

Who is responsible for cyber security?

The government looks to the private sector. But firms say it's too big for them to tackle.

August 26, 2008 | Joseph Menn | Times Staff Writer

Three very big and very different computer security breaches that have dominated recent headlines did more than show how badly the Internet needs major repairs. They also exposed the huge rift between corporate America and the federal government over who should fix it, cyber-security experts say.

In the last few months, law enforcement officials cracked an international ring that tapped customer databases and trafficked in tens of millions of credit card numbers; a researcher uncovered a major flaw that permits hackers to steer some Web surfers to fake versions of popular websites filled with malicious software; and computer assaults, which some researchers said they had traced back to Russia's state-run telecommunications firms, crippled websites belonging to the country of Georgia.

Yet the episodes did little to boost cyber security higher on the agendas of the federal government or the two major presidential candidates.

"Nothing is happening," said Jerry Dixon, the former director of the National Cyber Security Division at the Department of Homeland Security. "This has got to be in the top five national security priorities."

Dixon is just one of hundreds of technology executives and experts who have been saying for years that Washington needs to do much more to protect consumers, businesses and the government itself from attacks by criminal hackers and those supported by rival nations.

The government has largely argued that the private sector is better suited to tackle the broader problem.

But big corporations say it's too big for them to handle. They say the Internet's technical underpinnings, which are loosely administered by the Commerce Department, need a major overhaul to eliminate vulnerabilities.

Why such a persistent disconnect?

It's partly because cyber security crosses so many lines in the executive branch. Homeland Security oversees protection of government networks, and the Federal Bureau of Investigation and Secret Service pursue cyber crimes. When those cases lead to other countries, the State Department must get involved.

More important, most of the Internet's infrastructure -- the big computers and data pipes through which our bits travel -- is in private hands.

So for years, the government has assembled task forces that call for greater cooperation and communication between the public and private sectors. But experts say the reports have yet to yield tangible results, while the bad guys have become increasingly adept at exploiting new security holes in software and hiding their electronic infiltration from anti-spyware and firewall programs.

At the Black Hat technology security convention in Las Vegas this month, Dixon and others on a joint government-industry panel discussed recommendations they were drafting for the next president.

Members of the panel, convened by the Center for International and Strategic Studies, said that cyber security should be a priority because the country is under attack from organized hackers. But they said that during his first hundred days in office, John McCain or Barack Obama would be far more likely to tackle high-profile voter concerns -- the economy, Iraq, education, housing -- than cyber security.

As if to underscore the gap, the government's latest point man on cyber safety used a keynote address the next day to discuss economic theory, explain why Abraham Lincoln was the nation's "first wired president" and dismiss calls for the financial industry and others to beef up security spending.

"Over time, the banking industry is pretty rational," said Rod Beckstrom, director of the new National Cyber Security Center, which is part of Homeland Security. "So they're probably doing a good job on investment."

He added that private security spending in general was probably at about the right level.

In the hallway afterward, executives grumbled that Lincoln had nothing to do with protecting their corporate networks.

A position paper outlining McCain's technology policy platform, released by his campaign this month, barely mentions security. It says that the Republican candidate is for privacy and against spam and fraud. It also says his "record reflects the careful balance between protecting the essential elements of the Internet and securing the Internet as a safe tool of commerce, education and entertainment for our citizens."

Democrat Obama's platform doesn't differ much on security, although it calls for restrictions on how databases of information on citizens can be used and for the appointment of a federal chief technology officer to coordinate infrastructure efforts.

Outsiders urge far more action.

Security expert Bruce Schneier, in his monthly newsletter, said that any new cyber-security czar should have budget authority. He also said that the government needed to demand more security in the products it buys and undo laws protecting software companies from liability lawsuits.
