Empty Cybersecurity Slot, R&D Funding Top CSIA Complaints
The federal govt. scored a “D” or worse on 7 of 12 cybersecurity recommendations made in 2004 by the Cyber Security Industry Alliance (CSIA), the group said in its annual report. Despite progress -- like creating a Homeland Security Dept. (DHS) slot for cybersecurity & telecom issues (WID July 14 p1) and Senate committee action on the Council of Europe Cybercrime Convention (WID Dec 13 p3) -- the U.S. isn’t where it ought to be, experts said Tues. “Lack of leadership, priorities and execution” at the federal level is making the nation more vulnerable, CSIA Exec. Dir. Paul Kurtz said.
Months after DHS created an assistant secretary position for cybersecurity & telecom, the slot remains open. Warning he has no direct information about the fizzled recruitment process, Kurtz speculated DHS was distracted by the fall’s hurricanes. People in similar positions have “run into a lot of frustrations,” which might have alienated good candidates, Dunkelberger said. But that doesn’t mean DHS shouldn’t work on its outreach, he added.
The U.S. spends the most worldwide on R&D, but “we're behind in some places,” Lewis said. An earlier CSIA study credited the Defense Advanced Research Projects Agency (DARPA) with about half of technological advances since its creation, Kurtz said. Though venture capital firms have funded about 700 private firms that conduct R&D, the federal govt. is the driving force, Dunkelberger said. Kurtz said less than 2% of DHS R&D funds goes to cybersecurity, and that figure actually dropped this year. DHS was to take over DARPA’s cybersecurity research after 9/11, but that hasn’t happened, said Secure Computing Chmn. John McNulty. The President’s Information Technology Advisory Committee, which issued a report this year on cybersecurity R&D, wasn’t renewed (WID June 8 p3), Kurtz noted.
The Senate’s failure to ratify the Cybercrime Convention is the most baffling, Dunkelberger said: “It’s not about technology, it’s force of will.” The Foreign Relations Committee sent the treaty to the floor this summer (WID July 27 p3), where it has languished. Dunkelberger fumed at the pace: Phishing isn’t “cute,” it’s “fraud,” he said. Lewis said many arguments made against the treaty 2 years ago -- like creating an international “big brother” -- are reappearing. But without international cooperation, police worldwide lack the authority to coordinate against cybercriminals, he added.
Europe and Asia outpace the U.S. in privacy and security initiatives by govts., whereas “we tend to assume privacy in the United States” apart from govt. action, PGP Corp. CEO Phillip Dunkelberger said. China is pouring money into cybersecurity, he added. And transitions to IPv6 overseas are outpacing the U.S., a point made last week at the IPv6 Summit (WID Dec 9 p1). McNulty said his firm’s threat security suite is IPv6-ready because Japanese customers demand it.
U.S. initiatives are slow or ineffective: Progress is laudable, but “we're making the same mistakes” by making security an “add-on,” Kurtz said. The American Health Information Community (AHIC), which studies electronic health records (EHRs) for the Health & Human Services Dept., has no privacy or security expert, prompting a letter from CSIA, he said: “Ultimately the [EHR] system will not be used” if it doesn’t address such concerns before launch. And Homeland Security Presidential Directive (HSPD) 12 -- requiring a standard for “secure and reliable forms of identification” for govt. employees and contractors -- is a good idea, “but somewhat of a toothless tiger,” since it lacks dedicated funding, McNulty said. The final 9/11 Commission report highlighted the potential for strong authentication to spur data sharing between agencies, Kurtz said.
Lack of effort to get accurate estimates of costs from cyber incidents is a major hurdle to addressing security, speakers said. There’s no common methodology for estimating costs, although DHS funds a rough ongoing study “at a very small level,” Kurtz said. A DHS/Justice Dept. survey coming out in Jan. asks businesses to estimate how much cyberattacks have cost them, he added. Solomon said an oil company in the United Arab Emirates recently told him it lost $10 million in 15 minutes when its system went down -- information the U.S. desperately needs to prepare for attacks. A U. of Md. survey showed an immediate 5% drop in stock valuation after public companies reported data breaches, Lewis said.
Other grades in the CSIA report: (1) “Little to no action” on promoting corporate governance around IT, a “D.” (2) “Unclear” enforcement under the Federal Acquisition Regulation, requiring agencies to plan for security and seek advice from professionals, a “C.” (3) “Ds” for govt. limiting relevant data collection to national security systems, leaving the private sector out, and little information-sharing between govt. and private sector. (4) “F” to the Defense Dept. and DHS for refusing to share results from a study of how well the National Information Assurance Partnership promotes testing and standards for IT security. On a more positive note ("C"), the Energy Dept. and DHS are funding testbeds for Secure Digital Control Systems.
Cyber-education “needs to come back to the board level,” Solomon said. An FTC settlement with BJ’s Wholesale Club over poor network security (WID June 17 p9) -- in which the agency said BJ’s pleas of ignorance weren’t an excuse -- should give boards impetus to address security weaknesses, Kurtz said. DoJ could play a role by meeting with boards and stressing firms’ federal obligations, he added. McNulty said public awareness should be a greater priority, since good technology won’t overcome bad user practices in dealing with problems like phishing. Asked why cybersecurity infrequently is tied to national security in public appeals, Kurtz said CSIA doesn’t want business and individuals to think the issue is “Uncle Sam’s problem,” and therefore not worth their time.
One way for business and govt. to improve online security is telework programs, which, contrary to public opinion, offer safer communications, McNulty said. He described how a defense contractor told him he feels safer using his work computer at home because of its VPN tunnel and constant management by his firm’s IT dept.
Consumer Confidence Low in Cybersecurity
Nearly half (48%) of Internet users refuse to shop online out of fear “their financial information may be compromised,” the same percentage that shops online, CSIA’s first Digital Confidence Index (DCI) found. If 48% of Americans avoided their local mall for the same reason, would Congress dither, asked Citadel Security Software Chmn. Steven Solomon. Twice as many believe the govt. needs to make cybersecurity a higher priority (65%) than believe the govt. is doing the right amount (29%). The overall DCI average for consumer confidence of 58 is “less than a passing grade,” said James Lewis, Center for Strategic & International Studies dir.-technology & public policy.
Online security is now a big factor in customers’ leaving financial institutions, which “should scare the hell out of banks,” McNulty said. Dunkelberger defended encryption’s adequacy to safeguard information stored and in transit, and praised its expansive use in e-commerce, but said “a lot of holes in the fabric” remain. Only 5% of e-mail is encrypted, for example, he said. Kurtz hailed the best-practices tack to encryption in federal data-breach bills and Cal.’s pioneering law; neither mandates a particular technology, but each simply sets firms’ disclosure obligations if they don’t encrypt. The group wants a data-breach law passed next year that reaches beyond data brokers and preempts state law, but doesn’t mandate specific technologies. Its ideal spyware bill would protect antispyware vendors from “frivolous” lawsuits for removing software they believe in good faith to be spyware.
Citing the report, Homeland Security Committee Ranking Member Thompson (D-Miss.) slammed DHS Secy. Michael Chertoff by name for lagging on hiring a cybersecurity czar: “I… hope Mr. Chertoff doesn’t wait until a cyberattack causes billions of dollars in damages or results in lost lives before he decides to appoint an assistant secretary to take charge of our nation’s cyber crisis.” Thompson also panned the federal govt. for not taking a leading role in tracking cybersecurity costs, which he said would help businesses make a case to increase cybersecurity spending and help insurance companies develop less expensive cyber-risk policies.