Broken record theme: We’re moving too slowly on cyber defense

Deputy Defense Secretary Ashton Carter reiterated the Pentagon’s gripe yesterday that Congress and the U.S. government as a whole are moving far too slowly in figuring out how to protect the networks of utility companies and banks from strategic cyber attacks.

"When it comes to dealing with these issues of safeguarding the nation as a whole from a cyber attack, we’re working our way through all these issues, my own view is, way too slowly. We’re still vulnerable, the pace is not adequate," said Carter. "We were hoping for some legislative relief this summer out of the Congress, and I hope this isn’t going to be one of those situations where we won’t do what we need to until we get slammed."

Carter’s comments echo those made by senior Pentagon officials for several years on the risk of a massive cyber attack that could catch the United States flat-footed due to legislative inaction.

This summer’s cyber legislation, dubbed the Cybersecurity Act of 2012, called for basic information-sharing between private companies that control critical infrastructure (finance, utilities, Internet service providers, defense contractors, etc.), and the government about cyber attacks; it also established minimum network security standards. Senate Republicans nixed the bill in August, citing concerns that even minimum security standards would be too restrictive on private businesses.

"Most of those networks are not owned or controlled by us, they’re owned and controlled by private entities who typically fail to invest or under-invest in their own security," said Carter during a speech at the Air Force Association’s annual confab just outside Washington. "When we offer to assist them, we run up against a lot of barriers that we’re slowly trying to knock down and reason our way through."

In addition to Republican resistance to government security regulations, the government’s ability to protect critical infrastructure is hampered by both privacy and antitrust concerns.

"When we provide information to Company A, do we have to provide the same information to Company B?" asked Carter. "Can Company A provide information to Company B, or does that violate antitrust laws? Can Company A provide information back to the United States, or is that providing personal information to the government? … These are all tough problems."

DoD cyber officials insist that the government is not interested in collecting individuals’ information, only basic digital information on specific cyber attacks. The bill that was defeated in August contained provisions that restricted the amount of personal information about network users that private companies could share with the government, a move that was lauded by civil liberties groups.

"If you’ve ever seen a signature, basically a string of numbers in hexadecimal format that’s mostly unintelligible unless it’s read by a machine or an antivirus program," Eric Rosenbach, deputy assistant secretary of defense for cyber policy, told Killer Apps during a Sept. 4 interview. "That type of information, technical information, is what’s most valuable to information sharing, it’s not the personally identifiable information that we’re interested; it’s the type of information that could help you stop an attack if you know what you’re looking for." 

An earlier version of this post incorrectly referred to Carter as undersecretary of defense. Killer Apps regrets the mistake.