A Conversation on Cyber Security

George Washington University’s Homeland Security Policy Institute hosted “A Conversation on Cyber Security Legislation,” this morning. The participants included Adm. Mike McConnell, former Director of National Intelligence, Michael Chertoff, former Director of the Department of Homeland Security, Tommy Ross from the Senate Office of Majority Leader, Jeffrey Ratner from the Homeland Security Governmental Affairs Committee (Majority), Nick Rossi from the same committee (Minority), Tom Corcoran from the House Permanent Select Committee on Intelligence, and Kevin Gronberg from the House Committee on Homeland Security.

The discussion began with remarks from Adm. McConnell and Sec. Chertoff. McConnell discussed the current cyber threat picture, noting that while he was at NSA he was given the prediction that 90% of the world’s communications will be over fiber optics. Over time it’s become clear how “amazingly easy” it is to exploit that mode of communication. With regard to the legislation pending in Congress (in particular, the Senate’s Cybersecurity Act of 2012, and two House bills, the Cyber Intelligence Sharing and Protection Act of 2011 and the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness (PRECISE) Act of 2011), McConnell said that the bills were long overdue, and necessary but nevertheless insufficient. He said that market forces are not enough for cyber threats, and that there are unique things that only government is equipped to do. He also noted that in the current legislative debate, concerns over privacy and perceived regulatory burdens on industry are holding back government from defending this infrastructure.

Chertoff spoke next, and indicated his agreement with McConnell’s remarks. He suggested that the criticism of cyber “hype” is largely misplaced, and pointed to the case of Nortel (which was recently found to have been the subject of cyber thefts over a ten-year period), Stuxnet (and potential uses of similar technology to inflict harm on US critical infrastructure), and the rise of groups like Anonymous as examples of the gravity of the threat environment. Chertoff said the cyber battlefield is everywhere, and is most felt by the private sector, which he considers both a combatant and a target. On the legislation, he said three core elements are necessary: information sharing (which he called “foundational”), liability protection and incentives, and standards setting and requirements for critical infrastructure. He suggested that market forces are inadequate for this threat, and provided the following example: a $1 million enterprise won’t spend $10 million to safeguard its systems – to it, that’s just not worth it. Nevertheless, a failure of those systems could lead to damages of hundreds of millions of dollars. The market can’t sufficiently address that.

The senior legislative staff spoke next, each defending the legislation they were working on. They were quick to point out that where the market operated properly they wanted it to continue to do so.

Corcoran, with the House Intelligence Committee, touted the Defense Industrial Base (DIB) Pilot as a workable foundation and what led the Intelligence Committee to adopt a similar approach with the Cyber Intelligence Sharing and Protection Act. He said committee staff spoke with industry and tried to figure out what obstacles they faced in terms of effective information sharing; the committee then sought to remove as many of those barriers as possible.

Gronberg, who works for the Homeland Security Committee, said that their approach with the National Information Sharing Organization (NISO) would work well because it pools information and expertise into a single clearinghouse. He suggested that it would also help to facilitate a common operating picture for industry and agencies.

Rossi agreed that the common operating picture would be a “game changer,” but said it would require all sorts of information sharing procedures (seemingly endorsing what the Senate bill and both House bills offered).

On this note, McConnell raised an alternative or possible addition: since NSA is at the heart of the cyber realm, task it with establishing an all-source information center, and provide security clearances for ISPs and other stakeholders – bring them in to participate. With respect to the NSA, he also suggested a potential avenue could be for the agency to scan domestic traffic for malware, but forbid it from examining content on those networks. Upon prompting from the Wall Street Journal’s Siobhan Gorman during the Q&A period, the other panelists mildly took issue with that idea, noting that while NSA’s capabilities are superior, highly sophisticated, and necessary for safeguarding US systems, domestic networks ought to be the domain of DHS. As it stands now, McConnell later added, if NSA sees an inbound threat aimed at a private sector asset, it is only authorized to “write a report about it.” The unstated implication seemed to be that those restrictions need to be changed.

Chertoff made an interesting point regarding the tools that “the adversary” uses against government networks and critical infrastructure systems. He began by noting that opponents often use the cheapest, least sophisticated tool in their arsenal, and only pull out the “big guns” (my words) when necessary. He argued that setting standards and enacting other measures that enhance security forces the opponent to bring out those big guns. This allows us to get a look at the equipment and adapt to it, thereby further improving our security. McConnell added that if the intelligence community does its job, “we’ll know the malware” before it’s revealed and will have already adapted to it.

On the matter of potentially devastating cyber capabilities and the potential disincentive for countries like China or Russia to employ them (mostly because the catastrophic harm that such weapons could yield would undoubtedly cascade and affect them as well), McConnell said there is a strong fear of the potential consequences from such capabilities leaking to more aggressive, less prudent opponents.

The discussion closed with a request for predictions on the outcome for this legislation, which no one seemed comfortable offering.

You can watch the event in full here.
