Architecture, Network security

Black Hat: Less gov’t involvement would be a good thing

July 30, 2009
While all eyes seem fixated on who will be named to the federal cybersecurity coordinator post, some may be overlooking the expansiveness of the private sector to defend against attacks, according to a panel of government and public policy experts speaking Wednesday at the Black Hat conference in Las Vegas.

“If our nation came under attack tonight, we don't have a way to respond,” said Marcus Sachs, executive director of government affairs for national security policy at Verizon.

“We've got to, as a nation, step up to the plate and be leaders as we've always been,” added Sachs, who also is director of the all-volunteer SANS Internet Storm Center. “Do we need a cyberczar? Are we that hopeless that we can't figure out, as community, how to do this?”

The private sector owns about 85 percent of the nation's critical infrastructure.

Amit Yoran, CEO of security intelligence firm NetWitness and the former director of US-CERT, agreed.

“To think that the government is the center of defense in the cyber realm, I think is a fallacy,” he said.

Richard Marshall, a senior information assurance representative at the National Security Agency who was speaking as a private citizen, suggested that internet service providers should be the ones tasked with defending networks from malicious attacks. He said these companies can transfer the cost to customers and be incentivized with tax breaks.

“Who owns the internet?” he asked. “The [telecommunication companies]. Why don't they protect the assets?”

Sachs and Yoran disagreed, saying this type of action could lead to complexity, inefficiency and a stifling of innovation.

But Marshall insisted that users willing to pay for ISP protection should be able to.

“The market can provide the solution,” he said. “You don't need the government to do it.”

Leslie Harris, president and CEO of the Center for Democracy & Technology, said she supports letting the private sector take the lead on cyberdefense plans. But she said there is a need for a government leader to coordinate potentially duplicate efforts by federal agencies.

Yoran, meanwhile, said he sees a role for government in the spearheading of research-and-development efforts. Right now, he said, one-tenth of one percent of government research dollars go to cybersecurity.

“It seems woefully inadequate,” he said.

Still, federal leadership seems inevitable, as evidenced by the unveiling of President Obama's Cyberspace Policy Review. But transparency and privacy are key, Harris said.

“If we do it right, then we maintain these important values…If we do it wrong, we can do it in a way where privacy is not taken into account and where civil liberties are diminished," she said.

prestitial ad