Senate Commerce Chairman John D. Rockefeller, IV (D-WV) this week conducted a hearing entitled “Cybersecurity — Assessing Our Vulnerabilities and Developing An Effective Defense” during which he signalled that cybersecurity will be a major focus of the committee.
Mentioning his experience as a member and former chairman of the Senate Intelligence Committee, Rockefeller commented:
I know the threats we face. Our enemies are real, they are sophisticated, they are determined and they will not rest.
I do not believe it is only the job of the Intelligence Committee or our national security and defense agencies to protect us from the threats we face. This committee can and must play a very proactive role in keeping Americans safe.
* * * * Because the topic of cybersecurity is so vast, a single hearing cannot possibly hope to address or identify the many facets of this issue. But this hearing is the first of many under this Committee and will serve as the beginning of a very valuable foundation.
Witnesses included Dr. James Lewis, Director and Senior Fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies, who said that the task is enormous.
The internet as it is currently configured and governed cannot be fully secured. Changing this to gain the further advantages offered by information technology will require a restructuring of governance, practices and standards. Right now, however, the advantage lies with the attacker.
Lewis chided the Bush administration’s Comprehensive National Cybersecurity Initiative because it was “over-classified” and focused on securing federal computer networks. According to Lewis,
Economic strength, technological leadership and the ability to innovate will be as important as military force in creating national power, particularly in competition with the rising nations who wish to reduce U.S. influence without resorting to open military conflict. The primary damage to U.S. national security and economic strength from poor cybersecurity comes from the theft of intellectual property and the loss of advanced commercial and military technology to foreign competitors. A failure to secure America’s information infrastructure weakens the United States and makes our competitors stronger.
Lewis believes that the solution consists of two interrelated sets of actions.
The first is to strengthen our national ability to innovate. Innovation is the process of coming up with new ideas, goods, and services. It has become a central element in economic competition. A more innovative nation will be stronger and more secure as it will have a stronger economy and better technology. A purely defensive strategy will not succeed. The second set of actions is to secure the networks upon which we rely for commerce, innovation and security.
Ed Amoroso, who is AT&T’s Chief Security Officer, testified that network service providers can play an underappreciated role in protecting those lifelines.
[AT&T’s] advanced network technology currently transports more than 17 Petabytes a day of IP data traffic, and we expect that to double every 18 months for the foreseeable future. Our network technologies give us the capability to analyze traffic flows to detect malicious cyber-activities, and, in many cases, get very early indicators of attacks before they have the opportunity to become major events. For example, we have implemented the capability within our network to automatically detect and mitigate most Distributed Denial of Service Attacks within our network infrastructure before they affect service to our customers.
Previously it has been reported that network service providers have a window which enables them to see all kinds of potential cyber threats:
About 1 million of the home computers AT&T sees each day are thought to be infected with bots, reaching out to hundreds of other IP addresses far more quickly than any Internet surfer with DSL or a cable modem ever would. Before a worm strikes, technicians see strange spikes of traffic going to normally obscure ports, as malware developers test and tweak their code. A sudden, sharp increase in the amount of Web traffic worldwide could mean breaking news–or a distributed denial-of-service (DDoS) attack being lobbed at a single company halfway around the world.
But Amoroso’s window into a rapidly junkifying Internet is largely just that: a window. For the most part, he says, all he can do is sit and watch through the glass, as unwanted or malicious traffic makes its way from point A to point B.
“The standard service-level agreement is that we just push the traffic in and out,” he says. “We don’t touch it. We can do some upstream and downstream filtering if we see something that will affect our infrastructure, but you getting a spam, or you having some weird protocol aiming at you–I would love to filter that, but it’s not that simple.”
Amoroso, again, means it isn’t simple from a legal perspective, not from a technological point of view.
Amoroso suggested at the Senate Commerce hearing that
our government should rethink its own relationship with its network service providers. As attacks become more mobile and network-based, the service provider has the best vantage point to mitigate the threat. Too often, in our work at AT&T, we see government and business systems designed with the service provider at arm's length. This practice must be discouraged. In fact, agencies that run their own cyber-security operation should be ready to justify such decision. They cannot stop network threats such as botnets on their own.
The same goes with private networks. According to Amoroso,
“So many groups with cybersecurity teams are trying to solve the same problem,” he says. “Any one of us, as an engineer, would tell you that’s about as inefficient as it gets.”
All attacks pass through the carrier infrastructure, he says, and that’s where the focus should be.