Three big computer security breaches over the past month did more than show how badly the Internet needs major repairs. They also exposed the rift between corporate America and the federal government over who should fix it, cybersecurity experts say.
Law-enforcement officials recently cracked an international ring that tapped customer databases and trafficked in tens of millions of credit-card numbers; a researcher uncovered a major flaw that permits hackers to steer some Web surfers to fake versions of popular Web sites filled with malicious software; and computer assaults, some traced to Russia’s state-run telecommunications company, crippled Web sites belonging to Georgia.
Yet the episodes did little to boost cybersecurity higher on the agendas of the federal government or the two major presidential candidates.
“Nothing is happening,” said Jerry Dixon, former director of the National Cyber Security Division at the Department of Homeland Security. “This has got to be in the top five [of] national security priorities.”
Dixon is just one of hundreds of technology executives and experts who have been saying that Washington needs to do much more to protect consumers, businesses and the government itself from attacks by criminal hackers and those supported by rival nations.
The government has largely argued that the private sector is better suited to tackle the broader problem. But big corporations say it’s too big for them to handle. They say the Internet’s technical underpinnings, which are loosely administered by the Commerce Department, need a major overhaul to eliminate vulnerabilities.
Why such a persistent disconnect? It’s partly because cybersecurity crosses so many lines in the executive branch. Homeland Security oversees protection of government networks, and the FBI and Secret Service pursue cybercrimes. When those cases lead to other countries, the State Department must get involved.
More important, most of the Internet’s infrastructure — the big computers and data pipes through which bits travel — is in private hands.
So for years, the government has assembled task forces that call for greater cooperation and communication between the public and private sectors. But experts say the reports have yet to yield tangible results, while the bad guys have become increasingly adept at exploiting new security holes in software and hiding electronic infiltration from anti-spyware and firewall programs.
At the Black Hat technology security convention in Las Vegas in August, Dixon and others on a joint government-industry panel discussed recommendations they were drafting for the next president.
Members of the panel, convened by the Center for International and Strategic Studies, said cybersecurity should be a priority because the country is under attack from organized hackers. But they said that during his first hundred days in office, John McCain or Barack Obama would be far more likely to tackle high-profile voter concerns — the economy, Iraq, education, housing — than cybersecurity.
Security expert Bruce Schneier, in his monthly newsletter last week, said that any new cybersecurity czar should have budget authority. He also said the government needed to demand more security in the products it buys and undo laws protecting software companies from liability lawsuits.
Vint Cerf, an early Internet architect now employed by Google, said in an e-mail exchange that the nation should switch Web-address suffixes such as .com to an existing but more secure version of the Domain Name System, the electronic method for getting people to the right numbered addresses for the Web address names they type.
Cerf also encouraged the government to try to rein in the increased functionality of Web browsers, which can open computers to permanent damage, and to invest more in domestic and international cyberlaw enforcement.