Analysis: Gov't must 'modernize' cyber defense

Thursday - 2/9/2012, 6:14pm EST

Even as the House and Senate debate various proposals for cybersecurity legislation, the cyber environment is rapidly changing, one expert says.

Larry Clinton, the president of the Internet Security Alliance, testified before the House Energy and Commerce subcommittee Wednesday on the evolving cyber threat and the role of the private sector in responding to it.

In his remarks, Clinton, who joined In Depth with Francis Rose for an interview, said government and industry need to "modernize our notion of what constitutes cyber defense," and that the biggest challenge isn't technological but economic. "The single biggest problem in combating cyber threat is not technical, it is cost," Clinton told the committee.

He described a "dramatic change" in the cyber threat over the past two years.

Rise of the APT

"Our main concerns are not 'hackers' or kids in basements," he told the House panel. "The fact that a cyber system has been 'breached' is no longer the metric that determines a successful cyber attack."

Instead, Clinton pointed to increasingly sophisticated individuals and groups, including "hacktivists," and rival nation-states. Taken together, this constitutes what cyber experts refer to as the Advanced Persistent Threat (APT), he added.

"These are the pros," he told In Depth. "They're highly educated, well-funded, well-organized, often nation-state-supported hackers using whole suites of very sophisticated that will compromise any system that they target."

In his House testimony, Clinton said the APT-style attacks have become "the major focus" of many in the private sector, in no small part because these sophisticated hackers have branched out from the defense sector in looking for potential targets.

"So we need to really rethink our notion of cybersecurity," he told In Depth. "A perimeter defense doesn't work anymore. We need to focus on the technology and the economics and come up with a more engaging and modern system of cyber defense."

While a more robust cyber defense doesn't only boil down to how much money is spent, Clinton called the numbers "dramatic."

The private sector spends about $80 billion a year, he said, citing recent statistics from the Ponemon Institute. "By comparison, the Department of Homeland Security's entire budget — not cyber but their entire budget — is $57 billion," he added. "We need to find a way to manage our costs to keep up our defenses."

RELATED STORIES:

Agency cyber shortfalls not just a problem of funding

Bill to establish cyber sharing nonprofit clears House subcommittee

Cyber bill clears House Homeland Security subcommittee