via The Wall Street Journal
Companies are hiring chief information-security officers and spending ever-increasing sums to protect their communications networks and databases from attack.
Bruce McConnell, a senior cybersecurity official with the Department of Homeland Security, sat down with The Wall Street Journal’s John Bussey to discuss what role the government should play in this effort and why he’s especially concerned about the theft of intellectual property.
Here are edited excerpts of their conversation.
MR. BUSSEY: We have a new era. It used to be that a company locked its front doors and maybe put a fence around the perimeter, kept its stuff in the warehouse, and there would be a cop on the beat making sure that anybody rattling the front door would be caught. Now that we have this new sort of rattling of the front door, who’s the cop on the beat?
MR. McCONNELL: The sheriff hasn’t actually showed up in cyberspace. We’re in an early part of the evolution of this industry and of our approach to this problem. It’s tricky because cyberspace is privately owned and operated. There are issues involving government getting more involved in it because it involves the transmission and handling of information that may be proprietary or personal. So part of what we’re focusing on in Washington is trying to get that role of the government right.
With respect to the private sector, currently the job of DHS [the Department of Homeland Security] is to provide information and otherwise help companies—critical-infrastructure firms, in particular—protect themselves. We have some things going now that might have a little more active role for the government, but that’s a work in progress at this point.
MR. BUSSEY: Tell us a little bit about the active role, because this is a sensitive issue. Say the FBI calls some of the people in this room and says there was an attack that was very sophisticated, and it appears to be state-sponsored. You know, that’s always a synonym for China. Or a proxy thereof. And yet, they don’t want the government to come in and look at all their private data. What can you do for these companies?
MR. McCONNELL: We already provide information. If you go, for example, to our Computer Emergency Readiness Team, you can find the latest alerts that we have. These alerts are also picked up by the commercial companies such as McAfee and Symantec.
We’re also doing an experiment right now with some of the defense companies to provide them with the same kind of security that we use on our military networks. We have information about threats that is not publicly available, and we are providing that information to some of the Internet-service providers who serve these defense companies. And they are using that to block known, bad traffic. So we’re doing that test with them to see how that works and whether it can be scaled in a larger way that still protects privacy and confidentiality.
We also have a legislative proposal out that would set out risk frameworks and say these are the kinds of cybersecurity risks firms should address. For critical-infrastructure companies, it would require them to develop plans for addressing those risks. That is currently being considered by the Congress.