Industry: protecting cyberspace calls for financial incentives

Excessive oversight stifles public-private collaboration to protect networks, lawmakers told.

Dan Kaminsky, director of penetration testing for IOActive, testified that more discussions should focus on how to reduce the costs of delivering a solution. Jae C. Hong/AP

The federal government should use financial incentives to encourage private sector companies to deploy better network security, rather than issuing more mandates and regulations, said a panel of industry representatives during a hearing on Friday. One group of security companies proposed legislation that would define specific incentives for various segments of industry.

In the wake of numerous cyberattacks against sensitive defense systems and the nation's critical infrastructure, Congress introduced in recent months measures that call for stronger oversight of computer networks owned and operated by the private sector. But regulating how industry protects its network infrastructure would be counterproductive, Larry Clinton, president and chief information officer of the Internet Security Alliance (ISAlliance), told the House Energy and Commerce Subcommittee on Communications, Technology and the Internet.

"The good news is we know a great deal about how to defend our cyber infrastructure -- we just are not doing it," he said. ISAlliance was created to provide a forum for information sharing and thought leadership on data security issues. "A common theme from some policymakers who are relatively new to the severity of the cybersecurity problem is to say, 'Well, if industry won't do this on their own, we will just have to regulate them,'" Clinton said. "Such an approach is short-sighted and does not reflect a necessary understanding of the new breed of technology and issues created by the Internet." He noted regulations that address specific vulnerabilities or attacks are limited because technology and threats change quickly. But, he said, more flexible, conceptual regulations that try to address a broader range of cyber threats are too general to have real effect.

"Too much of the discussion focuses on how we can apply more pressure, and not enough about how can we reduce the cost to deliver a secure solution," said Dan Kaminsky, director of penetration testing for IOActive, a Seattle-based security consultancy. In 2008, Kaminsky discovered a critical flaw in the Internet's core infrastructure that, if not addressed, would have exposed almost every Web site, e-mail and online account to attackers. He worked with industry and the federal government to fix the problem, spawning what he called "the largest synchronized repair event in the history of the Internet."

"It was a perfect example of a public-private partnership, and a remarkable experience for all parties," he told lawmakers, noting that type of collaboration between public and private entities becomes more difficult when government acts as regulator of industry.

Clinton proposed the Cyber Safety Act, recommending incentives such as insurance, liability protections, procurement advantages, awards programs and small business loans for companies that tighten their security standards.

"You need to change the economics to make cybersecurity something people want to do," he said. "If we had the right incentives, people could fairly quickly and easily mitigate enormous percentages of threats, but everyone has to see some sort of benefit. . . . Incentives will be different for different companies; this is not a one-size-fits-all world. Stop making it that way."

But vice chairman of the committee Anthony Weiner, D-N.Y., questioned the rationale of rewarding companies for responsible security practices. "I find it puzzling that we need to offer incentives to do what is intuitive -- to not share terabytes of information on the Internet with hackers," he said.

Rodney Joffe, senior vice president and senior technologist at telecom services provider Neustar, also encouraged Congress to concentrate less on regulation and more on improving collaboration between the public and the private sectors. The U.S. Computer Emergency Readiness Team (US-CERT), which provides cyber incident response and defense capabilities and acts as a liaison between the public and private sectors, "is woefully underfunded and understaffed for the enormous task put before it," he said.

"Ideally, I would like to see a much more focused collaborative effort between the public and private sector -- a two-way street, where we reach back and forth to help one another," Joffe said. "While a lot of US-CERT's focus is properly placed on protecting our national infrastructure and our federal networks and resources, our economy also depends on a multitude of small companies. I would like to see the private partnership role expanded to include not only the major communications and IT companies, but smaller companies as well."