DHS: Standards Should Stymie Threats

Monday, October 10, 2011 @ 05:10 PM gHale


While cyber-attacks continue to be a threat to the United States and its economy, a Department of Homeland Security network security expert said solutions are not up to the government alone.

With millions of computers falling victim to infectious software, most agree standards should be in place so victims can effectively and uniformly respond to a threat. The problem: Which standard? The difficulty is so many stakeholders are a part of the issue — consumers, Internet service providers, government agencies — no one knows who should be writing the rules.

RELATED STORIES
Vast Divide over Security Perceptions, Reality
Standard for Security in Action at NSA
Survey: Users Abide by Security Policies
Roadmap for Energy Cyber Security

Companies are leery of government regulations that would require cyber security measures within their networks, advocating instead for a blended authorship of response protocols shared by the government and the private sector.

Officials at the Departments of Homeland Security and Commerce, along with the Federal Communications Commission, are studying the problem. They agree government should not take the lead in prescribing a battle plan against cyber threats, said Bruce McConnell, senior counselor and director of Cyber Strategy at DHS’ national protection and programs directorate. Instead, the departments are playing a “facilitative role” in devising standard responses to certain types of cyber attacks, he said last week during a panel discussion at the Center for Strategic and International Studies.

By bringing together private companies, technical experts and government agencies, the goal is to emerge with an agreed-upon, uniform national response plan that can occur when an entity detects certain cyber threats, he said.

One of the most malevolent threats to cyber security, botnets, affect as many as 4 million computers a month. A collection of computers infected by a single person or program, they can compromise personal information and exploit the machine’s Internet access and computing power. The malignant software can steal information or can use other infected computers to crash websites or other computing networks by flooding them with information from multiple sources at once.

“Botnets truly are a scourge. They can be the vectors of serious threats or can hide other threats and make them harder to find,” McConnell said. Despite the threat to both the public and private sectors, “Homeland Security has been focused on an educational role, rather than a protect-and-prevent role,” he said.

Because the problem is at the user level, government officials consider it an enemy best fought through education rather than a top-down mandates of how to address botnet infections, he said.

Congress, however, is likely to consider some form of legislation to get the process going and bipartisan consensus exists on the issue, said Cameron F. Kerry, general counsel for the Department of Commerce. McConnell agreed legislation should and likely would occur through the current Congress, though no one knows how it will read.

ISPs especially are resistant to government oversight of their customer service, said Kate Dean, executive director of the U.S. Internet Service Provider Association.

“The government needs these companies to remain dynamic,” Dean said. “Any kind of uniform response is going to handcuff us from responding in this dynamic threat environment.”

ISPs are not solely responsible for providing Internet security to the customer, she said.

DHS and Commerce have launched a request for information — open through Nov. 4 — that solicits input on how to develop a plan of attack against cyber threats that includes customers, ISPs, application vendors, the government and other stakeholders. The plan seeks information on how to detect threats, what to do when they appear and who will help victims cleanse infected computers.

“It always baffles me when I hear ‘we had a really bad attack,’” McConnell said. “There’s no video [of cyberattacks]. It’s an almost invisible crime that’s being committed. … We need to reach a national consensus on this and move forward.”



Leave a Reply

You must be logged in to post a comment.