Is government doing too much on cyber-response?

Large, private-sector firms would be better first responders than government agencies in the event of a systemic -- cyberattack, according to a report released April 16 by the Atlantic Council.

"Governments must understand their limitations when it comes to managing cyber risk," the report said. "They cannot scale as easily as the private sector, and lack agility and subject matter expertise."

The U.S. government is best as a facilitator and funder of cybersecurity response, Jason Healey, the report's lead author, said in an interview.

DHS's approach to incident response, including its National Cyber Incident Response Plan, is generally a "classic chain-of-command" model and not mapped closely enough to how cyber-attacks actually unfold, said Healey, who is director of the Atlantic Council's Cyber Statecraft Initiative. The Atlantic Council is a nonpartisan, Washington-based nonprofit focused on international affairs.

Federal resources are best spent funding private-sector R&D, he added, rather than the government itself trying to keep pace with advances in cybersecurity.

Healey pointed to the Financial Services Information Sharing and Analysis Center as an example of a successful public-private partnership on the issue. The center, comprised of banks and other financial firms, was "losing relevance," the Atlantic Council report said, until it received a $2 million grant from the Treasury Department in 2003. Today FS-ISAC is repelling Iranian distributed denial-of-service (DDOS) attacks, Healey noted.

To prevent a cyberattack from spiraling into a global contagion, there needs to be a better mechanism for global, public-private cooperation in place, Healey argued. The report offered a spinoff of the Group of 20 economies to fill the void. The "G-20+20 Cyber Stability Board," an idea inspired by Microsoft, would convene 20 governments and 20 large technology and telecom firms that contribute a bulk of the world's Internet traffic to draft cybersecurity principles.

"Such an idea could go beyond a single set of principles to a larger plan for risk management to deal with cyber shocks, with the financial sector as a model," the report stated.

The 2008-2009 global financial crisis is a cautionary tale for handling cyber risk today, Healey and the other report authors warned.

Healey, speaking April 16 about the report's findings, asked: "Why should we suspect that a cloud service provider is any more or less likely to be there from one week to the next than a bank like Lehman that had been around for over 100 years?"

The possibility of a "Lehman moment" for IT is looking less far-fetched with the public revelation of the Heartbleed OpenSSL flaw April 7, he added.