Genachowski Not Shy About Going After ‘Low-Hanging Fruit’ to Shore Up Cyber Defenses
As the government deals with the global challenge of cyber security, it’s important to focus on the little things, FCC Chairman Julius Genachowski told computer security professionals Tuesday at a cybersecurity conference sponsored by the Atlantic Council. The FCC’s small business initiatives have included releasing a tip sheet with advice for small businesses about password-protecting their wireless networks, and a “small biz cyber planner” to help businesses develop a cyber security plan. “Yes, this is low-hanging fruit,” Genachowski said. “There is a lot of low-hanging fruit to tackle in addressing cyberthreats. And we can’t let the larger and more complex challenges keep us from making practical progress on low-hanging fruit.”
Genachowski noted he tasked the FCC’s Communications Security, Reliability and Interoperability Council with tackling a few discrete issues because a “boil the ocean” approach is less likely to lead to real-world progress. Cablevision and Charter Communications have now joined many other U.S. ISPs in committing to implement the CSRIC recommendations, he said, which will bring the share of American consumers with access to enhanced security to 90 percent.
The commission is attempting to enhance security while still preserving an open Internet and consumer privacy, Genachowski said. “What some see as a fundamental divide between privacy and security is a false choice. In fact, they're complementary, and we need to do both.”
We need a “new mental model” to ensure the Internet remains unfettered yet secure, said Jamie Barnett, chief of the FCC Public Safety Bureau. “We really did think about the proper role of government,” he said, pointing to the multi-stakeholder CSRIC model that seeks “smart, practical, voluntary solutions through cooperative efforts.” The frontline of cybersecurity will always be in private hands, he said. “So the FCC’s view has been, how do we organize that?”
“The notion of a perimeter defense is a myth,” said Rick Howard, general manager of iDefense. As companies begin to realize they'll be breached, they can start focusing on what to do about it, he said. Many of iDefense’s customers watch traffic as it leaves their network, and “discover patterns that shouldn’t be there,” he said. “Should Rick Howard send a Word document to someplace in China? If that’s happening at 3:30 in the morning, maybe that shouldn’t be happening at all.”
Fundamentally, it’s a complex adaptive system, and a singular linear approach won’t work, said Robert Ghanea-Hercock, chief research scientist at BT Security Research. “It’s continually adaptive. Whatever steps we take, the adversaries, the bad guys, are adapting. And they will always adapt.” It’s also a big data problem, harder than finding the proverbial needle in a haystack, he said. It’s like looking for “a slightly perturbed piece of straw in a haystack.” The problem is compounded because “the end-user really is like Homer Simpson” when it comes to security, he said. “They really are clueless.” Ghanea-Hercock expects that “ultimately the Internet is going to have something like an immune system.” Just as people carry pathogens that attack the viruses we all carry around, so will the Internet, he said.