The U.S. government is stepping up its efforts to thwart cyber-attacks against American infrastructure, networks and defense, though it continues to attract much skepticism from security industry professionals in a post-Edward Snowden world.
Yesterday at the kickoff of the annual RSA Conference, U.S. Homeland Security Secretary Jeh C. Johnson made a passionate plea for the private information security industry to partner with the federal government to protect against attacks aimed at the homeland, while touting the accomplishments of the administration. He also told the crowd that the Department of Homeland Security (DHS) was looking for the best security professionals to “consider a tour of service for your country” and take up employment with DHS.
Before Johnson spoke, some of the creators of today’s cryptographic algorithms took the stage to address the state of security. Ron Rivest, co-inventor of the RSA public key algorithm, shot down the idea of the industry introducing a “front door” to help law enforcement track illegal activity through targeted means.
“It just won’t work,” said Rivest.
Similarly, RSA co-inventor Adi Shamir said, “There’s no difference between front doors and back doors… only that the NSA will have to take your house and turn it around.” Nonetheless, Johnson pressed for greater cooperation among federal and private entities, saying that “the current course we are on toward deeper and deeper encryption… is making it harder for your government to find criminal activity.”
Johnson said that cybersecurity is a major priority for the president and his administration and that DHS is building an agile and responsive cybersecurity capability. He cited the formation of the National Cybersecurity and Communications Integration Center (NCCIC), which last year received over 97,000 cybersecurity alerts from government and private sources and issued over 12,000 warnings.
According to Johnson, NCCIC identified 265 Heartbleed vulnerabilities and, within three weeks of Heartbleed being made known, had reduced the number of those still affected to just two. He said that DHS was enabling NCCIC to deliver real-time alerts on threats.
Johnson said that later this year, NCCIC would enable data sharing of cyberthreat indicators, including receiving tips from private industry. Recent legislation is designed to protect those sharing threat indicators from liability, addressing what has been a major impediment to data sharing.
As part of DHS’s effort to reach out to private industry and encourage cooperation, Johnson announced the establishment of a new DHS satellite office in Silicon Valley.
Still, Johnson acknowledged that much work lies ahead in finding the balance between protecting American government and industry against attacks while still protecting civil liberties.
“Homeland Security is itself a balance between basic physical security and the liberties and freedoms we cherish as Americans,” Johnson said.
That balance was addressed by the previous panel of notable cryptographers. Shamir said of the NSA programs that too many times they were not appropriately targeted and involved “the excessive use of force with too much collateral damage.”
Whether the federal government can strike the appropriate balance of physical security and civil liberties and gain the critical support of private industry remains to be seen.