The Department of Homeland Security is too reactionary to cybersecurity threats, policy experts said Wednesday, and needs to develop stronger incentives for the private sector to take preventative measures against cyberthreats.
The DHS cybersecurity initiative has come under heavy criticism, and some have suggested responsibility for cybersecurity be shifted to the White House. Panelists at a roundtable discussion Wednesday hosted by the House of Representative's Homeland Security Committee agreed there could be stronger leadership, but they emphasized that there are potentially more effective means of improving the nation's response to cyberthreats.
"I personally don't believe you can designate some person and say, 'You're responsible for securing the nation's computers,'" said Marc Rotenberg, executive director of the Electronic Privacy Information Center. "At the ground level, we're going to have the right system of incentives."
Those incentives could be legislative, he said, such as encryption requirements for electronic health records.
Regardless of how the government encourages network managers to protect their systems, it will be critical for the private and public sector to work together, panelists said.
"We're going to need encouragement so that there are incentives in place to invest the money necessary to make sure your machines are up to date, patched, and firewalled," said Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University. "Increasingly we need to worry about security as something we can convince others to engage in."
If the private sector and private citizens are expected to cooperate with the government's cybersecurity efforts, it needs to trust them, panelists added. That requires more accountability and clearer missions for programs like "Einstein 2," the department's new intrusion detection system.
"The key point to understand is when we're looking at government surveillance, we need to know the reason for it," Rotenberg said. "If it's purely for security purposes, we would say that's OK, but it has to be solely for that purpose with a means of accountability."
The country also needs to take a more forward-looking approach to cybersecurity, the panelists said. Privacy implications should be considered from the very start of the development of security technologies, said Carol DiBattiste, senior vice president of privacy, security, compliance and government affairs for LexisNexis Group. Then, the government can develop policies around the technologies.
A more forward-looking approach should also include some creative thinking, Rotenberg said, such as devising ways to verify a person's identity without revealing their personal information.
"There ought to be more thinking of a strategic vision not just for the (Homeland Security Department) as a whole, but for each of its initiatives," Cate said. "What are the 10 top cybersecurity threats? Let's deal with those. The impetus to do something should not be stronger than the impetus to do something intelligent or thought through."