Security bigwigs want more government involvement in cyber security

Schneier, McConnell, Chertoff urge joint solution to guard against cyberwar during RSA panel

I noted with interest the “Cyberwar Panel” session at the RSA Conference 2011 just concluded in San Francisco and knew I had to add it to my calendar. A similar panel at the 2010 conference drew a big audience and a robust debate about it in comments here to that post a year ago. This year’s session was less about the prospect of a cyber “Pearl Harbor” and more about the careful balance between government regulation and private sector initiative to guard against that.

Echoing the comments of Microsoft security chief Scott Charney from his Tuesday keynote calling for a “collective defense” of the Internet, this session’s panelists called for a combined government and private sector response to the threat.

Mike McConnell, who was Director of National Intelligence under President George W. Bush, and director of the National Security Agency under President Clinton, said the way to approach the threat is to have the government determine the objective to address a certain cyber threat and let the private sector compete to determine how best to meet that objective. McConnell, now an executive vice president at the consulting firm Booz Allen Hamilton, cited the example of the volume of financial transactions between the two largest banks that are the lifeblood of the U.S. economy, moving $7 trillion to $8 trillion a day.

“To protect those transactions there should be a requirement for a higher level of protection to mitigate that risk,” he said, but that government should set the requirement and the private sector should compete to figure out how to meet it.

Bruce Schneier, chief technology security officer of BT Managed Security Solutions and a frequent author and speaker -- also frequently quoted -- on computer security, agreed.

“Regulate results, not technology,” Schneier said. “If you regulate technology, you stifle innovation. If you regulate results, you incent innovation.”

However, he said there’s a limit to how much private companies will spend to protect themselves from cyber attack. He argued that businesses will only spend to protect their networks up to the value of their companies, but that there may be damage to the public and the economy that is much greater than that.

“The market won’t be able to solve that because the risk is greater than the company doing the work,” Schneier said.

Another solution to improving network security could be requiring companies to certify that they have taken the proper steps, said Michael Chertoff, former Secretary of Homeland Security under Bush and also a member of the 2010 RSA panel.

Chertoff called for a regulatory framework where company executives and board members sign on the dotted line, certifying what steps they have taken to secure their network, what backup systems they have in place and what level of resiliency is built into their IT system. “People take that seriously. Is it dramatic? No, but it moves the ball down the field,” Chertoff said.

Schneier concurred, noting that holding individuals at a company accountable for certain protections has worked with environmental regulations and Sarbanes-Oxley, the post-Enron law that requires directors and executives to certify their financial results.

Given the strong response from some readers to my earlier post about a government “National ID” proposal in Charney’s keynote, it was nice to hear these panelists downplay the either-or argument -- government or no government -- and advocate a third way that asks, as Rodney King famously did, “Can’t we all just get along?”

(The photo is of the panel at RSA, including moderator James Lewis, far left, a director at the Center for Strategic and International Studies, and, from left to right, Chertoff, McConnell and Schneier.)


Copyright © 2011 IDG Communications, Inc.