
Feds Search for Cybersecurity Solutions

More money, not new laws, is the key to security, most experts agree.

WASHINGTON -- When it comes to improving cybersecurity, new laws are not necessarily the answer. That was the message on Wednesday at a House subcommittee hearing, as IT vendors recommended a variety of ways for the U.S. Congress to help the private sector deal with continuing cybersecurity problems. Few of those suggestions recommended legislation requiring action by private companies.

Panelists at a hearing before the House Government Reform Committee's Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census advanced several ideas on how the U.S. government could help secure cyberspace, including more money for cybersecurity law enforcement efforts and more government spending on security research and development.

Writing New Laws

But only three of 12 witnesses before the subcommittee hinted at legislation that would require private companies to take cybersecurity steps.

Public policy should "strongly encourage" the use of automated security patching tools, said Gerhard Eschelbeck, chief technology officer and vice president at Qualys, while Richard Pethia, director of the CERT Coordination Center at Carnegie Mellon University, suggested the U.S. government should use its buying power to include "code integrity" clauses in the software it buys and hold vendors accountable for defects.

Pressed by Representative William L. Clay Jr. (D-Missouri) on whether the government could raise the quality of software by creating some kind of minimum security standard in the software it buys, Christopher Wysopal, director of research and development at AtStake, agreed with Pethia because the U.S. government is one of the largest purchasers of software in the world.

"Acceptance testing for security is ... expensive and time-consuming, so no one really does it," Wysopal said. "If the federal government was to do that, the benefits would be for all the users of that software. The federal government could say, 'We spent a lot of money and tested this, and we rejected it. You need to go back to the drawing board and build something secure.' If that happens, all the other purchasers of software would think twice about buying it."

Making a List

Only one of the hearing's witnesses seemed to allude to an idea floated by the subcommittee's chairman, Representative Adam Putnam (R-Florida). Putnam is considering legislation that would require publicly traded companies to fill out a cybersecurity checklist in their reports to the U.S. Securities and Exchange Commission.

Such legislation wouldn't require specific actions of private companies, but supporters of such an approach say it would raise awareness of cybersecurity among chief executives and could force companies to make changes if investors or customers believe not enough items are checked on the cybersecurity checklist.

Cybersecurity has too long been left to a security administrator or chief information officer, said John Schwarz, president of security vendor Symantec. "This needs to change," Schwarz added. "Cybersecurity needs the attention of the top leadership of the business or government organization."

The Sarbanes-Oxley Act of 2002 forced companies to report to the SEC on their accounting practices, Schwarz said.

"The [Sarbanes-Oxley] legislation makes no mention of the importance of protecting the information systems that produce the data used in the financial management process," he added. "Only when cybersecurity is treated with the same attention as the protection of physical and financial assets can we enable the necessary cultural change and focus enough attention and resources to truly address the cyberthreat."

Cyberattacks Growing

Witnesses said the number of cyberattacks is growing and the attacks are becoming harder to stop. The SQL Slammer worm, for example, hit thousands of computers within 10 minutes of being unleashed in January, without the operators of those computers having to open e-mail, as was required with many older viruses.

Witnesses noted CERT tracked more than 4,000 computer vulnerabilities in 2002, compared to a total of 11,000 the center has tracked since 1988. Symantec counts 175 million probes for computer vulnerabilities every day, Schwarz said.

After the hearing, Putnam said the subcommittee is still considering its options for cybersecurity legislation that would affect private industry. He defended his SEC reporting requirement proposal, saying it would prompt companies to pay more attention to cybersecurity.

"It is the least blunt instrument, and the least regulatory approach, to achieving an end," Putnam said of the proposal.

Leaving a Legacy

The hearing was originally planned to cover the U.S. government's cybersecurity efforts, Putnam said, but it was expanded to include private industry's response after the Sobig.F and Blaster worm attacks on the Internet in August.

"This summer everyone--once again--realized just how vulnerable our computer networks are to cyberattack," Putnam said. "The Blaster worm and Sobig.F virus brought home the reality that unsecured computer systems are all too prevalent and that--as a nation--across all levels, government, business, and home users, we must take computer security more seriously."

At one point, Putnam, chatting with Microsoft senior security strategist Phil Reitinger, noted it's been "a bad month" for the software giant after the Blaster and Sobig worms hit Microsoft products. "It's been a tough several weeks at the office," Putnam said to Reitinger.

Reitinger told Putnam Microsoft is working hard on its Trustworthy Computing initiative that focuses on security all the way from the design to the deployment stage of its software. "Although we are working hard, much remains to be done," Reitinger said. "We accept our responsibility to create ever more secure software."

Other Suggestions

Other companies advanced other recommendations for preventing cyberattacks. Vincent Gulloto, vice president of the Anti-Virus Emergency Response Team at Network Associates, called on government to promote a culture of security by creating more public awareness and to support more cybersecurity research and development.

Putnam also questioned whether cyber criminals face lighter sentences for the damage they create than other criminals. He questioned why John Malcolm, deputy assistant attorney general at the Criminal Division of the U.S. Department of Justice, could only name a handful of cyber criminals who've been caught.

Putnam asked if investigators had a different attitude about going after cyber criminals, and Malcolm answered that they pursued cyber criminals with the same vigor as other criminals. But the Justice Department is constantly re-evaluating whether existing cybersecurity laws are adequate, Malcolm added.

"There are hundreds of viruses released every year ... but you can recall two arrests, two convictions," Putnam said to Malcolm. "I asked what was the source of the threat. 'We really don't know.' Was it foreign or domestic? 'We really don't know.' That seems to reinforce a premise that cybercrime is treated vastly different than some other crimes that caused significant damage."

Malcolm denied that law enforcement agencies have a "different approach, a different attitude, a different level of concern" about cybercrime, as Putnam said. Cyber criminals can be tough to track, and investigations can be complicated, Malcolm said, but their crimes are taken seriously.

"I would reject that premise totally," Malcolm said to Putnam. "The Department of Justice is well aware, as is the Department of Homeland Security, that cyber vulnerabilities are among the most critical problems we have."
