Observers recommend broader role for government in cybersecurity

Panelists say government should concentrate on preparing for the unknown and delegating responsibilities instead of developing best practices.

Public service campaigns to promote safe Web surfing and developing best practices for fending off cyberattacks are not constructive activities for the government, a panel of cybersecurity experts told Federal Communications Commission officials on Friday.

FCC is now identifying the five most critical threats to the Internet, as well as a plan to address such risks in accordance with the Obama administration's National Broadband Plan, a roadmap for attaining ubiquitous, affordable high-speed Internet access. To assess the threat landscape, the agency on Friday sought the input of about 10 security officials who work for Internet service providers, research institutions and the government.

The most vocal participants said the mercurial nature of attacks makes it nearly impossible to devise defensive procedures or rely on computer users to ensure that viruses don't spread. The most effective role for the government is preparing for the unknown, they said.

October marked the government's annual cybersecurity awareness month. This year's theme was the notion that cybersecurity is a shared responsibility among the government, network services providers and Web surfers.

But James Lewis, a senior fellow at the Center for Strategic and International Studies, a Washington think tank, said educating end users will not protect the Internet.

"I've kind of given up on the end points. We had National Cybersecurity Awareness month last month. A complete waste of time," he said. "We're never going to get the end, the edge, to be safe. It's never going to happen."

Instead, the government should concentrate on which agency or combination of agencies, such as FCC and the Homeland Security Department, should coordinate with ISPs, Lewis said. They should cooperate to ensure that customers, including federal workers, are supplied almost automatically with the best defenses against malevolent intruders.

An example of the need for such proactive tactics is the shift from attacks against networks to botnets. Botnets -- organized by cybercriminals -- invisibly hijack multiple Internet users' computers or mobile devices to spread content that steals personal information through the users' communications with others.

"We've seen less attacks on the Internet, or at us, and more using us to go after financial gain," said Ed Amoroso, senior vice president and chief security officer for AT&T. "The threat that seemed so real two or three years ago around attacks at infrastructure really in two years has changed."

Studying past attacks to defend against future threats, therefore, may not be productive, he added. "It's hard to lay out a concrete set of best practices and follow it because what we do is so fluid that we have to be willing to take the playbook and throw it out and start a new one the next week or the next month, depending on what the threat is." Amoroso said that today he is obsessed with how botnets are affecting his customers but tomorrow he could be worried about vulnerabilities with different risks and fixes.

A more effective approach for protecting government and private sector computers would be practicing solutions to worst-case scenarios, the panelists said. "Have you had a day yet where you came in and you had a directive at work, where it said: 'Don't turn on your Blackberry . . . It's probably infected. If you do, all this awful stuff is going to happen,' " Amoroso said. "And you would go, 'Ok, what do I do?' "

The government has not discussed those sorts of situations, he said. "I think this idea of preparing for a battle that we can't define today is the way we need to start to operate," Amoroso said.

But other participants said there are some strategies to reduce risks that government and industry should immediately carry out.

"It's true that this problem is not going to go away. That doesn't mean we give up on trying to solve it," said Ari Schwartz, senior Internet policy adviser at the National Institute of Standards and Technology. He likened the situation to fighting fires. "We're never going to have an end to all fire accidents. But we can come up with different standards, different technologies, different policies that help us mitigate them," such as building codes and smoke alarms, Schwartz said.

Many preventive measures are expensive for ISPs to deploy across the country. That's where the government can step in to help, even without subsidies, which the industry generally opposes, panelists noted.

The federal government -- the largest U.S. consumer -- can wield its purchasing power to require that ISPs include security enhancements in all federal contracts. Such technologies include the Domain Name System Security Extensions (DNSSEC) protocol, a set of standards that digitally signs the DNS records used to look up server addresses, so that when computers and mobile devices talk to each other, hackers can't misdirect their communications to fake websites.

If agencies bought only products that support DNSSEC, that would help the Web industry afford to develop the same protections for all products and services nationwide, said Andy Ellis, senior director of information security and chief security architect for Akamai, a content delivery company.

"That's not a subsidy. That's the government as a consumer, saying, 'We feel that level of security is important for us and therefore we'll pay for it,' " Ellis said. "When the government decides to do that, people will build it. And once you've built a technology, you're really happy to go sell it to everybody else."
