RSA 2013: Government will help businesses to help themselves, says US cyber lead

Government is prepared for the worst, but Hollywood-style simultaneous power outages in 14 cities is not part of the “new normal”, says the lead for US federal government cyber security policy

Government is prepared for the worst, but Hollywood-style simultaneous power outages in 14 cities is not part of the “new normal”, says the lead for US federal government cyber security policy.

“In the real world, information security professionals are more likely to be dealing with persistent intrusions, IP theft and distributed denial of service (DDoS) attacks,” said Michael Daniel, special assistant to the US president and White House cyber security coordinator.

“While companies may view DDoS attacks of 100Gbps as catastrophic, from a government point of view these are simply annoying, causing delays,” he told the RSA Conference 2013 in San Francisco.

Even if these attacks come from overseas, the government’s role is not to ride in to save the day, but to help businesses to help themselves.

As indicated in the president’s State of the Union address, the government intends to redouble its efforts in sharing information about threats and attacks with the private sector, said Daniel.

Companies must protect themselves

“The burden of defending every network cannot fall on government alone,” he said, so providing threat intelligence is like a storm warning; it is up to companies to take steps to protect themselves.

No corporate CISO should be caught offguard by things like DDoS attacks. They need to plan, participate in information sharing, test incident response capabilities, have contingencies, and use modern defences.

But like natural disasters, there may come a time when the federal government will have to step in when local and state resources are overwhelmed, said Daniel.

“When and how that intervention would take place is still a question that is under debate in government and society,” he said.

However, in the event that federal intervention is deemed to be necessary, there are several things that could be done, said Daniel.

These include technical support, diplomatic support, liaison with emergency response teams (CERTs), prosecuting those responsible, preventing the use of US infrastructure in attacks, and even military support, he said.

Daniel noted that most of this support is not cyber in nature. “Whatever government response will be, it must be cautious and incremental for two main reasons,” he said.

First, government will never attempt to protect all networks because it could never do that as well as those responsible for those networks.

Second, the risk of mis-attribution and escalation of hostilities is a very real risk. “We cannot risk government’s response to something like a DDoS attack harming relations with other countries or resulting in conflict,” said Daniels.

“This is something that advocates of hacking back [offensive defence] do not think about,” he added.

Mutual government and corporate responsibility

According to Daniel, the strategy of the US government is based on mutual responsibility. A point underlined in a subsequent presentation by Robert Meuller, director of the FBI.

“The private sector is a key ally in the fight against cyber attacks,” said Mueller, emphasising throughout his presentation the importance of public-private partnerships in improving resilience to cyber attacks.

In conclusion, Daniel called on the private sector to work with the National Institute of Standards and Technology (NIST) to implement president Obama’s executive order to develop a national framework for cyber security within the time allocated.

For its part, he said, the government would continue to work on supporting legislation, improve defences on federal networks, engage with other nations on establishing norms of behaviour, and work to ensure the internet is open, stable and reliable.

Read more on Hackers and cybercrime prevention