In Case of Emergency, Read This Blog

A Citizen’s Eye View of Public Preparedness

At “Bloggers Roundtable”, DHS Secretary Chertoff Discusses Public’s Role In Cyber Security Effort

October 10th, 2008 · 2 Comments

On Wednesday, I attended a U.S. Department of Homeland Security “Bloggers Roundtable” convened in Washington, D.C. by Secretary Michael Chertoff to address the issue of cyber security.

The Roundtable took place at the Secretary’s ‘satellite’ office at the Ronald Reagan Office Building near the White House. It was pegged to October’s National Cyber Security Awareness Month, which, according to DHS, is “designed to educate the public on the shared responsibility of protecting cyberspace.” A full transcript can be found here.

Others attending the Roundtable were HLS Watch’s Jonah Czerwinski, CQ’s Jeff Stein, Consumer Reports’ Jeffrey Fox, Federal Computer Week’s Ben Bain, Heritage Foundation’s Jena Baker McNeill, and Ars Technica’s Julian Sanchez. (I attended a previous Bloggers Roundtable held by Secretary Chertoff on emergency preparedness in May.) 

In his opening remarks, Chertoff called cyber security “perhaps an area of vulnerability we have that remains the greatest challenge in terms of addressing” and added: 

“It’s not a secret that, you know, if you look at what happened in Estonia, looked at what happened in Georgia, if you look at that massive identity theft that occurred in California that I announced we had made some arrests this past August, we’re becoming more and more acutely aware of the vulnerability we have at all levels: denial of service, corruption of information, theft of identity, exfiltration of confidential information. All of these are critical issues.”

Photo: Secretary Chertoff at the Bloggers Roundtable.

Though much of DHS’ cyber security effort is focused on federal systems and critical infrastructure (and that was the subject of most of the discussion during the Roundtable as HLS Watch nicely covers in its post), Chertoff says that the public has a significant role in cyber security both in their workplaces and at home:

“There’s public in your own personal life and there’s the business community. The business community obviously, to the extent they operate critical infrastructure, they have a role to be responsible not only to themselves and their own businesses, but to the wider community that depend upon them. Because we are interdependent. If the power grid goes down because somebody hasn’t adequately protected their systems from an IT denial of service attack, that’s going to have implications for everybody who relies on that power.”

“So there’s an awful lot the private sector has to do. It reminds me of the Y2K period when the private sector was required to step up and make sure it was protecting its assets. So part of what we’ve been in the process of doing is we’ve set up a committee with the private sector built upon the model that we’ve been using successfully over the past several years to create a national infrastructure protection plan. And the idea is to have a — it’s a critical infrastructure coordinating committee that looks in particular at computers and spans all of the sectors, recognizing that each sector is going to have unique challenges and is going to want to look at different kinds of issues.”

“From a homeowner standpoint or personal standpoint, you know, obviously you don’t want your computer turned into a — you know, taken over by bots and then converted into an attack vector. But on a more prosaic level, you don’t want your personal stuff, your financial records exfiltrated. You don’t want to have your computer become sluggish and unable to operate.”

“And, you know, this is really an area — it is like the disaster area where personal responsibility is important. If you don’t change your password periodically, if you don’t update your firewalls and your anti-virus, you’re just — you know what it’s like? It’s like taking your wallet and throwing out on the street. And no one would suggest doing that. No one suggests just leaving your door wide open without a lock.”

“For many people, that’s how they view the computer, and, you know, whether it’s — to make a larger point, whether it’s preparing yourself for physical disaster with water and food as we’ve talked about, John, or whether it’s taking reasonable security over your computer, people have got to do this. Because otherwise, they’re going to get victimized and then they’re going turn and say, well, who’s going to help me? And the answer is, it’s going to be a lot harder to help them after the fact than if they take reasonable precautions.” 

The Homeland Security Department has recommended that citizens “practice good cyber security in their homes and offices,” including: “installing virus detection software and updating it as necessary, creating strong passwords and frequently changing them, backing up important files, and ignoring suspicious e-mails.”

I asked Chertoff whether he thought the public would be willing to undertake those preventive measures, some of which may seem too much of a nuisance given their perception of risk. He said every individual and business has to make their own risk evaluation, but, as with other challenges in this policy area, there is a need to find a “balance” between security and inconvenience:

“I’ve seen circumstances where the requirements for getting into the system are so cumbersome that people stop using the system, and that’s not a good answer. I think it’s risk management. In a business where there’s a huge consequence to having data stolen. Like in our world. In our world we’re required to change our password frequently, and also there are all kinds of rules about what it has to be that are, you know, frankly inconvenient. But it’s important because of the data we have. Now you might make a judgment at home that what’s at risk is less and the attractiveness of stealing it is less, and therefore you might be a little bit more moderate. I do think it’s important for people to be realistic. If you set too high a bar, then it’s not going be honored. And that’s part of the judgment here is, it’s managing the risk to the appropriate level of consequence.”

Chertoff said that he thinks ultimately the key to cyber security at the consumer user level may be changing the security paradigm:

“…I would actually make the case — and this is not with the Cyber Security Initiative, but it’s another initiative we’ve talked about — that part of what we need to do is we need to change from a model in which your assets are controlled by your, for example, your Social Security number, which is a very weak way to control your assets, to a way in which your assets are controlled by some combination of a biometric, a token, and maybe some secret knowledge that isn’t kept in a database.

“If you — bear with me for a second. If you had a system where in order to access my bank account you had to use my biometric and a token as well as a number, it wouldn’t matter if you stole the number, because the number wouldn’t do anything for you. It would be like having my name. It doesn’t do anything for you. So I actually think we need to step out — I mean, in the short run, you want to protect the information by encrypting it and securing it.”

“But in the long run, I think you want to move away from a model which I consider inherently vulnerable, where the very information that you’re trying to protect is the information you have to disseminate in order to validate yourself. So as you — the more effective use you make of the information, the more vulnerable you become. I’m suggesting we paradigm shift.”

“On the issue of theft of data over the Internet, whether it’s wireless interceptions like we had out in California, there again, a lot of the key is encryption. It is a different architecture for how we validate and verify people so that we don’t have — so that getting a single piece of information about you doesn’t really do any good, because it’s not enough to get you into an ability to corrupt somebody. And of course, part of it is just doing what we can to secure the networks against hacking or intrusions.”

“But, mind you, you know, it’s not just about hacking. It can be about interception of wireless transmissions. It can be about theft of data by insiders. You know, someone told me that people stick a lot of data on a thumb drive. You’d be amazed how many thumb drives are found on the floor of airplanes, commercial airplanes, because people drop them out.”

“…What I’m saying is, there’s a whole spectrum of threats. And what I want to encourage is not just to think about the obvious thing or the thing that gets written about, but to look at what I call game changers, ways to actually organize protection of our identity so that we are not so vulnerable to the theft of a single piece of information or a Social Security number, because that is insufficient to allow someone to actually steal someone’s assets. And I think this is a huge issue. You can tell I’m interested in it because I’m talking about it a lot.”
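The architecture Chertoff sketches above (an identifier such as a Social Security number that is public rather than secret, with access gated instead on a possession factor, a biometric and secret knowledge the server never stores in the clear) can be made concrete in a few dozen lines. The following is an added illustration written for this post; it is not code from the original article, from DHS or from any initiative Chertoff mentions. The one-time-code functions follow the published RFC 4226 (HOTP) and RFC 6238 (TOTP) algorithms; the biometric matcher is a constructed stand-in that only mimics the fuzzy-accept shape of a real one; and every account value, PIN, token seed, template and clock reading is constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time code exactly as specified in RFC 4226."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the current 30-second window."""
    return hotp(secret, unix_time // step, digits)


def pin_verifier(pin: str, salt: bytes) -> bytes:
    """Knowledge factor: the server keeps only this salted PBKDF2 output, never the PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)


def biometric_matches(template: bytes, sample: bytes, max_bit_errors: int = 4) -> bool:
    """Constructed stand-in for a biometric matcher: a sample is accepted if it
    differs from the enrolled template in at most a few bits. Real matchers are
    far more involved; only the fuzzy-accept behaviour is illustrated here."""
    if len(template) != len(sample):
        return False
    errors = sum(bin(t ^ s).count("1") for t, s in zip(template, sample))
    return errors <= max_bit_errors


def enroll(ssn: str, pin: str, token_secret: bytes, bio_template: bytes) -> dict:
    """Server-side record. The SSN is a lookup key only; it is not a secret here."""
    salt = os.urandom(16)
    return {
        "ssn": ssn,
        "pin_salt": salt,
        "pin_verifier": pin_verifier(pin, salt),
        "token_secret": token_secret,
        "bio_template": bio_template,
    }


def verify_access(record: dict, pin: str, token_code: str, bio_sample: bytes,
                  unix_time: int) -> tuple:
    """All three factors must pass. The reason string is for the audit log;
    a real service would show the user only a generic failure message."""
    candidate = pin_verifier(pin, record["pin_salt"])
    if not hmac.compare_digest(candidate, record["pin_verifier"]):
        return False, "knowledge factor failed"
    # Accept the current and the previous window to tolerate small clock drift.
    expected = [totp(record["token_secret"], unix_time - d) for d in (0, 30)]
    if not any(hmac.compare_digest(token_code, e) for e in expected):
        return False, "possession factor failed"
    if not biometric_matches(record["bio_template"], bio_sample):
        return False, "biometric factor failed"
    return True, "ok"


def demo() -> dict:
    """Constructed scenario: the legitimate user, and an attacker who holds only the SSN."""
    token_secret = b"12345678901234567890"        # constructed seed (the RFC 6238 test secret)
    template = bytes.fromhex("deadbeefcafef00d")  # constructed biometric template
    accounts = {}
    rec = enroll("123-45-6789", "4821", token_secret, template)
    accounts[rec["ssn"]] = rec                    # the SSN is the public lookup key
    now = 59                                      # constructed clock value

    target = accounts["123-45-6789"]
    legit = verify_access(target, "4821", totp(token_secret, now),
                          bytes.fromhex("deadbeefcafef00c"), now)  # sample is 1 bit off: accepted
    # Knowing the SSN alone: no PIN, no token, no matching biometric sample.
    ssn_only = verify_access(target, "0000", "000000", bytes(8), now)
    # SSN plus PIN is still not enough without the token.
    no_token = verify_access(target, "4821", "000000", template, now)
    return {"legit": legit, "ssn_only": ssn_only, "no_token": no_token}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'granted' if ok else 'denied'} ({reason})")
```

The point of the record layout is the one Chertoff makes: the database holds an identifier, a salted verifier and a token seed, so a copy of the SSN, or even of the whole record without the physical token and a live sample, does not let its holder pass `verify_access`. The `compare_digest` calls keep each comparison constant-time, and the two-window check on the one-time code is the usual concession to clock drift between the token and the server.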


Tags: Cyber Security · Department of Homeland Security · Preparedness Events
