The President of the Internet Security Alliance told the House Committee on Telecommunications and The Internet today that our electronic infrastructure is in serious danger, but that 85-90% of security breaches could be averted if due diligence and already existing industry best practices were followed.
“Congress does not need to create or mandate new security standards,” said Larry Clinton. “The principal problem is that we don’t implement the procedures that we already know will work. Congress’ job in the 21st Century is to provide the market incentives needed so that industry, which owns and operates the vast majority of the Internet, will make the investments needed to go beyond their own corporate needs and make additional investments that address national security concerns.”
“Cyber security cannot be understood without taking into account the economics,” said Clinton. “However, when it comes to cyber security all the economic incentives are on the side of the attacker. Attacks are relatively easy and cheap, the defensive perimeter is virtually endless and security measures are expensive.”
Moreover, according to Clinton, due to the distributed nature of the Internet, the owner of the system that is the source of a vulnerability is not necessarily the target of the attack. As a result, a particular organization will invest only to secure its own borders while other connected systems remain vulnerable. “We need to design a practical and sustainable system of security,” Clinton said.
Clinton said that the dangers to our system are enormous. “The problems are more serious than the loss of personal data,” Clinton said. “Our entire power system could be compromised and our military weapons could be configured to attack us instead of our intended targets. This is a matter of national security,” Clinton said. Clinton cited two elements of good news. First, the Obama Administration seems to understand the inherent tie between cyber security and economics, and second, we actually know a lot about how to deal with cyber attacks.
Citing sources as diverse as public comments from the CIA and empirical research, Clinton identified a set of best practices and standards which could be used to prevent or mitigate up to 90% of cyber attacks.
ISAlliance then outlined a detailed model of how government could structure a system of market incentives to motivate industry to make investments, beyond their corporate interest, in the national interest. “We have multiple incentives, ranging from insurance to liability protections to awards programs, which we have used successfully in other areas of the economy and which we ought to try with respect to cyber security,” Clinton said.