RSA rewind: National security heavyweights talk cybersecurity

The panel was led by Quentin Hardy, national editor of Forbes Magazine, along with former Homeland Security Secretary Michael Chertoff, current security consultant and former counter-terrorism czar Richard Clarke, and Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC). The four gentlemen gathered in front of a packed theater to discuss the complicated cybersecurity balancing act governments face in relation to safety and personal freedoms, in addition to the current states of cyberterrorism, espionage, and preparedness.

Clarke claimed that the US is drastically unprepared to defend itself from cyber attacks, as was shown during the recent Cyber Shockwave exercise. “We have no public strategy to fight cyber war,” said Clarke. “In fact, we have no private strategy.”

He added that governments, including Russia and China, are successfully stealing useful information. “Every day we are being attacked”, noted Clarke, and “every major company, every government institution has been successfully penetrated.”

All the panelists agreed that the public does not recognize the seriousness of cyber crime; therefore, there has been no real effort to comprehensively address the issue. “We are really bad at educating people on operational security”, lamented Chertoff.

As for global cooperation, Clarke said we have never entered into an international agreement to address cybersecurity, as we have done previously with money laundering. An international treaty that puts the onus on each country to police its own cybersecurity could be an effective solution, he said.

The former Homeland Security chief agreed: “There are areas for cooperation among major powers like the US, China, and Russia. Security of the global financial system, and trust in it, is an issue that they must all address and can work together on”, said Chertoff.

Hardy then posed the question: How do you engage in cybersecurity in open governments that value individual rights when combating countries that do not? Clarke quickly replied that the US “government has discredited itself in the last decade”, perhaps no longer holding the moral high ground over more despotic regimes.

Clarke would go on to assert that government should facilitate cybersecurity protection, by establishing guidelines, but should not actually be executing it. This would help avoid privacy issues.

“Privacy ends up being the collateral damage in a cyber war scenario,” said EPIC’s Rotenberg. “These scenarios become excuses to intrude on the users, who are doing nothing wrong.” Rotenberg concluded that we can find solutions to authenticate and protect without trampling on civil rights.

Clarke would go on to criticize the Obama administration for not filling positions on the Homeland Security Privacy Protection Board and for failing to address the privacy protection issue, especially since it ran on a platform of restoring trust in government, in light of the privacy abuses of the previous administration.

All the while a consensus emerged that government should set cybersecurity protection and privacy standards, but that neither Homeland Security, the NSA, nor the government in general should be responsible for executing the policy. The common feeling here was that government administration of such policies would be woefully inadequate to address cybersecurity for the private sector. Chertoff said this provides an opening for innovative private sector companies that can help accomplish the goals of both protection and privacy.

“A comprehensive security strategy is key,” said Chertoff. “We need more action, and less talk about cybersecurity.”
