Baker Calls Cybersecurity Critical to National Broadband Plan
FCC policy must promote the development of tools to protect security of broadband networks, Commissioner Meredith Baker said at a cybersecurity workshop Wednesday at the commission. She encouraged the FCC to collaborate with industry on developing best practices. On a panel, industry officials resisted the idea of government certification of cybersecurity tools and practices but urged improved information-sharing processes before and during attacks.
As network technology becomes more open and interconnected, the threat of cyberattacks rises, Baker said. Cybersecurity tools are needed to stop identity theft, disclosure of sensitive information and service disruption to public safety, among other dangers, she said. “If this is the part” of the broadband plan “that we get wrong, all the rest is for nought.”
Cyberattacks are constant and evolving, industry and government representatives said at the workshop. It’s tough for system administrators to keep up, said AT&T Executive Director John Nagengast. “Every day there’s something new, so the analysts are always out on the floor trying to figure out … what is it, what’s happening, where’s it coming from and how do we go about protecting our infrastructure and our customer base from that exploit.” The broadband plan should include a commitment to spurring cybersecurity innovation and investment, as well as consumer education, he said.
“The technologies we use are littered with vulnerabilities,” with new reports every day, said Richard Pethia, the director of CERT at Carnegie Mellon. And attacks are growing in frequency and sophistication, he said. In defense, “we have a work force that is woefully inadequate in terms of the number of skilled individuals that we need to deal with this problem.”
Maintaining the status quo isn’t good enough to stop cyberthreats, and offense is more effective than defense, said Philip Reitinger, deputy under secretary in the Homeland Security Department’s National Protection & Programs Directorate. “We need to be really good at being reactive,” but “try and get out of the game of Whac-A-Mole.” He urged a “much more automated interoperable mechanism for doing security” that makes it possible to “read and react and mitigate in real time.”
Network security must be balanced against usefulness and costs, said Don Welch, Merit Network’s president. Added security raises costs for providers and limits consumers’ activities on the Web, he said. Providers must ensure that additional security is provided to consumers in a “socially acceptable way” that doesn’t anger them, Nagengast said.
Requiring network providers to conform to cybersecurity standards is useful only if the standards can evolve, said Pethia. “This needs to be not seen as a set of controls that are static” and need to be carried out only once: “This has to be a very dynamic process.” Market demand is the best way to motivate innovation, Nagengast said: Certification “can stifle innovation because you're always certifying the last generation of product through the process.”
“There’s going to be no single solution,” Welch said. “This is a very dynamic environment” and attackers quickly adapt to new security measures, he said. “Our adversaries are going to find the flaw and they are going to get to us.” Mandating a single method of defense is “impossible,” Welch said. A better idea would be to “mandate results,” to motivate companies to develop the best security tools they can. Requiring companies to disclose all attacks on their network might be a way to spur investment, he said.
Several speakers sought more vigorous and unified information sharing among network operators about attacks. Access to a broad picture of the overall network would be useful, but many companies are concerned about sharing proprietary information with competitors, Nagengast said. A good model to follow may be that of the health sector, Pethia said. “Health organizations seem to have found a way to get past this information sharing problem,” he said, citing the recent H1N1 outbreak as an example of effective sharing.
Most information sharing today is based on “trust-based relationships,” Reitinger said. Building collaborative relationships will be critical, and policymakers should focus not only on removing barriers to sharing but also increasing the return on investment for companies to share. “A lot of the time we focus unduly on the removing barriers,” but companies can go only so far without an ROI, he said.