Info War: Targeting your business

Department of corporate defense?

Corporate America tends to watch its bottom line more than its back. And national security isn't its job anyway. So the NIPC was put on the lookout.

If you are a tech company or a financial company or a conglomerate, is it your responsibility to defend the free world against a cyberattack? Probably not. That's the government's job, but public companies control the country's vital infrastructures. Which brings the question full circle: Are public companies responsible for protecting national security?

With these problems in mind, former president Clinton issued Presidential Decision Directive 63 in 1998, which set up the National Infrastructure Protection Center. The NIPC was put under the jurisdiction of the FBI. Its mandate was to investigate cyberattacks and to stimulate information sharing between the government and the private sector.

The problem is that many industries, technology in particular, are wary of sharing anything with the government. For an executive, the thought of releasing information about a network attack conjures investor relations nightmares.

Beyond the NIPC, the Department of Defense has also set up a Joint Task Force for Computer Network Defense to protect the Pentagon's networks. Meanwhile, several industry groups are setting up the Information Technology Information Sharing and Analysis Center to pool resources, and, it is hoped, share information with the NIPC.

Ron Dick, a 24-year veteran of the FBI and director of the NIPC, is frustrated with the lack of trust between the government and the private sector. "There is going to be a reluctance to share information," Dick laments. "But we have a great relationship with the electrical power industry and sharing information has helped both of us. We hope that will be a model. You've got to start somewhere."

Still, many experts criticise the government's efforts and point to the distinct fear that these efforts could lead to an increase in federal regulation and oversight. Bill Crowell is the president and CEO of network security provider Cylink and served as deputy director of the NSA until he retired after the Eligible Receiver war games in 1997. "They don't have the ability legally because they don't own the infrastructure, and the only way that's going to change is to increase regulation," Crowell says. "In this political environment, that doesn't seem likely. And it's difficult to make the case that there should be more involvement."

Crowell, whose company provides network security to the financial services industry, argues that ultimately it will be the insurance industry that goes furthest to protect vital infrastructures by refusing to provide coverage to firms that don't have protective measures in place. Indeed, American International Group, the insurance behemoth, has recently started offering coverage against cyberattacks.

Since PricewaterhouseCoopers' Charney left the attorney general's office, he has spent much of his time at the consulting firm persuading companies to at least assess their risk to network attacks. "The reception to that is mixed, because risk is hard to quantify," he says. "They want to know how much money it's going to cost to defend against an attack. Does the business model sustain that kind of investment? If your company has $40 million in revenues, it doesn't make sense to spend $50 million on a security solution. You could go bankrupt protecting yourself."

Companies will never be able to create a totally impenetrable network, but Cylink's Crowell says they can build security systems that will cause enough confusion and enough difficulty that cyberattackers will move on to easier prey. "It's easier to go after weaker targets than to devote a lot of time to a difficult target," he says. "We argue for a layered approach. The first layer is protecting your network with encryption programs. The second is to protect access to your internal networks with strong authentication like smart cards."
