International Trade Today is a service of Warren Communications News.
‘Out-Innovated’ by Enemy

House Panel Seeks Ways to Bolster Network Cybersecurity

Network operators have enough incentive to protect networks from cyber attacks, major telecom industry officials said Wednesday at a House Communications Subcommittee hearing. But legislators should remove barriers to information sharing, promote cybersecurity education and invest in research and development, they said. The witnesses said new mandates are unnecessary and potentially burdensome. “We don’t know what it is that you should be telling us to be doing,” said AT&T Chief Security Officer Edward Amoroso.

The Communications Subcommittee is searching for ways to help, said Chairman Greg Walden, R-Ore. The body recently started a bipartisan working group (CD March 2 p13) to make suggestions. “With an eye toward incentive-based approaches, the working group looks to facilitate communication among private sector companies and with the public sector on a variety of topics, including DNSSEC adoption, supply chain risk management, and a voluntary code of conduct and best practices for network operators,” Walden said.

Walden sought specifics on rules or laws that may be barriers to industry’s cybersecurity efforts, he said. That has to be the focus, said Rep. John Shimkus, R-Ill., because a tightened budget makes it difficult for Congress to do anything with a “dollars and cents component.” He said tax credits and other spending proposals are probably out. Several GOP members emphasized they are against new regulation. “Prescriptive mandates” are “not necessary” and “will not work,” said Rep. Cliff Stearns, R-Fla.

Rep. Doris Matsui, D-Calif., said she hopes to find incentives for “a sharing of information that goes beyond … commercial concerns.” She said she fears the U.S. is “losing control” of cybersecurity.

The U.S. already is “out-innovated by our adversaries,” Amoroso said. Attacks have become so sophisticated that security experts like Amoroso “marvel” at their brilliance, he said. It’s impossible to prescribe ways to deal with the threats because they're constantly changing, and no government agency is in a better position than industry to solve the problem, he said. Publishing a list of best practices would be the equivalent of an NBA team advertising its defense to the other teams, he added.

“Beware of mandates,” said Comcast Vice President Jason Livingood. Checklists and other compliance measures will burden industry, he said. “When you write a law, we do paperwork,” instead of responding to threats, Amoroso said. Companies “are heavily incented to make sure that we're protecting not only our internal resources but all our partners that are interconnected,” said MetroPCS Chief Information Officer John Olsen.

Amoroso didn’t see sharing information among industry entities as a significant problem, though he said competitive factors can come into play. Security firms hired by networks already share information with each other, but a central clearinghouse enabling carriers to notify other carriers about threats could be helpful, said Olsen. Amoroso cautioned against broadcasting information so widely that adversaries can see it.

It would be helpful if government shared its own information about threats with industry, the witnesses said. Intelligence and law enforcement agencies see problems that network providers don’t look for, Amoroso said. What government sees is “much different than what we see,” agreed Scott Totzke, senior vice president of Research In Motion’s BlackBerry Security Group. He urged a “more transparent, more real-time” mechanism for that type of sharing.

Other barriers to keeping up with threats include frequent release of buggy software and an increasingly complex Internet infrastructure, Amoroso said. He also complained that privacy concerns can restrict sharing of customer information used only for security. Malware is “not really a civil liberties issue,” he said.

Security experts aren’t always highly educated, witnesses said. One of Research In Motion’s biggest talents dropped out of high school, Totzke said. But the U.S. is losing many of the students it trains in computer science, Amoroso said. A 65-person college class he teaches is “98 percent foreign nationals,” and most of them plan to leave the country when they're finished with school, he said.

Wednesday’s hearing was the subcommittee’s second this year on cybersecurity. The subcommittee plans another soon with witnesses from federal agencies, said full committee Ranking Member Henry Waxman, D-Calif.