Cybersecurity

Is government doing too much on cyber-response?

world map

Large, private-sector firms would be better first responders than government agencies in the event of a systemic -- cyberattack, according to a report released April 16 by the Atlantic Council.

"Governments must understand their limitations when it comes to managing cyber risk," the report said. "They cannot scale as easily as the private sector, and lack agility and subject matter expertise."

The U.S. government is best as a facilitator and funder of cybersecurity response, Jason Healey, the report's lead author, said in an interview.

DHS's approach to incident response, including its National Cyber Incident Response Plan, is generally a "classic chain-of-command" model and not mapped closely enough to how cyber-attacks actually unfold, said Healey, who is director of the Atlantic Council's Cyber Statecraft Initiative. The Atlantic Council is a nonpartisan, Washington-based nonprofit focused on international affairs.

Federal resources are best spent funding private-sector R&D, he added, rather than the government itself trying to keep pace with advances in cybersecurity.

Healey pointed to the Financial Services Information Sharing and Analysis Center as an example of a successful public-private partnership on the issue. The center, comprised of banks and other financial firms, was "losing relevance," the Atlantic Council report said, until it received a $2 million grant from the Treasury Department in 2003. Today FS-ISAC is repelling Iranian distributed denial-of-service (DDOS) attacks, Healey noted.

To prevent a cyberattack from spiraling into a global contagion, there needs to be a better mechanism for global, public-private cooperation in place, Healey argued. The report offered a spinoff of the Group of 20 economies to fill the void. The "G-20+20 Cyber Stability Board," an idea inspired by Microsoft, would convene 20 governments and 20 large technology and telecom firms that contribute a bulk of the world's Internet traffic to draft cybersecurity principles.

"Such an idea could go beyond a single set of principles to a larger plan for risk management to deal with cyber shocks, with the financial sector as a model," the report stated.

The 2008-2009 global financial crisis is a cautionary tale for handling cyber risk today, Healey and the other report authors warned.

Healey, speaking April 16 about the report's findings, asked: "Why should we suspect that a cloud service provider is any more or less likely to be there from one week to the next than a bank like Lehman that had been around for over 100 years?"

The possibility of a "Lehman moment" for IT is looking less far-fetched with the public revelation of the Heartbleed OpenSSL flaw April 7, he added.

About the Author

Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.

Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.

Click here for previous articles by Lyngaas, or connect with him on Twitter: @snlyngaas.


Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.