Cybersecurity

Is government doing too much on cyber-response?

world map

Large, private-sector firms would be better first responders than government agencies in the event of a systemic -- cyberattack, according to a report released April 16 by the Atlantic Council.

"Governments must understand their limitations when it comes to managing cyber risk," the report said. "They cannot scale as easily as the private sector, and lack agility and subject matter expertise."

The U.S. government is best as a facilitator and funder of cybersecurity response, Jason Healey, the report's lead author, said in an interview.

DHS's approach to incident response, including its National Cyber Incident Response Plan, is generally a "classic chain-of-command" model and not mapped closely enough to how cyber-attacks actually unfold, said Healey, who is director of the Atlantic Council's Cyber Statecraft Initiative. The Atlantic Council is a nonpartisan, Washington-based nonprofit focused on international affairs.

Federal resources are best spent funding private-sector R&D, he added, rather than the government itself trying to keep pace with advances in cybersecurity.

Healey pointed to the Financial Services Information Sharing and Analysis Center as an example of a successful public-private partnership on the issue. The center, comprised of banks and other financial firms, was "losing relevance," the Atlantic Council report said, until it received a $2 million grant from the Treasury Department in 2003. Today FS-ISAC is repelling Iranian distributed denial-of-service (DDOS) attacks, Healey noted.

To prevent a cyberattack from spiraling into a global contagion, there needs to be a better mechanism for global, public-private cooperation in place, Healey argued. The report offered a spinoff of the Group of 20 economies to fill the void. The "G-20+20 Cyber Stability Board," an idea inspired by Microsoft, would convene 20 governments and 20 large technology and telecom firms that contribute a bulk of the world's Internet traffic to draft cybersecurity principles.

"Such an idea could go beyond a single set of principles to a larger plan for risk management to deal with cyber shocks, with the financial sector as a model," the report stated.

The 2008-2009 global financial crisis is a cautionary tale for handling cyber risk today, Healey and the other report authors warned.

Healey, speaking April 16 about the report's findings, asked: "Why should we suspect that a cloud service provider is any more or less likely to be there from one week to the next than a bank like Lehman that had been around for over 100 years?"

The possibility of a "Lehman moment" for IT is looking less far-fetched with the public revelation of the Heartbleed OpenSSL flaw April 7, he added.

About the Author

Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.

Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.

Click here for previous articles by Lyngaas, or connect with him on Twitter: @snlyngaas.


FCW in Print

In the latest issue: Looking back on three decades of big stories in federal IT.

Featured

  • FCW @ 30 GPS

    FCW @ 30

    Since 1986, FCW has covered it all -- the major contracts, the disruptive technologies, the picayune scandals and the many, many people who make federal IT function. Here's a look back at six of the most significant stories.

  • Shutterstock image.

    A 'minibus' appropriations package could be in the cards

    A short-term funding bill is expected by Sept. 30 to keep the federal government operating through early December, but after that the options get more complicated.

  • Defense Secretary Ash Carter speaks at the TechCrunch Disrupt conference in San Francisco

    DOD launches new tech hub in Austin

    The DOD is opening a new Defense Innovation Unit Experimental office in Austin, Texas, while Congress debates legislation that could defund DIUx.

  • Shutterstock image.

    Merged IT modernization bill punts on funding

    A House panel approved a new IT modernization bill that appears poised to pass, but key funding questions are left for appropriators.

  • General Frost

    Army wants cyber capability everywhere

    The Army's cyber director said cyber, electronic warfare and information operations must be integrated into warfighters' doctrine and training.

  • Rising Star 2013

    Meet the 2016 Rising Stars

    FCW honors 30 early-career leaders in federal IT.

Reader comments

Sun, Apr 20, 2014

Yes. The security component of any/every agency could bankrupt the agency if they got half of what they want. Add to it that each agency's IT component would be seen to hate the people they serve and you have a bankrupt agency with people who loath IT. Congress needs to find a way for each agency's non-IT component to want and need the security and beg the IT component to provide it. Short of that it's a waste of time and a no-win for IT.

Fri, Apr 18, 2014

The government need to work on contingency plans, and to know went and how to implement them. Given a worse cast scenario what do they do? On another note; government research in academia is too scatter about and not fully leveraged. This is not as much the fault of academia as it is the government. Too many silos being overseen by ...

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group