Page 2 of 2
In the event that legislation is not passed, DHS Secretary Napolitano urged President Obama to issue an executive order in support of security objectives. But, she acknowledged that such an order coming from the Oval Office would have limitations, particularly in the area of liability protection for companies under attack that share information with government agencies and other groups involved in protecting the infrastructure. Such protection, she said, could only come through congressional action.
One of the obstacles associated with any government action involves the likelihood that regulations and best practices would also be known by the attackers, who could then revise their exploits to circumvent the additional defenses.
Beyond the domestic discussion, the secretary also noted the need to strengthen the international framework for investigation, forensics and deterrence against cyber attacks. "The U.S. and European Union are currently having dialogues in an attempt to develop agreements and protocols on this matter," she added.
At the conclusion of Napolitano's comments and subsequent interview, the event turned toward a fictional scenario in which a large oil company was struck by a virus that destroyed 40,000 computers. A number of people involved in the protection of sensitive infrastructure played the roles of various parties who would be involved in this dialogue, either from federal agencies or from the fictional oil company in question. But progress quickly broke down amid the oil company CEO's concerns that exposing too much information would entail legal exposure and other negative ramifications for his company. Various individuals who spoke at the conclusion of this exercise indicated that the same course of events would likely transpire in real life.
"We need to set up a process for private and public to assess risk and come up with a set of minimal standards for response," said Jeff Ratner, senior advisor to the Senate Homeland Security and Government Affairs Committee. "Regulatory fines have now moved toward liability protections and procurement incentives around government contracts."
But such actions do not go far enough, according to James Lewis, program director at the Center for Strategic and International Studies. "Incentives need to be tax breaks and direct financial benefits, as opposed to [preferential treatment] in the contract process," he said.
The discussion also turned toward the political ramifications of counterattacks, and whether such measures should be reserved to the federal government, or whether victimized corporations should have the opportunity to take direct action. Most favored a governmental response, but penetration tester Raphael Mudge, the founder of Strategic Cyber, LLC and self-described "white hat hacker," said a direct response from the private sector could sometimes have a favorable impact.
"Oftentimes, it's possible to reach in and control those systems like the bad guy would, and shut down the attack," he explained. Mudge went on to say that security in support of the command-and-control servers is not always as impenetrable as people might assume.