SENATE PANEL: 80 PERCENT OF CYBER ATTACKS PREVENTABLE
Kim Zetter, Wired, 11/17/2009
If network administrators simply instituted proper configuration policies and conducted good network monitoring, about 80 percent of commonly known cyber attacks could be prevented, a Senate committee heard Tuesday.
The remark was made by Richard Schaeffer, the NSA’s information assurance director, who added that simply adhering to already known best practices would sufficiently raise the security bar so that attackers would have to take more risks to breach a network, “thereby raising [their] risk of detection.”
The Senate Judiciary Subcommittee on Terrorism, Technology and Homeland Security heard from a number of experts offering commentary on how the government should best tackle securing government and private-sector critical infrastructure networks.
Larry Clinton, president of the Internet Security Alliance, told senators that public apathy and ignorance played as much a role in the current state of cyber security as the unwillingness of corporate entities to take responsibility for securing the public’s data.
“Many consumers have a false sense of security due to their belief that most of the financial impact resulting from the loss of personal data will be fully covered by corporate entities like the banks,” he said. “In fact, much of these losses are transferred back to consumers in the form of higher interest rates and consumer fees.”
As for corporate and government entities that collect and store the public data, they “do not understand themselves to be responsible for the defense of the data,” said Clinton, whose group represents banks, telecoms, defense and technology companies and other industries that rely on the internet. “The marketing department has data, the finance department has data, etc, but they think the security of the data is the responsibility of the IT guys at the end of the hall.”
A 2009 Price Waterhouse Cooper study on global information security found that 47 percent of companies are reducing or deferring their information security budgets, despite the growing dangers of cyber incursions.
Federally mandated cyber security standards are not the answer, Clinton said, since they would be seriously counterproductive to national economic and security interests. To improve cyber security, the public sector would have to institute sufficient market incentives to motivate companies to protect the public’s interests. His group plans to release a proposal next month laying out some recommendations.
Philip Reitinger, director of the National Cyber Security Center at the Department of Homeland Security, said that end users also need to be made aware of the simple things they can do to protect themselves — such as keeping software and anti-virus up to date.
“We need to, as a nation and as an IT eco-system, continue to make it more simple for people to institute protections to determine if they’ve been compromised and to make sure they stay secure,” said Reitinger, a former Microsoft executive.
Civil liberties were also a concern of the panelists as they discussed privacy issues around the government’s implementation of Einstein 1 and 2 — programs designed to help monitor and protect government civilian networks — and Einstein 3, which the National Security Agency is currently developing for the same purpose.
Civil libertarian groups have dogged the government about a lack of transparency in how the programs collect, monitor and distribute data.
James Baker, associate deputy attorney general, said the Justice Department had done extensive legal analysis of Einstein 2 and made the department’s Office of Legal Counsel opinions regarding the matter publicly available.
“Our analysis of that program is that it does comply with the Fourth Amendment and . . . meets the various statutory requirements that are out there,” he told the panel. “In terms of minimization and use of the information, . . . there are procedures in place . . . to ensure that personally identifiable information generated from that program are handled appropriately.”
Reitinger said that DHS provides privacy and civil liberties training for those with the U.S. Computer Emergency Readiness Team who are responsible for implementing Einstein. He also said that the DHS’s Office of Cybersecurity and Communications has an oversight officer whose job is to ensure compliance with the rules.
“We have received some praise for our privacy impact assessments with Einstein 1 and 2,” he noted. “It is our intention to be as transparent as possible [with Eintstein 3].
But Gregory Nojeim, senior counsel for the Center for Democracy and Technology, told the panel, “We object to the secrecy that has shrouded the Einstein programs.”
Excessive secrecy, he said, “undermines public trust and communications carrier participation, both of which are essential to the success of this and other cyber security initiatives.”
He called for independent audits “to ensure that Einstein does not inadvertently access private-to-private communications. ”
One panelist, Larry Wortzel a retired army intelligence officer, made the case for the NSA to take the lead on the government’s cyber security initiatives, despite the agency’s public stance that it has no interest in assuming the position.
Senator Sheldon Whitehouse (D – Rhode Island) left the panelists with several questions to ponder about the NSA, asking them to provide responses in writing at a later date
“If, in fact, the NSA has technical capabilities beyond those of the providers, why should you be relying on the providers in areas where the NSA actually has greater capability” he asked.
Why should the NSA only be invited into a provider’s network in certain situations when the NSA might be in a better position than the provider to know when it’s under attack And how can the relationship between providers and the NSA be anything but ongoing and continuous when cyberattacks are unremitting, he added.