Who is responsible for cyber security?

Times Staff Writer

Three very big and very different computer security breaches that have dominated recent headlines did more than show how badly the Internet needs major repairs. They also exposed the huge rift between corporate America and the federal government over who should fix it, cyber-security experts say.

In the last few months, law enforcement officials cracked an international ring that tapped customer databases and trafficked in tens of millions of credit card numbers; a researcher uncovered a major flaw that permits hackers to steer some Web surfers to fake versions of popular websites filled with malicious software; and computer assaults, which some researchers said they had traced back to Russia’s state-run telecommunications firms, crippled websites belonging to the country of Georgia.

Yet the episodes did little to boost cyber security higher on the agendas of the federal government or the two major presidential candidates.

“Nothing is happening,” said Jerry Dixon, the former director of the National Cyber Security Division at the Department of Homeland Security. “This has got to be in the top five national security priorities.”

Dixon is just one of hundreds of technology executives and experts who have been saying for years that Washington needs to do much more to protect consumers, businesses and the government itself from attacks by criminal hackers and those supported by rival nations.

The government has largely argued that the private sector is better suited to tackle the broader problem.

But big corporations say it’s too big for them to handle. They say the Internet’s technical underpinnings, which are loosely administered by the Commerce Department, need a major overhaul to eliminate vulnerabilities.

Why such a persistent disconnect?

It’s partly because cyber security crosses so many lines in the executive branch. Homeland Security oversees protection of government networks, and the Federal Bureau of Investigation and Secret Service pursue cyber crimes. When those cases lead to other countries, the State Department must get involved.

More important, most of the Internet’s infrastructure -- the big computers and data pipes through which our bits travel -- is in private hands.

So for years, the government has assembled task forces that call for greater cooperation and communication between the public and private sectors. But experts say the reports have yet to yield tangible results, while the bad guys have become increasingly adept at exploiting new security holes in software and hiding their electronic infiltration from anti-spyware and firewall programs.

At the Black Hat technology security convention in Las Vegas this month, Dixon and others on a joint government-industry panel discussed recommendations they were drafting for the next president.

Members of the panel, convened by the Center for International and Strategic Studies, said that cyber security should be a priority because the country is under attack from organized hackers. But they said that during his first hundred days in office, John McCain or Barack Obama would be far more likely to tackle high-profile voter concerns -- the economy, Iraq, education, housing -- than cyber security.

As if to underscore the gap, the government’s latest point man on cyber safety used a keynote address the next day to discuss economic theory, explain why Abraham Lincoln was the nation’s “first wired president” and dismiss calls for the financial industry and others to beef up security spending.

“Over time, the banking industry is pretty rational,” said Rod Beckstrom, director of the new National Cyber Security Center, which is part of Homeland Security. “So they’re probably doing a good job on investment.”

He added that private security spending in general was probably at about the right level.

In the hallway afterward, executives grumbled that Lincoln had nothing to do with protecting their corporate networks.

A position paper outlining McCain’s technology policy platform, released by his campaign this month, barely mentions security. It says that the Republican candidate is for privacy and against spam and fraud. It also says his “record reflects the careful balance between protecting the essential elements of the Internet and securing the Internet as a safe tool of commerce, education and entertainment for our citizens.”

Democrat Obama’s platform doesn’t differ much on security, although it calls for restrictions on how databases of information on citizens can be used and for the appointment of a federal chief technology officer to coordinate infrastructure efforts.

Outsiders urge far more action.

Security expert Bruce Schneier, in his monthly newsletter, said that any new cyber-security czar should have budget authority. He also said that the government needed to demand more security in the products it buys and undo laws protecting software companies from liability lawsuits.

Vint Cerf, an early architect of the Internet who is now employed by Google Inc., said in an e-mail exchange that Washington should quickly switch Web-address suffixes such as .com to an existing but more secure version of the Domain Name System, the electronic method for getting people to the right numbered addresses for the Web address names they type.

Cerf also encouraged the government to try to rein in the increased functionality of Web browsers, which can open computers to permanent damage, and to invest more in domestic and international cyber-law enforcement.

Beckstrom, an entrepreneur with little security experience before taking the helm of the National Cyber Security Center, is best known as the co-author of a recent book on the power of decentralized organizations. The nearest he got at Black Hat to faulting the status quo was when he said that a Domain Name System flaw recently discovered by security researcher Dan Kaminsky that had tech giants scrambling for solutions was a “huge problem.”

Beckstrom said some effort should be devoted to rethinking the address system and other basics of Internet architecture because they represent a “single point of failure,” a weak spot presenting an effective target. Otherwise, he praised the corrective power of the free market.

That’s not enough for people like Dixon, who said that companies hold back on computer security because it’s expensive and they aren’t punished when something goes wrong. Although customers who lose information occasionally sue, few change their buying habits after even well-publicized breaches.

“The biggest thing we’ve noted is the lack of a guiding Net plan that includes privacy and infrastructure security,” Dixon said. “We need an overarching cyber doctrine that’s shepherded by the White House.”