How Government Can Improve Cyber-Security
In “How Can Government Improve Cyber-Security?” Ed Felten says:
Wednesday was the kickoff meeting of the Commission on Cyber Security for the 44th Presidency, of which I am a member. The commission has thirty-four members and has four co-chairs: Congressmen Jim Langevin and Michael McCaul, Admiral Bobby Inman, and Scott Charney. It was organized by the Center for Strategic and International Studies, a national security think tank in Washington. Our goal is to provide advice about cyber-security policy to the next presidential administration.
First, congratulations on the appointment, Ed! Given that Scott Charney is a chair, I want to be clear that, as always, my comments here are my own.
There are some great comments about economics and motivations, and I’d like to offer up a different answer, which is that the government can improve cybersecurity by helping us gather more and better data.
This is a normal and regular role of government. For example, the US government runs and publishes a census, a statistical abstract of the United States, the CIA produces their World Factbook, and the FBI produces Uniform Crime Reports, and the Department of Justice does a National Crime Victimization Survey.
In information security, we have a paucity of good information to help us make good decisions. For example, are insiders really responsible for 70% of all attacks?
Many of the data gathering processes that the government runs are obsessed with secrecy. CERT, ISACs and others sometimes publish statistics, but they’re sparse. Over the last few years, laws relating to reporting data breaches have sprung up in 39 states. Hackers at Attrition.org have assembled a database of over 800 breaches, and Privacy Rights Clearinghouse maintains a similar list. These lists contain specific data on what’s gone wrong at a wide variety of companies and institutions. There are two key lessons we can get from this.
The first key lesson is that many of our fears about what happens after a company is breached have turned out to be false. We have feared that companies will go out of business, people will lose their jobs, and customers will flee. Generally, these things happen only in extreme outliers, if at all. (Two companies have gone out of business; average customer churn is about 2%.)
The second lesson comes from studying the data itself. The dataloss list shows less selection bias, across a broader set of incidents, than any other public data I’ve ever seen.
So my goal for the 44th Presidency would be to overcome the fear that has held us back from having national cybercrime statistics, in the form of good law requiring breach disclosure.
By good law, I mean breadth of what must be reported on, no expensive and anti-consumer ‘trigger provisions,’ central reporting of detail, and publication of those details and summaries by an agency tasked with data sharing and advancing knowledge.
That said, congratulations on the appointment, and I’d be happy to delve deeper.
Thanks for a great suggestion, Adam. I’ll keep it in mind as the commission discusses what to recommend.
Without trying to be contrarian, I think that Adam described how the research community can improve computer security. That is not the same thing as how government can help.
More research is certainly good, but I am strongly of the opinion that our Internet security problem is not a lack of tools. Instead the problem is how to put the tools to use. After three decades of PK and fifteen years of the Web, we have three cryptographic security infrastructures that are deployed and used at approaching Internet scale (hundreds of millions to billions of users). One of these is SSL, another is Chip and PIN, the other is DVD-CSS. Only two of those systems actually work. WiFi security (WPA and WEP) is currently a runner-up.
One observation to make is that most ‘Internet’ crime isn’t. Phishing is not an Internet crime, it’s bank fraud. Deploy strong authentication in the credit card infrastructure and we take a big bite out of phishing fraud.
The question that only government can address is why Chip and PIN is deployed in Europe but not the US?
The answer the bankers give is that the economics of the credit card industry are very different, lots of issuers, few acquirers. That makes it hard to deploy a security measure where costs fall on the acquirer but the benefit goes to the issuer. Particularly when anti-trust laws make renegotiation of settlement fees impractical.
What government can do and no other party can do is to align responsibility to act with ability to act through regulation.
That said, I do have some questions about the composition of this group. Despite the title, it is clearly not a body appointed by the 44th President, since we don’t know who she is yet. What is the scope of the body? Is it only US nationals, or is it looking to experiences in other countries? This is very important in my view, because Internet crime has very different patterns in different countries across the world, and many of the differences are due to the impact of regulation.
At the very least, governments must become aware of the cyber-security implications of new regulations they make. The license plate story elsewhere on this blog illustrates how government actions can have unforeseen but entirely foreseeable impact.
PHB,
I think there is a component of government action that could be very helpful. Chris Walsh’s work in getting reports from New York State online has been expensive in his time and money, and has exposed issues with the Attrition and PrivacyRights data sets. New Hampshire putting their reports online allows people to do less work gathering data, and more work analyzing it.
I think it’s a reasonable function of government to collect and distribute data, and one which could enable a tremendous amount of valuable research.
Adam, I agree that government spending on research is good (my work was funded by five governments over the years), but suggesting this as THE way government needs to help frames the problem as a research problem.
I think we know what needs to be done, the big question is how to do it. How do we get from A to B?
Adam has an excellent point. In health and environmental risks we have standards for acceptable or hazardous risk. There are accepted methods for measuring risk. In finance there are also operational measures of risk.
I think if I hired two consultants and asked them to evaluate a small business network, I would get not just two approaches but also two units of measure. It is as if I asked someone “How big is it?” and the answers came back in weight and volume, with no understanding of how one might relate these via density. Security sometimes seems more like alchemy than chemistry.
We are in sad need of measures and metrics. Having some basic data would be a good start.