Representatives of major broadband network operators Comcast, CenturyLink and AT&T warned Congress Wednesday that the best thing government can do to help industry thwart increasingly sophisticated cyber-attacks would be to boost communication, better educate the public and protect networks from liability for sharing info with each other and government.
What the government should not do, they said, was apply prescriptive rules and mandates that would prevent them from innovating in real time or with threats that they say are already difficult to combat and would be virtually impossible to thwart under such a regime.
Thove positions were articulated during "Cybersecurity: The Pivotal Role of Communications Networks," in the House Communications Subcommittee, the latest in a series of hearings on cybersecurity, this one featuring network cybersecurity engineers.
The tone from the legislators was definitely bipartisan -- botnets attack Republicans and Democrats alike -- and the witnesses painted a sometimes frightening picture of threats from nation states and terrorists, or from individual hackers with only malicious mischief in mind [some of whom grow up to be network engineers and congressional witnesses] to federations of economic hackers for whom it was all about the money, or so-called hactivists -- think the Anonymous group -- out to make a point. All this while the average computer or mobile device user is unaware of the scope of the threat.
AT&T chief security officer Edward Amoroso, making the point that the Cloud might actually be more secure than a home computer, suggested his own mother's computer was probably attacking China even as he spoke.
On the other side, they said, are companies trying to defend against thousands to millions of attacks daily, but dealing with rooms full of lawyers to avoid running afoul of Washington or the civil liberties everyone agrees need protecting.
Committee chairman Greg Walden (R-Ore.) said the committee's goal was to find out what network operators were doing to combat attacks and how the government could help without doing anything to impede that response through overregulation. "Help educate us so we can do the right thing," he said.
At the hearing, Rep. Marsha Blackburn (R-Tenn.) indicated that she is currently working with Rep. Mary Bono Mack (R-Calif.) on a House version of the Senate SECURE IT Act, though less prescriptive. The Senate bill would charge the Department of Homeland Security with developing network performance standards, something all the witnesses suggested could be an overly prescriptive hindrance to flexible, real-time industry responses to threats.
Rep. Henry Waxman (D-Calif.), ranking member of the parent Energy & Commerce Committee, said there was an important role for government -- the closest anyone came to siding with a more regulatory approach, but even he followed that with talking about the FCC's proposed voluntary code of conduct on attacking botnets, and the FCC's Internet committee that features government-industry collaboration on addressing Internet threats.
Also testifying were David Mahon, chief security officer for CenturyLink; John Olsen, senior vice president and CIO of MetroPCS Communications Inc.; and Scott Totzke, senior vice president, Blackberry Security Group.
They all pointed out that it was in their self-interest to aggressively combat those threats, and that new government mandates were not the way to go.
Jason Livingood, vice president of Internet Systems Engineering, for Comcast, when asked what the Congress should and should not do, said the government could help by making that information sharing easier, incentivizing more research and development, and better educating the public, whether through public service announcements or some other means.
What the government should not do, he said, was implement mandates, checklists, and compliance regimes that could prevent companies from focusing on innovation. Another of the witnesses main points was that by there very nature, such mandates would be focusing on a target that had already been replaced by a new one.
Comcast got a shout out from Rep. Anna Eshoo (D-Calif.). Eshoo, who is co-chair of a newly created cybersecurity working group, said it was "terrific" that Comcast had been the first North American ISP to implement the DNSSEC regime for protecting domain name security. Eshoo's principal concern was about supply chain threats--foreign companies supplying elements of U.S. network infrastructure.
AT&T's Amoroso was among the most-questioned witnesses likely due to his shoot-from-the-hip approach -- legislators have indicated they are looking for straight talk on the issue from engineers. In fact there were shout-outs for the witnesses repeated comments that perhaps they could bet more done on the cybersecurity front if there were fewer lawyers in the room making sure they did not run into legal troubles.
Amoroso was not shy about the extent of the threat, saying that none of the witnesses could profess to being able to entirely stop botnets--nobody on the panel argued--and that they were currently trying to keep up with attacks. He suggested that when networks do ferret out malware, it was more like seeing someone clutch their chest and fall over and concluding they were having a heart attack," adding that it was stopping the sophisticated threats they can't see that is the problem.
"We are being out-innovated by our adversaries," he said, adding that sometimes the malware is so well crafted that even they have to marvel at how far it has come. He was immediately, and good-naturedly, dubbed Dr. Sunshine by Rep. Mike Doyle (D-Pa.).
But Amoroso suggested his point was not that AT&T as throwing up its hands, but instead how hard it was to thwart adversaries who were moving at the speed of innovation, and that the government should not do anything to make it harder for industry to keep pace.
He said that the mobile space was less secure in part because of Washington's pressure for operators not to throttle or block traffic.
And Amoroso was not as enamored of DNSSEC protections as Comcast, arguing that the bad guys are figuring out how to circumvent that as well. The thrust of his argument was to let networks have as much flexibility as possible to respond to threats without having to have 50 lawyers in the room or to have to spend time filing lots of government paperwork -- like mandated checklists -- rather than defending networks.
MetroPCS' Olsen said he was concerned that they were not getting a lot of consumer inquiries about security, which suggests the public is neither forewarned nor well-armed.