Like they did before passing the Patriot Act, which was designed to help keep us safe from terrorism in the wake of the 9/11 attacks, Congress is now considering new laws to keep us safe on the Internet in the wake of a 650% increase in cyber attacks over the past 5 years.
During a House Energy and Commerce Committee hearing on cyber security this week, officials from companies including AT&T, Metro PCS, Comcast, Research In Motion (RIM), and CenturyLink testified that increased government regulation would stifle innovation and harm their ability to protect consumers. Because online threats are constantly changing, they reasoned, regulations would already be out of date by the time they went into effect.
Jason Livingood, Vice President of Comcast Internet Systems Engineering, said government should educate citizens about the severity of online threats and about actions they can take to protect themselves online. He also suggested that the government provide incentives for cyber security research and development, and encourage the exchange of threat information between the government, Internet service providers, and mobile carriers.
In addition, the security officials said they wanted the ability to share threat information amongst themselves without fear of antitrust laws, and “safe harbor” protection from consumer class-action lawsuits related to using information they get from the government to secure their networks against attack.
CenturyLink Vice President and Chief Security Officer, David Mahon, said “The cyber threat is real and serious.” Mahon, a former FBI agent, says “More can and should be done. We need public/private partnerships. We are entering into a new era where our adversaries are more sophisticated and determined.”
AT&T Chief Security Officer, Dr. Edward Amoroso, testified that the hacking community is keeping pace with Silicon Valley. “We are being out-innovated by our adversaries. Their malware is so good, and so well-crafted, we marvel at how far they’ve come. We need to do something to get out ahead of it.”
Because US intelligence agencies are aware of different types of threats, such as those posed by other nations, having access to that information would be very useful, Amoroso says. “Government should be able to share issues without the company being considered an ‘agent’ of the government. Intelligence and law enforcement regularly see signatures that we don’t, particularly if it’s classified.”
Responding to a question from Representative Mike Doyle (D-PA) about whether government employees should be allowed to use their own mobile devices for work, Scott Tozke, Senior Vice President of the BlackBerry Security Group, responded: “The security of platforms varies from device to device, and then there’s the question of liability: who owns the device and the info on it? Also, how do you protect the information on that device?”
While Tozke says there’s a certain level of encryption built into BlackBerry, one of the biggest concerns is the lack of a standard bar set for protecting information across a wide range of devices. As a result, he says, government IT administrators could get into a “race to the bottom” that results in setting security standards to the “lowest common denominator”, which would be a bad idea.
Rep. Mike Rogers (R-Michigan) talked about how countries such as China are “exfiltrating” information from both private and government computer networks in the USA through the use of advanced persistent threats (APTs). “Hundreds of thousands of jobs are being lost as a result of this,” Rogers says.
Tozke agreed, and pointed to the example of a Canadian company, Nortel, which went out of business as a result of such a data breach.
Just last month, in fact, former Nortel CEO Frank Dunn went on trial for fraud, because of claims that he knew about the data breach and did nothing about it.