-time former director of the Department of Homeland Security’s US-CERT, and before that, deputy director for IT security at the Justice Department. Today, she is vice president of public sector security solutions with RSA. She says that when it comes to the public and private sectors defending against cyberattacks, one of the biggest challenges is to fully understand the threat:
“Having moved to (the) private sector,” she told the audience, “my biggest battle cries [are] ‘It’s not just fraud, it’s not just state-sponsored, and it’s not just happening to you.’ I think we’re just now beginning to realize that web that’s woven between us. And now we’re articulating it more strongly today.”
And Kwon says that at a time when cybersecurity discussions are still focused on phishing, malware, Trojans and botnets, cyberattackers have moved on to the “advanced persistent threat.”
“And it’s not so much where the advanced persistent threat is coming from, it’s what the advanced persistent threat is,” she says. “Think about an attack that lobs in a phishing e-mail that deploys a Trojan, allows communication from inside your network. It then deploys further malware that eventually steals administrator passwords, and now lives in your network, and controls your network. That’s an advanced persistent threat. And that is hard to combat.”