Experts: DoD should share more cyber info

Monday - 2/14/2011, 7:05am EST

By Jared Serbu
Reporter
Federal News Radio

Lawmakers were told Friday that they should ensure that the Defense Department restricts itself to the military networks when it comes to active cybersecurity efforts, while the Department of Homeland Security should handle protection of the rest of the federal government's networks.

That setup represents DoD's own view on cybersecurity, and it is the status quo. But there was also a recognition Friday among a panel of three information security and policy experts testifying before the House Armed Services subcommittee on emerging threats and capabilities that the nation as a whole has a lot of work to do on cybersecurity, and that building federal capabilities could lead to mission creep.

Gregory Nojeim, Director of the Project on Freedom, Security and Technology at the Center for Democracy and Technology, told members of Congress they should resist any temptation to extend the military's cyber authority into civilian and private networks. Instead, he said, Congress should encourage DoD to share its own threat information with private network operators.

"Some people have said that maybe the government should have authority to order the shutdown of internet traffic to a critical infrastructure system," Nojeim said. "But that authority, when you really think that through, would only be exercised when the person who owns or operates that system thinks that it ought not to be shut down. And they have a strong incentive to protect their system when it's in danger. They do that right now. I think the question we have to ask is whether the government would have superior information that would inform that decision. I think if so, that information ought to be shared."

The hearing focused on DoD not just because it's charged with the nation's defense, but because it has broad, well-developed expertise in cybersecurity as well as real-time information on threats. Gerry Cauley, CEO of the North American Electric Reliability Corporation, told the subcommittee that industry needs to have access to that kind of information.

"I myself have a top secret clearance, so I've been to some of the briefings and understood more than I have in the past," he said. "It's serious stuff going on out there. The Department of Defense has a much richer understanding of the ongoing cyber warfare than we have in the private sector. The tendency is, because it's a war, to keep it in the military and not share it. I think we have to figure out how to overcome that a bit."

Dr. Shari Pfleeger, Director of Research at Dartmouth's Institute for Information Infrastructure Protection, pointed to another potential pitfall when it comes to giving government cybersecurity authority over private networks. She said that since individual problems on a network develop rapidly and information about what's happening is often scarce in the first few minutes of an incident, there is a danger that acting without enough information could create new problems.

She imagined a situation in which a government agency monitoring the nation's networks saw what it believed to be a cyber attack and took action on that basis, when in fact the cause of the problem was a failure of networking equipment.

"Therefore I think it makes a lot more sense to look from a preventive point of view at things like our critical infrastructure and look at more diversity, look at redundancy and look at ways to ensure that if we do have some sort of attack we can come back up in some manner that allows the Defense Department as well as private enterprise to function while we figure out what's happening and apply fixes. I think in-advance preventive measures might be more effective than just having a blanket ability for DoD to take over something that it's not used to running," she said.

Pfleeger said developing new channels for sharing information with network operators could be relatively easy, given that DoD already has a great deal of experience with exchanging information with non-governmental entities in a secure way.

"There is a model that seems to be working that the Defense Department is already using called the defense industrial base, where collaboratively, the major defense contractors come together to share their cyber experiences and to share the things they've done in order to address any kind of cyber problems," she said.

While most of that shared information would have to be classified, Nojeim said that problem could be dealt with as well.

"The government should expect and should help the telecommunications carrier have people on staff who can handle classified information," he told the subcommittee. "If there's a gap there and the right ones don't have the right people, that's something the committee ought to pay particular attention to."