December 3, 2008 2:59 PM PST

DHS needs fresh ideas on cybersecurity, experts say

by Stephanie Condon

The Department of Homeland Security is too reactionary to cybersecurity threats, policy experts said Wednesday, and needs to develop stronger incentives for the private sector to take preventative measures against cyberthreats.

The DHS cybersecurity initiative has come under heavy criticism, and some have suggested responsibility for cybersecurity be shifted to the White House. Panelists at a roundtable discussion Wednesday hosted by the House of Representatives' Homeland Security Committee agreed there could be stronger leadership, but they emphasized that there are potentially more effective means of improving the nation's response to cyberthreats.

"I personally don't believe you can designate some person and say, 'You're responsible for securing the nation's computers,'" said Marc Rotenberg, executive director of the Electronic Privacy Information Center. "At the ground level, we're going to have the right system of incentives."

Those incentives could be legislative, he said, such as encryption requirements for electronic health records.

Regardless of how the government encourages network managers to protect their systems, it will be critical for the private and public sector to work together, panelists said.

"We're going to need encouragement so that there are incentives in place to invest the money necessary to make sure your machines are up to date, patched, and firewalled," said Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University. "Increasingly we need to worry about security as something we can convince others to engage in."

Marc Rotenberg, executive director of the Electronic Privacy Information Center

(Credit: Electronic Privacy Information Center)

If the private sector and private citizens are expected to cooperate with the government's cybersecurity efforts, they need to trust it, panelists added. That requires more accountability and clearer missions for programs like "Einstein 2," the department's new intrusion detection system.

"The key point to understand is when we're looking at government surveillance, we need to know the reason for it," Rotenberg said. "If it's purely for security purposes, we would say that's OK, but it has to be solely for that purpose with a means of accountability."

The country also needs to take a more forward-looking approach to cybersecurity, the panelists said. Privacy implications should be considered from the very start of the development of security technologies, said Carol DiBattiste, senior vice president of privacy, security, compliance and government affairs for LexisNexis Group. Then, the government can develop policies around the technologies.

A more forward-looking approach should also include some creative thinking, Rotenberg said, such as devising ways to verify a person's identity without revealing their personal information.

"There ought to be more thinking of a strategic vision not just for the (Homeland Security Department) as a whole, but for each of its initiatives," Cate said. "What are the 10 top cybersecurity threats? Let's deal with those. The impetus to do something should not be stronger than the impetus to do something intelligent or thought through."

Stephanie Condon is a staff writer for CNET News focused on the intersection of technology and politics. She is based in Washington, D.C.
by Solaris_User December 3, 2008 3:18 PM PST
The Department of Homeland Stupidity needs to disappear.

I don't want the government anywhere near the internet. Let private companies continue to provide products that secure computers as we have been doing... since we had computers. They are apparently much better at it than government. Remember all the FBI hacks that used to go on? Do they even have e-mail working yet?
by n3td3v December 3, 2008 5:48 PM PST
Yup, disband the DHS... let government departments organise their own cyber security operations individually.
by Harrison912 December 4, 2008 10:05 AM PST
I'm not so quick to say we need to disband the DHS, but I don't think we need them legislating our computer security. When that happens, the small business owner, like me, gets stuck with a huge financial liability in order to comply with legislated standards. It could put my safety and security web site out of business altogether.
by chash360 December 4, 2008 12:41 PM PST
There needs to be strict standards enforcement in software design. These standards need to include that no system connected to a network will execute code directly transmitted over the network. Executable code should always be transmitted as static data, then installed on the system in question by the user or administrator of that system, in such a manner as it can be scanned and tested for malicious behavior without access to the network. It is violations of standards that have allowed this rampant distribution of malware in the first place. Straight HTML 1.1 (no scripting, no ActiveX, no Java, etc.) is still perfectly capable of 90% of the things we do over the internet, and can be completely secure from remote hacking. All these new things that have arrived out there are purely for the ease on the programmers/architects to eliminate the complexity of how to accomplish the same things following strict security principles, of static data transmitted in autonomous transactions. If security was always the priority 1 in code design we would not be vulnerable to most of the cyberthreats that exist. The remaining amount is in the way kernels handle errors, not properly checking for buffer boundaries, isolating processes, and cleaning up their garbage when they crash (I believe this to be intentional; software has no moving parts, it does not wear out, every security vulnerability that exists was in the software to begin with, if they truly fixed it, it would be fixed forever). This would not prevent innovation, nor necessitate the need for government backdoors and surveillance that violates any kind of privacy. They created the disease, and are trying to force you into a treatment (not a cure) that compromises your security and privacy. Eliminate the potential for the problem, and you won't have to waste time trying to fight it all the time.

DHS is not the agency that can accomplish this.
by Cosmo_deMedici December 4, 2008 10:20 PM PST
From: Deep Inside the Capitol Beltway
To: America

Calling the folks who served on the one-sided panels at Chairman Bennie (I need more business in MS and don't bother me with national security) Thompson's forum experts is the equivalent of agreeing that Fox News is completely fair and unbiased. Chairman Thompson and most of the folks on the panels were more after scoring political points using misinformation and the inflammatory rhetoric. I was there!

Wishing DHS away is pointless, as is having a pre-September 11th mentality; both are non-starters with real world politics. DHS's role is to coordinate on cybersecurity and the internet that the U.S. Government sponsored/created - carrots and sticks would be a nice addition to help do that, but don't count on it. Congress has NOT finished passing legislation for the 9-11 Commission recommendations, and they will not get all the OLD BULLS (Committee Chairmen) to agree.

Only DHS can do this, as the only other Federal agency that knows cyber better is DoD. So pick DOD and say "Oh Well, I wasn't using my civil liberties anyway." At least DHS is a law enforcement based organization that knows the limit of its authority (every cop knows it - the question is do they cross it).

Moreover, DHS has done more for PRIVACY than the law requires - they apply citizen rules to everyone's data. Y'all think Congress is going to update the PRIVACY Act? Get Real, we will be lucky if we get E-Gov reauthorized.