Cybersecurity

Is government doing too much on cyber-response?

world map

Large, private-sector firms would be better first responders than government agencies in the event of a systemic -- cyberattack, according to a report released April 16 by the Atlantic Council.

"Governments must understand their limitations when it comes to managing cyber risk," the report said. "They cannot scale as easily as the private sector, and lack agility and subject matter expertise."

The U.S. government is best as a facilitator and funder of cybersecurity response, Jason Healey, the report's lead author, said in an interview.

DHS's approach to incident response, including its National Cyber Incident Response Plan, is generally a "classic chain-of-command" model and not mapped closely enough to how cyber-attacks actually unfold, said Healey, who is director of the Atlantic Council's Cyber Statecraft Initiative. The Atlantic Council is a nonpartisan, Washington-based nonprofit focused on international affairs.

Federal resources are best spent funding private-sector R&D, he added, rather than the government itself trying to keep pace with advances in cybersecurity.

Healey pointed to the Financial Services Information Sharing and Analysis Center as an example of a successful public-private partnership on the issue. The center, comprised of banks and other financial firms, was "losing relevance," the Atlantic Council report said, until it received a $2 million grant from the Treasury Department in 2003. Today FS-ISAC is repelling Iranian distributed denial-of-service (DDOS) attacks, Healey noted.

To prevent a cyberattack from spiraling into a global contagion, there needs to be a better mechanism for global, public-private cooperation in place, Healey argued. The report offered a spinoff of the Group of 20 economies to fill the void. The "G-20+20 Cyber Stability Board," an idea inspired by Microsoft, would convene 20 governments and 20 large technology and telecom firms that contribute a bulk of the world's Internet traffic to draft cybersecurity principles.

"Such an idea could go beyond a single set of principles to a larger plan for risk management to deal with cyber shocks, with the financial sector as a model," the report stated.

The 2008-2009 global financial crisis is a cautionary tale for handling cyber risk today, Healey and the other report authors warned.

Healey, speaking April 16 about the report's findings, asked: "Why should we suspect that a cloud service provider is any more or less likely to be there from one week to the next than a bank like Lehman that had been around for over 100 years?"

The possibility of a "Lehman moment" for IT is looking less far-fetched with the public revelation of the Heartbleed OpenSSL flaw April 7, he added.

About the Author

Sean Lyngaas is a former FCW staff writer.

Featured

  • Defense
    The U.S. Army Corps of Engineers and the National Geospatial-Intelligence Agency (NGA) reveal concept renderings for the Next NGA West (N2W) campus from the design-build team McCarthy HITT winning proposal. The entirety of the campus is anticipated to be operational in 2025.

    How NGA is tackling interoperability challenges

    Mark Munsell, the National Geospatial-Intelligence Agency’s CTO, talks about talent shortages and how the agency is working to get more unclassified data.

  • Veterans Affairs
    Veterans Affairs CIO Jim Gfrerer speaks at an Oct. 10 FCW event (Photo credit: Troy K. Schneider)

    VA's pivot to agile

    With 10 months on the job, Veterans Affairs CIO Jim Gfrerer is pushing his organization toward a culture of constant delivery.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.