Former Cybersecurity Chief Hathaway Warns ‘Urgency’ Gone in Year Since Review
Other countries are taking cybersecurity more seriously than the U.S., judging by recent mandates in Europe, a former Obama administration official said Tuesday. Melissa Hathaway, who led the Cyberspace Policy Review that culminated in President Obama’s promise not to “dictate” standards for industry (WID June 1 p1), sounded a note of frustration over slow progress in fleshing out the recommendations in her report. “I feel like we have lost the sense of urgency” that held sway in the wake of the report, she told the Internet Security Alliance in Washington, which gave Hathaway an award.
The recent cyber attacks against Google and other companies show they're “on the front lines of an already raging cyberwar,” Alliance President Larry Clinton said. That’s why policymakers must look beyond technology to address cybersecurity, he said, a subject broached in the alliance’s “Social Contract 2.0” report that recommends the government back a “utility service model” that gives market incentives to industry to improve cybersecurity. Recent studies have shown that while cybersecurity investment is actually declining, with half to two-thirds of companies pulling back spending, there are already simple fixes for 80 to 90 percent of vulnerabilities and attacks, Clinton said. Hathaway’s report, the “most sophisticated effort to date,” shows how to integrate strategic and economic concerns with a technical approach.
Crammed into an office meant for three people, Hathaway and several others “worked around the clock” to interview industry, academia, civil-liberties groups, international counterparts and lawmakers, papering the office with Post-It notes, she said. The fruits of that labor and the source documents that went into it are on the White House website, but in the year since the review started, momentum has slowed, Hathaway said. “A full spectrum threat requires a full spectrum response, and it requires a mobilization of all of the resources that this country can bring to bear,” most importantly to translate complex issues into simple action items. “We can no longer accept a polite conversation” about cybersecurity, she said.
Cyberattacks can have far-reaching consequences on the economy and consumer protection, Hathaway said: A distributed denial-of-service attack on prominent websites such as Amazon.com and Walmart.com days before Christmas likely led shoppers to visit less-trustworthy e-commerce sites, where their payment information may not be secure, she said. Fortune 100 companies saw a 200 percent increase in cyberintrusions in the same period, taking advantage of limited workforces over the holidays, she said: “We challenge our notion of what is a ‘trusted transaction’ now.”
“We need to be creative in the use of our technology” to educate the public, said Hathaway, now a cybersecurity consultant and adviser to Harvard’s Kennedy School of Government: “Why don’t we have a Twitter alert if there’s a new infection out there?” Videogame companies could design educational games that teach kids about network security as well, she said: “Tell a simple story so people start to understand and raise awareness,” at the dinner table or water cooler.
Hathaway said the U.S. must increase its “black belt” of cybersecurity professionals, tasking hundreds of thousands of workers with the cyberdefense of the government and industry, and start before there’s a “crisis at hand.” High school cybercompetitions and challenges are already common, funded by groups including the SANS Institute, and they should be used more often for recruitment and linked to the Centers for Academic Excellence in information assurance, funded by the National Security Agency and Department of Homeland Security, she said. Big companies should also consider sponsoring such challenges for students, Hathaway said. A recent Carnegie Mellon University cyberchallenge that featured teams from around the world, grouped by country and also multinational, should be followed with more of that nature so people in different countries can share tips and experiences, she said. “Our dollars and euros would go much further” if the U.S. and European Commission pooled their cybersecurity R&D budgets.
A 20-year veteran of the private sector, Hathaway said “we don’t do a very good job of communicating at the same level” between business and government worlds. Justifying cybersecurity in business means showing it won’t dent return on investment or quarterly earnings targets, while in government, agencies must defend their cybersecurity efforts against competing policy matters such as health care, she said. Policymakers should be thinking about how cloud service providers can be vetted for such regulations as Sarbanes-Oxley as more data from the government and business move online, she said.
Other countries are ahead of the U.S. -- German ISPs have to notify customers of network breaches under a new law there, while 500,000 pound fines have been proposed for company breaches in the U.K., Hathaway said. In northern and eastern Europe, ATMs won’t dispense cash unless the account holder’s mobile phone verifies through geolocation that the holder is making the transaction -- a better authentication measure than, say, requiring a zip code to pump gas, which doesn’t “port across cultures and across geographies.”
Hathaway didn’t discuss some of the biggest controversies in cybersecurity. Asked why her report didn’t identify the circumstances that would qualify an attack as an act of cyberwar, Hathaway said that government lawyers were still trying to come to a determination of what would qualify and what’s still a gray area. The Cybersecurity Enhancement Act recently approved by the House, a measure focused on R-and-D spending and cybersecurity workforce development, will help cybersecurity efforts if it focuses attention on high-priority items, she said. New White House cybersecurity coordinator Howard Schmidt has as much authority as he could hope for, by virtue of having the Office of Management and Budget as an ally, Hathaway said. The real problem lies outside the Washington area, where cybersecurity solutions aren’t well known, she said, citing her frequent travels.