Debate Continues Over Cyber Protection, NSA Role
In terms of technical know-how, the National Security Agency (NSA) ought to lead U.S. government efforts to protect critical computer networks from cyber attacks, said Larry Wortzel, a cyber expert and former intelligence officer, to a Senate subcommittee on Tuesday.
The NSA has decades of experience at electronic and cyber operations, Wortzel said. The agency's personnel "are skilled and superbly trained," the NSA has extensive contacts with friendly governments and the private sector, and it employs linguists conversant in the languages most often associated with foreign-launched cyber attacks, he said.
But Gregory Nojeim of the Center for Democracy and Technology offered another view: No way.
"Expertise in spying" is not the same thing as expertise in cybersecurity, he told the Senate Judiciary subcommittee on terrorism and homeland security.
Putting the secretive NSA in charge of cybersecurity "would almost certainly mean less transparency, less trust and less corporate and public participation, increasing the likelihood of failure," Nojeim said. "The lead for cybersecurity operations should stay with the Department of Homeland Security (DHS)."
And so the debate over how to organize cybersecurity goes on. Meanwhile, so does a deluge of cyber assaults.
"Criminals and other adversaries attack critical U.S. systems every day, stealing valuable information, diverting funds to support criminal or terrorist activities, and compromising the online identities of Americans," said Philip Reitinger, a deputy undersecretary at DHS.
"The need to effectively prevent, protect against and respond to these attacks is critical to the nation's economic and national security," he said.
Ultimately, it's the federal government's job, said Sen. Benjamin Cardin, D-Md., the subcommittee chairman. "The government has a responsibility to protect our government and its citizens from cyber attacks."
For now, weak cyber defenses leave U.S. computer systems and networks vulnerable, Cardin said. Cyber criminals are modern-day bank robbers and identity theft is rampant.
And the government itself is hardly less susceptible than private industry. Computer systems at the Defense, State and Commerce departments and NASA have all been broken into, said Sen. John Kyl, R-Ariz.
Last spring, President Barack Obama declared cyber attacks to be both an economic and national security threat. But little improvement has been made since, either by the government or by the private sector.
For example, despite the frequently publicized dangers of cyber attacks, 47 percent of companies questioned during a security study this year reported that they were spending less in 2009 on information security, said Larry Clinton, president of the Internet Security Alliance.
On the government side, despite calls last spring by a White House review panel for appointment of a cybersecurity coordinator, no one has yet been named, Wortzel said. "Efforts to coordinate standards and policies across government and in the private sector appear stalled without the support of senior leadership in the National Security Council," he said.
Amid the leadership vacuum, government and private industry remain "in a reactive posture to cyber intrusions and cyber espionage," Wortzel added.
It doesn't have to be that way, Clinton said. If agencies and companies used cyber defenses already available and followed best practices, they could thwart 80 percent to 90 percent of cyber attacks, he said.
"The vast majority of it we know how to do. We're just not doing it," he said.
Help
