All talk and no action (so far) on cyber threats

The heat is on lawmakers to take action on cybersecurity, and federal officials warn that keeping cyber policy on ice amid political wrangling will continue to be a costly gamble.

Although the United States does, according to top government officials, have the means to defend its interests in cyberspace, there’s a dearth of cutting-edge policies, tools and talent. As a result, widespread theft of intellectual property and other cyber crimes are all too common, and it could be only a matter of time before disruptive activity evolves into destruction.

“I’m concerned that attacks like that are coming, and we’re spending a lot of time talking about what we should do when we should just do it. We ought to argue it out like we did in the election yesterday but then come to a solution and get going,” said Gen. Keith Alexander, commander of the U.S. Cyber Command and director of the National Security Agency, Nov. 7 at the Symantec Government Symposium in Washington. “From my perspective, we can defend this space. We can secure it better than it is today, and we’re stuck at the starting line. We ought to get on with it. I believe that’s the push you’re going to see from the administration and Congress, and it should be the push from the American people.”

Although it remains to be seen whether that push will indeed come from the White House and Congress, Alexander is not the only government official to note the danger resulting from a lack of a definitive cybersecurity policy.

“That’s the challenge of cyberspace: The enemy can take shots all day long, but legally, there are limits to what we can do,” said Brian Varine, director of incident management at the Energy Department’s Joint Cybersecurity Coordination Center. “We know we’re bringing a knife to the gunfight.”

According to other officials, the laws that do exist — including the Federal Information Security Management Act — do not adequately address today’s threats.

“One of the things about the [current] laws is that you have to be an attorney to interpret them,” said Kenneth Brodie, chief information security officer at the Air Force’s Office of Information Dominance and CIO. “But cyber laws need to be more risk-focused and less compliance-focused. The way FISMA is, it’s checking a box and…looking at compliance. The cyber laws need to be hard-core written to address risk management activities and not compliance-based activities.”

A risk management strategy is central to cybersecurity in government networks, where vulnerabilities must be prioritized based on murky legalities and policies — and resource shortages, officials said.

“We are not going to be able to secure every system and every company,” said Jenny Menna, director of the Stakeholder Engagement and Cyber Infrastructure Resilience Division at the Department of Homeland Security and former acting director of the U.S. Computer Emergency Readiness Team at DHS. “Those need to be risk-based decisions. How critical is the system? How critical is the data? What would happen if the network was compromised or destroyed? That’s a decision we need to make as a federal government for our own networks, and they are also decisions companies need to make in the same way they make other risk-based decisions. Where the government needs to come into play there is providing the threat information…so they can make informed risk management decisions as quickly as possible.”

According to Alexander, those decisions need to happen sooner rather than later.

“What we have is a huge concern: theft by crime, theft of intellectual property and now disruption, destruction coming on these networks. And we’ve got to address that,” said Alexander, who cited a number of recent high-profile security breaches, including one at Saudi Arabian Oil Co. “Everybody is getting hit. Everybody is being exploited. From my perspective, this is huge.”