Experts fear a new government plan to combat the growing threat of cyberattacks on private computers, the government’s own systems and the nation’s critical infrastructure could end up mandating outdated controls and introducing privacy violations.
The plan, unveiled by the White House on Thursday, was lauded by experts for increasing attention on cybersecurity and recommending higher penalties for cybercriminals. But some say the proposal lacks the force, flexibility and specificity necessary to effectively protect the nation’s cybersecurity.
While most affirm the need to take a tougher stance on cybersecurity measures, many experts worry the proposed legislation will not be adequate to deal with new threats as they emerge given the complicated, ever-shifting nature of cybercrime. While legislation can take years to pass, cybercriminals are often one step ahead of cybersecurity vendors. By the time the government steps in to act to prevent cybercrime, the protections it requires might already be obsolete.
“The attackers are two years ahead of the defenders, security vendors, who are two years ahead of market, which is two years ahead of compliance, and legislation is five years behind that,” said Josh Corman, the Research Director of the 451 Group's enterprise security practice. “These practices may be even more stale once enacted. It’s unlikely the law could ever keep pace, given the glacial pace of legislation.”
Some experts say that legislation governing security practices could lead to the establishment of industry standards that cybercriminals will quickly render obsolete. Because the law would ask companies to protect specific kinds of information using specific kinds of protections, those standards would stay in force even after they had become inadequate against current threats.
"You've already failed before you've begun," said Corman. "It's hard enough simply for vendors to keep pace."
Others are worried by the proposal’s lack of specificity regarding how security protections will be implemented and say the plan would allow contractors to fleece those trying to stay protected.
“This is being pushed through as something we have to do, but where’s the plan behind it? Where’s what we’re going to be implementing?” said Kurt Roemer, Citrix Systems' chief security strategist. “A call to audit -- without a detailed audit plan -- is a license to print money for contractors.”
Security experts were puzzled by the prominent inclusion of intrusion prevention systems, or IPS, as protections for federal executive branch civilian computers. IPS is an outdated security protection, Corman said, adding that the technology only stops attacks matching previously known patterns. Last year, 89 percent of attacks were of a kind that IPSs cannot prevent, according to Corman.
“An IPS would not have protected against Wikileaks, stuxnet or any other targeted unknown threat,” added Roemer. “To specifically call out IPS was laughable.”
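To make the point concrete, here is a toy signature-matching filter written for this page; it is not code from any vendor, from Corman or Roemer, or from the White House proposal. The signature set and the sample requests are constructed, and the names are arbitrary. It shows the behaviour the experts describe: a signature catches the exact attack string it was written for, while a lightly altered variant of the same attack and a payload the signature set has never seen both pass straight through.

```python
"""Constructed example: a minimal signature-based inline filter.

Signature matching is the mechanism behind classic IPS detection. The
signatures and the sample traffic below are made up for illustration.
"""
import re
import urllib.parse
from typing import Dict, Optional

# Constructed signature set: one regex per known attack pattern.
SIGNATURES = {
    "sqli_union": re.compile(r"union\s+select", re.IGNORECASE),
    "path_traversal": re.compile(r"\.\./\.\./"),
}


def inspect(request_line: str) -> Optional[str]:
    """Return the name of the first signature that matches, or None.

    None means the filter would let the request through.
    """
    for name, pattern in SIGNATURES.items():
        if pattern.search(request_line):
            return name
    return None


def inspect_decoded(request_line: str) -> Optional[str]:
    """Same check after one round of URL decoding.

    Normalising input before matching recovers some evasions (percent
    encoding) but still cannot help with patterns the signature set lacks.
    """
    return inspect(urllib.parse.unquote(request_line))


# Constructed sample traffic (hypothetical requests, not captured data):
# a known attack, two trivial variants of it, and a payload that no
# signature covers.
SAMPLES: Dict[str, str] = {
    "known": "GET /item?id=1 UNION SELECT user,pass FROM users",
    "comment_obfuscated": "GET /item?id=1 UNION/**/SELECT user,pass FROM users",
    "url_encoded": "GET /item?id=1%20UNION%20SELECT%20user,pass%20FROM%20users",
    "traversal": "GET /static/../../etc/passwd",
    "novel": "GET /report?template={{config.__class__.__init__.__globals__}}",
}


def run_samples() -> Dict[str, Optional[str]]:
    """Run every sample through the plain signature filter."""
    return {label: inspect(line) for label, line in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:20s} -> {verdict or 'PASSED (not blocked)'}")
```

Only the exact known string and the traversal are blocked; the comment-obfuscated SQL injection, the percent-encoded one, and the template-injection payload all pass. Decoding first recovers the percent-encoded case, but nothing in a signature set can flag the payload it has never seen, which is the gap Corman and Roemer are pointing at.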
The proposal also encourages companies to come forward with security breaches and promises those companies "immunity when sharing cybersecurity information with [the Department of Homeland Security].” But experts said the proposal would be ineffective unless it made disclosure mandatory. Given the potential backlash from both the public and shareholders, the risks of disclosing security failures often keep companies from coming forward. Only 3 in 10 firms report all data breaches, a study by McAfee found, while 6 in 10 disclose only certain breaches.
“You’d have to be an idiot to say hackers compromised you if you don’t have to,” said Corman. “The incentive structure is to hide when we fail."
Without sufficient data about these high-profile breaches -- often involving valuable intellectual property, such as plans for weaponry, research behind new medicines, and more -- defenders remain without the information necessary to address the vulnerabilities that were exploited.
“By my count (some publicly known, many not) more than 50 of the Fortune 100 have lost intellectual property and corporate secrets in the last 12 to 18 months. That I know of,” Corman said in an email. “In 2011, we've seen more than a breach-a-week, of firms large and small.”
Privacy experts also fear the new proposal could violate user privacy. While law today prevents Internet service providers from sharing the content of user communications with the government, the proposal allows for these protective statutes to be overruled in the case of cybersecurity information sharing.
“The information sharing provision is very flawed,” said Greg Nojeim, senior counsel at the Center for Democracy and Technology. “It allows companies to share a lot of communications with this new DHS center and the privacy rules are to be determined. That seems like a blunt instrument for a very narrow problem.”