Last night, President Obama delivered his State of the Union address where he announced his much awaited cybersecurity initiatives. Cybersecurity only made up a small aspect of the President’s speech but he outlined his proposed legislation that we previously mentioned in the Cyber Roundup. However, as our nation’s digital systems continue to be bombarded by hackers and other nations, some critics do not believe that the President’s initiatives go far enough or will solve the underlying problems we face in cyberspace. Joel Brenner is voiced his criticisms here in Politico Magazine, below is synopsis.
According to Brenner, the underlying issue is the Internet itself. He agrees, information-sharing between the private sector and the government is needed and Congress should act. Stricter laws and penalties for hackers are necessary. A uniform breach-notification law would make compliance easier and streamline the process of notification. However, none of these proposals will address the weakness’s of the internet, better secure our infrastructure and communications systems against attack or prevent breaches of retailers.
Brenner argues that the Internet was created so that government scientists could easily and efficiently collaborate with a select few American universities but it had no security functions built in. Today our nations critical infrastructures run on the same Internet that I am using to write this and you are using to read it. Along with The Council’s Cyber Roundup, Brenner states that “virtually all our communications, including military command and control, run on this insecure network. Government affairs in all advanced nations run on it. Air traffic control and railroad switches are exposed to it. Factories rely on it. Offshore drilling rigs in the North Sea and the Gulf of Mexico and local water treatment plants run on it. They are all vulnerable, and they have all been hacked.”
To address the issues of Internet insecurity, we have adopted moat-and-drawbridge approach based on firewalls, which as completely failed at limiting malware attacks. Another solution has been to limit data leaving ones systems. However, this requires constant over watch of systems, which is expensive, time consuming and requires a large number of skilled technicians that we don’t have. As Brenner says, we are essentially playing Whac-a-Mole against extremely sophisticated enemies who continue to be a step ahead of us and our systems.
Brenner offers “five commercial, political and technical challenges that the president should have addressed that could make a real difference.”
- Increase research funding to develop a more secure Internet “in which computer instructions could be separated from data storage.” Additionally, he believes that online identity is an issue. Although there are times where we like to be anonymous online, “we need identity assurance in secure communications, in credit transactions and in other contexts where a counter-party demands it.”
- Simplify industrial control systems, “we can test a chip to ensure that it will reliably do what it was meant to do, but no can assure us that a device with a million gateways will not do things it is not supposed to do.” According to Brenner, a move away from complex multi-functioning devices to industrial control systems that operate off of devices that are as simple as possible to efficiently function will help secure systems. However, we do not develop devices in this manor, so the federal government should lead the way.
- “Utilities and other infrastructure operators must be able to factor the cost of security into their rates — including the cost of implementing robust controls.” Politically this would cause problems with State utility commissioners but our water supply, sewage system or especially our electric grid are extremely vulnerable and according to Brenner, “when an attack occurs, many of the efficiencies gained by exposing the grid to the Internet will prove to have been illusory, and the cost of making infrastructure more robust now will look cheap compared to the cost of a major blackout or sewage cleanup.”
- Begin to dismantle cyber criminals vast networks of botnets, which are often allowed to flourish on the Internet except for the most dangerous. Transparency from Internet providers on botnet activity is a necessary step but for long term security we need to focus on their complete elimination.
- Security can no longer be left to consumers and even most businesses because in the end they have no clue about the complexities of the systems that they are using. To solve this issue Brenner looks towards data center companies, “which manage huge volumes of traffic efficiently, will increasingly exploit the growing market for high-level security management in the commercial sector. Huge economic benefits, for example, can be achieved by using data centers to securely manage power generation and transmission.” This type of partnership may also play an important part in combating botnets. \
Joel Brenner is a former senior counsel at the National Security Agency. His full story in Politico Magazine can be found here.