Cybersecurity

Is government doing too much on cyber-response?

world map

Large, private-sector firms would be better first responders than government agencies in the event of a systemic -- cyberattack, according to a report released April 16 by the Atlantic Council.

"Governments must understand their limitations when it comes to managing cyber risk," the report said. "They cannot scale as easily as the private sector, and lack agility and subject matter expertise."

The U.S. government is best as a facilitator and funder of cybersecurity response, Jason Healey, the report's lead author, said in an interview.

DHS's approach to incident response, including its National Cyber Incident Response Plan, is generally a "classic chain-of-command" model and not mapped closely enough to how cyber-attacks actually unfold, said Healey, who is director of the Atlantic Council's Cyber Statecraft Initiative. The Atlantic Council is a nonpartisan, Washington-based nonprofit focused on international affairs.

Federal resources are best spent funding private-sector R&D, he added, rather than the government itself trying to keep pace with advances in cybersecurity.

Healey pointed to the Financial Services Information Sharing and Analysis Center as an example of a successful public-private partnership on the issue. The center, comprised of banks and other financial firms, was "losing relevance," the Atlantic Council report said, until it received a $2 million grant from the Treasury Department in 2003. Today FS-ISAC is repelling Iranian distributed denial-of-service (DDOS) attacks, Healey noted.

To prevent a cyberattack from spiraling into a global contagion, there needs to be a better mechanism for global, public-private cooperation in place, Healey argued. The report offered a spinoff of the Group of 20 economies to fill the void. The "G-20+20 Cyber Stability Board," an idea inspired by Microsoft, would convene 20 governments and 20 large technology and telecom firms that contribute a bulk of the world's Internet traffic to draft cybersecurity principles.

"Such an idea could go beyond a single set of principles to a larger plan for risk management to deal with cyber shocks, with the financial sector as a model," the report stated.

The 2008-2009 global financial crisis is a cautionary tale for handling cyber risk today, Healey and the other report authors warned.

Healey, speaking April 16 about the report's findings, asked: "Why should we suspect that a cloud service provider is any more or less likely to be there from one week to the next than a bank like Lehman that had been around for over 100 years?"

The possibility of a "Lehman moment" for IT is looking less far-fetched with the public revelation of the Heartbleed OpenSSL flaw April 7, he added.

About the Author

Sean Lyngaas is a staff writer covering defense, cybersecurity and intelligence issues. Connect with him on Twitter: @snlyngaas.

Who's Fed 100-worthy?

Nominations are now open for the 2015 Federal 100 awards. Get the details and submit your picks!

Featured

Reader comments

Sun, Apr 20, 2014

Yes. The security component of any/every agency could bankrupt the agency if they got half of what they want. Add to it that each agency's IT component would be seen to hate the people they serve and you have a bankrupt agency with people who loath IT. Congress needs to find a way for each agency's non-IT component to want and need the security and beg the IT component to provide it. Short of that it's a waste of time and a no-win for IT.

Fri, Apr 18, 2014

The government need to work on contingency plans, and to know went and how to implement them. Given a worse cast scenario what do they do? On another note; government research in academia is too scatter about and not fully leveraged. This is not as much the fault of academia as it is the government. Too many silos being overseen by ...

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above