Competitive Enterprise Institute | 1899 L ST NW Floor 12, Washington, DC 20036 | Phone: 202-331-1010 | Fax: 202-331-0640
YES: Businesses have re-examined continuity plans, and governments have addressed physical and Web infrastructures.
By Marcus Sachs, director, SANS Internet Storm Center
Recently, there's been increased criticism of the federal government's efforts to secure the Internet. The September departure of Amit Yoran from the Department of Homeland Security was widely cited as indicative of problems that run deep, not just through DHS, but the entire government. While everyone agrees there's much work to do, it's important to recognize the accomplishments of the past few years.
The al Qaeda attack in 2001 was clearly a turning point. Immediately afterward, government and industry officials worked side by side to restore services to lower Manhattan and the Pentagon. Across the nation, industry leaders re-examined business-continuity plans while governments began the arduous task of building protective measures into both physical and Web infrastructures.
While the government was creating the DHS, computer-security experts began drafting a strategy for securing the nation's computer networks. Homeland Security's National Cyber Security Division, formed in 2003, has collaborated with industry, academia, and the international community to improve cybersecurity. It created the US-CERT in 2003 to act as our nation's single point of contact for Internet-security readiness. Network administrators subscribe to this warning system and use it together with private services to understand new Internet threats and vulnerabilities, such as viruses, worms, and weaknesses in popular software. Also, the FBI and the Secret Service have formed cybercrime investigative teams that have bagged numerous fraudsters and thieves in the private sector.
Sept. 11, 2001, wasn't the first event that triggered our government to combat cyberthreats, however. Cybersecurity organizations, including the FBI's National Infrastructure Protection Center, the Commerce Department's Critical Infrastructure Assurance Office, and the Defense Department's Joint Task Force for Computer Network Defense, were created in 1998. Industry was also engaged, forming sector-specific information-sharing centers, such as the Financial Services Information Sharing and Analysis Center and the IT-ISAC. These have been invaluable in countering Internet threats, such as the Sasser worm outbreaks.
Since 2001, we've learned that the government alone can't ensure cyberspace's security. Cyberspace belongs to all citizens and has no national boundaries. All Internet users have a responsibility to keep their systems secure, as do all businesses and government agencies. As standard practice, individuals regularly run antivirus software and are cautious about unfamiliar sites. And businesses design security into all information systems, develop internal cyberpolicies, and follow best practices.
Government's role should be to lead by example rather than pass legislation outlawing particular technical processes. Beginning with Homeland Security's internal networks, all government information systems should be the model of near-perfect security and an example for industry and private citizens to follow.
MARCUS SACHS is director of the SANS Institute's Internet Storm Center, a cooperative cyberthreat monitor and alert system. He is former director of the National Cybersecurity Division in the Homeland Security Department.
NO: Government should increase efforts to collaborate with the private sector. More legislation isn't the answer.
By C. Wayne Crews, VP, Competitive Enterprise Institute
Computer attacks like MyDoom, Sobig, and others have caused billions of dollars in global economic damage. MyDoom proved to be the world's fastest-spreading virus ever, sending out more than 100 million contaminated E-mails in its first 36 hours last January. And that's just one virus. The past 18 months have yielded a record number of even more sophisticated worms and other cyberattacks.
In their wake, questions abound about Washington's cybersecurity emphasis and whether it's sufficient. In September, Department of Homeland Security's cybersecurity czar, Amit Yoran, who had warned of a digital Pearl Harbor, abruptly resigned—the third administrator to do so—amid rumors of his frustration with the lack of attention paid to computer security at the agency.
Of course, it's not certain how much any government can do in this regard. What's clear is that proposing more legislation—which has been the government's answer to making the Internet more secure—hasn't done much good. The private sector needs to resolve the problems.
For example, last year's Can-Spam Act did little to stop the problem. On the contrary, it may even have inspired businesses to begin sending unsolicited E-mails. Moreover, the law doesn't address cyberthreats directly: The bad guys don't obey the law, and many viruses originate abroad and, therefore, aren't subject to U.S. regulation.
This impulse toward regulatory solutions has been a mistake. The government should focus on arresting computer criminals, not on cyber-regulations. In addition, the Bush administration itself should make sure it doesn't become a cybersecurity risk by undermining individual privacy in this age of proposed national ID cards to regulate encryption.
What the government can do is protect its own networks and set internal government-security product standards to get its own house in order. In addition, the administration should increase efforts to collaborate with the private sector. Private-sector experimentation in cybersecurity is necessary. The marketplace is increasingly forced to address cybersecurity, and efforts are under way, such as Microsoft's automating of security. Important cybersecurity concerns surround information sharing, anonymity, and questions of insurance and liability, all issues that CIOs and chief security officers deal with every day.
When the market makes mistakes—for example, spam blacklists—it's easier to change than bad government legislation.
Private innovations in security can create an environment where insurers feel more comfortable offering liability coverage. In addition, businesses could develop authentication technologies far more capable than those we have today. If vendors were starting from the ground up, it's likely they'd invent new solutions to put authentication at the core of a fully commercial network.
Even in the best case, it's not clear what government could really fix. But if government continues on its current path, a lot more could break.
C. WAYNE CREWS is VP for policy and director of technology studies at the Competitive Enterprise Institute, a non-profit group.
Tell us your views at www.optimizemag.com/forum/squareoff.