The Importance of Incentives in Securing the Network from the Cyber Threat0
The cyber security threat landscape has changed fundamentally over the last decade from “Code Red” to mass espionage and the threat of kinetic damage. Instead of moving unsophisticated worms around the Internet, today’s adversaries are moving money, markets and jobs between countries and companies.
The cyber adversaries of today are smart and fast, and have no legal, international, or competitive boundaries for sharing information. They often have plenty of funding and well-placed trusted relationships, enabling them to execute harm upon us with an unmatched alacrity. What once might have been called science fiction and displayed by Hollywood is now reality: malicious actors perpetrating cyber attacks to steal money and intellectual property, disrupt businesses, sabotage critical infrastructure, and threaten governments.
Today, I had the great privilege of speaking before the Committee on Energy and Commerce at a hearing titled “Cybersecurity: Threats to Communications Networks and Private-Sector Responses.” At this hearing, I provided McAfee’s perspective and insight on the cyber threat environment as it relates to communications networks and offered policy recommendations on protecting the telecommunication infrastructure.
Internet Service Providers (ISPs), which are foundational to all electronic communications, are hampered in security efforts by the design and physical components of the architecture of the Internet and have the potential to enable mass espionage and critical infrastructure risk. While communications networks allow us to share information around the world instantaneously, they are also a conduit for malware. The very Internet that virtually promises the arrival of our traffic at its destination also promises the arrival of the malware at the destination intended by the sender.
Although telecommunications and ISP firms have been diligent in securing their infrastructures and taking proactive steps to prevent the delivery of some of the known malicious and botnet-affiliated traffic, the task could be done far better and a much more comprehensive global threat picture could be created. However, this is complicated by legal, regulatory, financial, and attitudinal disincentives. Government and private sector need to work together to remove these obstacles. Currently, it is unacceptably easy for the cyber adversary to delivery malware via the Internet and have it promptly and accurately delivered to its destination.
ISPs need solutions that are proactive and predictive, rather than reactive. ISPs can help guide the market by acquisition of innovative technologies. One example suggests that Global Threat Intelligence (GTI) be used within the network fabric by ISPs, which is the basis of a cyber immune system and offers the ability to protect against an attack by comparing current traffic to a dynamic snapshot of real-time cyber activity to determine a risk probability of that traffic before allowing it to continue on its path. If the risk is high, that is noted in the system and the traffic can be stopped. Another example is application whitelisting, which can prevent malicious instructions from executing on a system even if they are able to enter. These technologies extend to systems outside of the ISPs as well, and we note in testimony that ISPs cannot own all the burden of cyber security – every system must be secure and play a proactive role.
In addition to these private sector solutions, policy plays a key role in assisting ISPs and telecommunications firms in protecting their infrastructure. We need to see more joint collaboration and cooperation between the private and public sectors and passage of the Roger’s bill to encourage the public-private partnerships we need in moving forward in cyber security. This bill already contains a number of privacy protections, and we are working to further upgrade these protections.
To achieve a cyber secure nation, we also need positive incentives. Such incentives would include:
- Imposing limitations on liability for damages as well as non-economic losses would remove a serious obstacle to information security investments.
- Cyber security competitions, challenges and scholarships can assist in identifying and recruiting talented individuals to the cyber security workforce.
- Accelerated depreciation or refundable tax credits are being considered to encourage critical infrastructure industries to make additional investments in cyber security technologies, solutions, and human capital.
- Government should give consideration to implementing reinsurance programs to help underwrite the development of cyber security insurance programs.
ISPs play a fundamental role in the global digital infrastructure. Government action is needed to help address the legal and economic challenges faced by ISPs in terms of sharing threat intelligence, and McAfee believes that a holistic approach is needed. By incorporating private sector solutions, policy regulation, and positive incentives, we can ensure that ISPs have access to the most innovative technologies available to protect our networks and nation states from future sophisticated cyber threats.