The president of one of the world’s biggest computer security vendors says he is skeptical that a stronger government role in cyberdefense will abate the growing number of attacks.
In an interview with IDG News Service, Amit Yoran, president of RSA, also rejected calls by U.S. intelligence chiefs for industry to tread carefully in deploying more encryption in case it cuts off their ability to eavesdrop on communications by suspected criminals.
“The government is not the answer here,” he said, when asked about White House proposals for sharing of cybersecurity information. Despite the growing severity of attacks and a feeling that the government should “do something,” the issue is best left to private companies, because they are the ones developing networks and the technology that defends them, he said.
“Nobody is going to say information sharing is bad, but I’ve yet to see what is being asked to share by whom, for what purpose, to which parties, how will it be protected, how will it be used and then what is the value proposition back for sharing information,” Yoran said.
Instead, he said the government might better help by sharing some of its own threat intelligence with the private sector.
Yoran’s comments might come as a surprise to some. A graduate of the U.S. military academy at West Point, he served in the Department of Homeland Security as national cybersecurity director for a year in 2003 and also helped found the Defense Department’s Computer Emergency Response Team. He’s been at RSA since 2011, when it acquired NetWitness, a company he started in 2006.
The proposed information-sharing hubs are part of the government’s response to the devastating cyberattack on Sony Pictures Entertainment last year. Less than three months after that attack, they were proposed by President Obama at a White House Cybersummit at Stanford University in February.
As envisioned, they would feed information into a central government clearing house that would coordinate among industries and various arms of government.
U.S. industries are bombarded with thousands of attacks each day, but these usually only make headlines when a large amount of personal information is stolen. Millions of Americans experienced the result of attacks last year when they had credit and debit cards reissued in the wake of breaches at retailers such as Target and Home Depot.
Despite acknowledging that the situation seems to getting worse with regard to cyberattacks, Yoran is also firmly against the government gaining the ability to block Internet traffic.
“Do we imply that the government is going to be intercepting and blocking what they believe to be attacks?,” he said. “Unless you are operating the system and you own the system and you know what it’s for … I don’t see how you can have any government entity take an operational role in defending the networks themselves.”
Many of these issues were at the fore last week, when industry experts gathered for the RSA Conference in San Francisco.
One of the conference speakers was Jeh Johnson, the Homeland Security Secretary, who addressed increased use of encryption in the last couple of years—something that has been largely triggered by revelations over U.S. intelligence collection programs.
“Encryption is making it harder for your government to find criminal activity, and potential terrorist activity,” said Johnson, before appealing to the crowd of security experts to “help find a solution.”
But Yoran isn’t persuaded.
“It’s absolutely the wrong direction, he said, underlining that this was his personal view. “By every measure, the increased use of technology has made intelligence collection and surveillance far greater and more effective than it has ever been before and reduced privacy by every possible measure.”
“Given how badly the security industry is being beaten by the bad guys, anything which in any way, shape or form reduces the effectiveness of protections available to network defenders is a step in the wrong direction,” he said.
Yoran, who describes himself as a “pretty sensitive privacy guy” has already made a move to encryption in his personal life. He said he stopped using What’s App when it was acquired by Facebook and started using Wickr, an instant messaging client that features end-to-end encryption and self-destructing messages.