On Wednesday, I attended a U.S. Department of Homeland Security “Bloggers Roundtable” convened in Washington, D.C. by Secretary Michael Chertoff to address the issue of cyber security.
The Roundtable took place at the Secretary’s ‘satellite’ office at the Ronald Reagan Office Building near the White House. It was pegged to October’s National Cyber Security Awareness Month, which, according to DHS, is “designed to educate the public on the shared responsibility of protecting cyberspace.” A full transcript can be found here.
Others attending the Roundtable were HLS Watch’s Jonah Czerwinski, CQ’s Jeff Stein, Consumer Reports’ Jeffrey Fox, Federal Computer Week’s Ben Bain, Heritage Foundation’s Jena Baker McNeill, and Ars Technica’s Julian Sanchez. (I attended a previous Bloggers Roundtable held by Secretary Chertoff on emergency preparedness in May.)
In his opening remarks, Chertoff called cyber security “perhaps an area of vulnerability we have that remains the greatest challenge in terms of addressing” and added:
“It’s not a secret that, you know, if you look at what happened in Estonia, looked at what happened in Georgia, if you look at that massive identity theft that occurred in California that I announced we had made some arrests this past August, we’re becoming more and more acutely aware of the vulnerability we have at all levels: denial of service, corruption of information, theft of identity, exfiltration of confidential information. All of these are critical issues.”
Though much of DHS’ cyber security effort is focused on federal systems and critical infrastructure (and that was the subject of most of the discussion during the Roundtable, as HLS Watch nicely covers in its post), Chertoff said that the public has a significant role in cyber security, both in their workplaces and at home:
“There’s public in your own personal life and there’s the business community. The business community obviously, to the extent they operate critical infrastructure, they have a role to be responsible not only to themselves and their own businesses, but to the wider community that depend upon them. Because we are interdependent. If the power grid goes down because somebody hasn’t adequately protected their systems from an IT denial of service attack, that’s going to have implications for everybody who relies on that power.”
“So there’s an awful lot the private sector has to do. It reminds me of the Y2K period when the private sector was required to step up and make sure it was protecting its assets. So part of what we’ve been in the process of doing is we’ve set up a committee with the private sector built upon the model that we’ve been using successfully over the past several years to create a national infrastructure protection plan. And the idea is to have a — it’s a critical infrastructure coordinating committee that looks in particular at computers and spans all of the sectors, recognizing that each sector is going to have unique challenges and is going to want to look at different kinds of issues.”
“From a homeowner standpoint or personal standpoint, you know, obviously you don’t want your computer turned into a — you know, taken over by bots and then converted into an attack vector. But on a more prosaic level, you don’t want your personal stuff, your financial records exfiltrated. You don’t want to have your computer become sluggish and unable to operate.”
“And, you know, this is really an area — it is like the disaster area where personal responsibility is important. If you don’t change your password periodically, if you don’t update your firewalls and your anti-virus, you’re just — you know what it’s like? It’s like taking your wallet and throwing out on the street. And no one would suggest doing that. No one suggests just leaving your door wide open without a lock.”
“For many people, that’s how they view the computer, and, you know, whether it’s — to make a larger point, whether it’s preparing yourself for physical disaster with water and food as we’ve talked about, John, or whether it’s taking reasonable security over your computer, people have got to do this. Because otherwise, they’re going to get victimized and then they’re going to turn and say, well, who’s going to help me? And the answer is, it’s going to be a lot harder to help them after the fact than if they take reasonable precautions.”
Chertoff said that he thinks ultimately the key to cyber security at the consumer user level may be changing the security paradigm:
“…I would actually make the case — and this is not with the Cyber Security Initiative, but it’s another initiative we’ve talked about — that part of what we need to do is we need to change from a model in which your assets are controlled by your, for example, your Social Security number, which is a very weak way to control your assets, to a way in which your assets are controlled by some combination of a biometric, a token, and maybe some secret knowledge that isn’t kept in a database.”
“If you — bear with me for a second. If you had a system where in order to access my bank account you had to use my biometric and a token as well as a number, it wouldn’t matter if you stole the number, because the number wouldn’t do anything for you. It would be like having my name. It doesn’t do anything for you. So I actually think we need to step out — I mean, in the short run, you want to protect the information by encrypting it and securing it.”
“But in the long run, I think you want to move away from a model which I consider inherently vulnerable, where the very information that you’re trying to protect is the information you have to disseminate in order to validate yourself. So as you — the more effective use you make of the information, the more vulnerable you become. I’m suggesting we paradigm shift.”
“On the issue of theft of data over the Internet, whether it’s wireless interceptions like we had out in California, there again, a lot of the key is encryption. It is a different architecture for how we validate and verify people so that we don’t have — so that getting a single piece of information about you doesn’t really do any good, because it’s not enough to get you into an ability to corrupt somebody. And of course, part of it is just doing what we can to secure the networks against hacking or intrusions.”
“But, mind you, you know, it’s not just about hacking. It can be about interception of wireless transmissions. It can be about theft of data by insiders. You know, someone told me that people stick a lot of data on a thumb drive. You’d be amazed how many thumb drives are found on the floor of airplanes, commercial airplanes, because people drop them out.”
“…What I’m saying is, there’s a whole spectrum of threats. And what I want to encourage is not just to think about the obvious thing or the thing that gets written about, but to look at what I call game changers, ways to actually organize protection of our identity so that we are not so vulnerable to the theft of a single piece of information or a Social Security number, because that is insufficient to allow someone to actually steal someone’s assets. And I think this is a huge issue. You can tell I’m interested in it because I’m talking about it a lot.”
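The paradigm shift Chertoff describes (assets controlled by a token plus secret knowledge that is not kept in a database, rather than by a Social Security number) can be made concrete with a small simulation. The following is an added example, not code from the post or from DHS: it models the possession factor as an S/KEY-style hash-chain one-time-password token, the knowledge factor as a passphrase stored only as a salted PBKDF2 hash, and the biometric as a simplified stand-in (a stored template, which is constructed data), then shows that an attacker holding the bank’s entire database dump still cannot log in, while the “SSN controls your assets” model falls to the same dump.

```python
import hashlib
import hmac
import secrets

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def hash_chain(seed: bytes, n: int) -> bytes:
    """hash^n(seed): cheap to compute forward, infeasible to invert."""
    for _ in range(n):
        seed = h(seed)
    return seed

class Token:
    """Possession factor (S/KEY-style). The seed never leaves the device;
    the server only ever holds hash^k(seed), from which no OTP can be derived."""
    def __init__(self, seed: bytes, length: int):
        self._seed, self._k = seed, length
    def verifier(self) -> bytes:      # handed to the server once, at enrolment
        return hash_chain(self._seed, self._k)
    def next_otp(self) -> bytes:      # hash^(k-1)(seed); server checks h(otp) == verifier
        self._k -= 1
        return hash_chain(self._seed, self._k)

class Bank:
    def __init__(self):
        self.db = {}                  # everything an attacker gets in a database breach
    def enroll(self, ssn, passphrase, token, bio_template):
        salt = secrets.token_bytes(16)
        self.db[ssn] = {"salt": salt, "otp_verifier": token.verifier(), "bio": bio_template,
                        "pass_hash": hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)}
    def login_ssn_only(self, ssn):    # the weak model: knowing the number is enough
        return ssn in self.db
    def login_multifactor(self, ssn, passphrase, otp, bio_sample):
        rec = self.db.get(ssn)
        if rec is None:
            return False
        ok_pass = hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", passphrase.encode(), rec["salt"], 100_000), rec["pass_hash"])
        ok_otp = hmac.compare_digest(h(otp), rec["otp_verifier"])
        ok_bio = hmac.compare_digest(bio_sample, rec["bio"])   # simplified biometric match
        if ok_pass and ok_otp and ok_bio:
            rec["otp_verifier"] = otp  # advance the chain so this OTP cannot be replayed
            return True
        return False

def simulate_breach():
    """Constructed scenario: owner logs in, then an attacker uses a full copy of the database."""
    bank, token = Bank(), Token(secrets.token_bytes(32), length=100)
    bank.enroll("000-00-0000", "correct horse battery", token, b"constructed-bio-template")
    dump = {k: dict(v) for k, v in bank.db.items()}          # attacker's copy of every record
    otp1 = token.next_otp()
    owner = bank.login_multifactor("000-00-0000", "correct horse battery", otp1, b"constructed-bio-template")
    replay = bank.login_multifactor("000-00-0000", "correct horse battery", otp1, b"constructed-bio-template")
    rec = dump["000-00-0000"]
    attacker = bank.login_multifactor("000-00-0000", "", rec["otp_verifier"], rec["bio"])
    return {"ssn_only": bank.login_ssn_only("000-00-0000"), "owner": owner, "replay": replay, "attacker": attacker}
```

The dump gives the attacker the SSN, the salt, the passphrase hash, the current chain verifier and the biometric template, yet the verifier is a one-way image of the next OTP and the passphrase itself was never stored, which is exactly the property Chertoff is after.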