Last week, the George Washington University’s Homeland Security Policy Institute (HSPI) held a “Conversation on Cybersecurity Legislation with Mike McConnell, Michael Chertoff, and Senior Congressional Staff.” Video of the event, along with background materials, can be found here: http://www.gwumc.edu/hspi/events/cyberPRF413.cfm
On one hand, the sausage-making portion of the discussion with congressional staff was interesting, if not too enlightening to one uninitiated in the dark legislative arts. On the other, former DHS Secretary Chertoff and former DNI McConnell seemed to echo some of Phil’s framing of the cyber issue in his last post.
Obviously, these two men fall into Phil’s descriptive pot “Those that may make money on increased attention to cybersecurity are in favor of the current proposal.” In fact, both gentlemen agreed that the current legislation is a start, but that more is required. To be fair, both also have extensive knowledge of the threats and vulnerabilities involved in the cyber domain.
More interesting, to me at least, was their description of the issue of regulation vs. collaboration, which serves to reinforce Phil’s frame. To paraphrase Chertoff: “how can you expect a company that is worth $10 million to voluntarily spend $1 million on cyber security, despite the fact that the cascading vulnerabilities could cost the nation $10 billion?” McConnell, for his part, discussed the military’s initial aversion to the Goldwater-Nichols reforms, now credited with producing a superior fighting force that collaborates not only because it has to, but because the specific design of the system makes such cooperation something the services now want to accomplish.
Phil characterized it in his last post:
While the efficacy of the new bill is debatable, it is clear the current approach — depending almost entirely on voluntary collaboration — has not worked. The weakest links in the cybersecurity system are the least willing to show up, talk turkey, and truly collaborate in sharing information and changing behavior. What do you do when “pretty please”, earnest presentations on self-interest, and peer pressure do not work? What do you do when neglect by one “house” on the block endangers the safety of the entire block (or city)?
Sanctions are needed. But no matter how tough, sanctions will not be sufficient. Whatever sack of sanctions is available, unless the sanctions are used to craft collaboration (rather than mere compliance) cybersecurity will not be enhanced. The threat of regulatory sanctions may encourage collaboration, but a rigid regulatory approach alone will only achieve minimal compliance, which in cyberspace will always lag behind new threats and vulnerabilities.
If you are interested in cybersecurity, I would highly recommend going back and re-reading Phil’s piece with his intriguing suggestion that cybersecurity lessons can be derived from the model of the Coast Guard: http://www.hlswatch.com/2012/02/24/creating-a-cyber-coast-guard/
Then watch the HSPI event, which may shed some light on the competing legislative priorities and processes that may, hopefully, someday result in a bill: http://www.gwumc.edu/hspi/events/cyberPRF413.cfm
The Washington Post reports on the tussle between the White House and NSA over the divide between access and monitoring for threats on one side and privacy rights on the other:
The National Security Agency has pushed repeatedly over the past year to expand its role in protecting private-sector computer networks from cyberattacks but has been rebuffed by the White House, largely because of privacy concerns, according to administration officials and internal documents.
The most contentious issue was a legislative proposal last year that would have required hundreds of companies that provide critical services such as electricity generation to allow their Internet traffic to be continuously scanned using computer threat data provided by the spy agency. The companies would have been expected to turn over evidence of potential cyberattacks to the government.
NSA officials portrayed these measures as unobtrusive ways to protect the nation’s vital infrastructure from what they say are increasingly dire threats of devastating cyberattacks.
But the White House and Justice Department argued that the proposal would permit unprecedented government monitoring of routine civilian Internet activity, according to documents and officials familiar with the debate. They spoke on the condition of anonymity to describe administration deliberations; internal documents reviewed by The Washington Post backed these descriptions.
A few days ago, the Government Security News website reported on remarks by former NSA and CIA Director Michael Hayden that covered topics not usually associated with cyber issues: mitigation, response, and recovery:
So, when Hayden says the U.S. may be spending too much time thinking about cyber vulnerabilities and not enough time thinking about the actual consequences of a successful cyber attack, it probably makes sense to pay attention.
“We may be at the point of diminishing returns by trying to buy down vulnerability,” the general observed. Instead, he added, maybe it’s time to place more emphasis on coping with the consequences of a successful attack, and trying to develop networks that can “self-heal” or “self-limit” the damages inflicted upon them.
“I cannot stop them at the perimeter,” Hayden acknowledged, “so, how do I deal with the fact that they are on the inside.”