The concerns of House Democrats and Republicans about cybersecurity was made clear in a Hill hearing Wednesday unusually free of the partisan divides that often surface in hearings in the House Communications Subcommittee.
In the hearing on "Cybersecurity: Threats to Communications Networks and Private-Sector Responses," legislators heard from cybersecurity experts that the threat is growing, as is the role of cable operators and other ISPs in trying to combat the threat.
After hearing about attacks that targeted money in bank accounts, Communications Subcommittee Chair Greg Walden (R-Ore.) joked that he would be recessing the hearing for an hour while he checked his campaign account. But it was clear that the members saw serious threats to critical infrastructure that needed some kind of coordinated government-industry response.
During the hearing, there were several shout-outs for National Cable & Telecommunications Association-backed H.R. 3523, the Cyber Intelligence Sharing and Protection Act of 2011, which encourages the government to share certain cyber threat intelligence with private entities, like ISPs, and vice versa.
Legislators on both sides of the aisle agreed that the cybersecurity threat was a growing one, and no one took issue with the suggestion that some form of legislation would likely be needed to address it, though there were cautions about the difficulty of hitting a target moving at the speed of digital information.
"This is the invention of gun powder," said witness Larry Clinton, president and CEO of the Internet Security Alliance, of the explosion in sophisticated cyber-attacks, "Mandating thicker armor is not going to help." One Republican joked that here was one Clinton everyone could agree with.
James Lewis of the Center for Strategic and International Studies said that the government was going to have to pay more attention to cable companies and other ISPs as the responsibility for cybersecurity shifted from the edge and consumers to service providers.
Bill Conner, president of Entrust, disagreed; he said that ID theft at the "end point" -- i.e. the computer, smartphone or cell phone user -- was a growing problem that could not be stopped at the network level. Lewis countered that he thought authentication technology would "ultimately rest" with the service provider.
Clinton said some government help was needed, including legislation, but added that bad regulation could be worse than none. He said the key was to treat the issue not as a technological one but an economic one. Hacking is easy and profitable, he said, while protections are insufficient -- it is hard to show the return on investment in preventing attacks -- and prosecutions of offenders are few and far between. He said the wrong legislation would draw resources from where they could be better used.
The FCC got a shout-out for working with ISPs on a voluntary code of conduct for reporting cybersecurity attacks.
Lewis said the FCC took the approach of working with the private sector to avoid looking like it was regulating the Internet. Instead, he said, they encouraged the voluntary code approach. He added that from the outset he supported that approach, if it worked, but that if it did not, it would need to be mandatory. "So far, it looks like it is working," he said, and called that intersection of regulator -- including the National Telecommunications & Information Administration (NTIA) -- and ISP one of the keys to cybersecurity going forward.
Robert Dix, VP of government affairs for Juniper Networks, added that the FCC and NTIA could also play a key role in educating consumers about the threats to their computers and mobile devices.
Asked by Walden about Australia's code of conduct approach, Lewis said that it was based on the premise that ISPs generally have a good idea of what spyware and malware is running on users computers. Australia first proposed having the Attorney General tell the ISPs what to do with that info, but instead decided to let them come up with their own plan for dealing with the malware threat with the help of the attorney general and federal police. He said the result was a pretty good system in which users with malware are given an option to let the ISP clean it up. He contrasted that to Germany, which he said has a lighter touch, providing a pop-up and phone number for help with disinfecting the computer.
He also talked about other approaches being used by other countries that were more problematic, like just cleaning up the malware without notification, and the issue of whether infected computers should be quarantined from the network.
But Lewis also pointed out that it was the U.S. that was the biggest source of cybercrime bots. "Not because we are criminals," he said, "but because we are incompetent."
Walden and ranking member Anna Eshoo (D-Calif.) indicated they would be following up with the witnesses for more specific advice on tackling the problem, saying the testimony had been some of the best -- and "scariest," added Rep. Doris Matsui (D-Calif.) -- that they had ever heard. Eshoo said trying to get a handle on the issue was like "trying to get socks on an octopus."
