The US Department of Homeland Security is too reactionary in terms of cybersecurity threats, and needs to develop stronger incentives for the private sector to take preventative measures against cyberthreats, policy experts said on Wednesday.
The Department of Homeland Security (DHS) cybersecurity initiative has come under heavy criticism, and some have suggested responsibility for cybersecurity should be shifted to the White House.
Panellists at a roundtable discussion on Wednesday, hosted by the House of Representative's Committee on Homeland Security, agreed there could be stronger leadership, but they emphasised that there are potentially more effective means of improving the nation's response to cyberthreats.
"I personally don't believe you can designate some person and say: 'You're responsible for securing the nation's computers'," said Marc Rotenberg, executive director of the Electronic Privacy Information Center. "At the ground level, we're going to have the right system of incentives."
Those incentives could be legislative, he said, such as encryption requirements for electronic health records.
Regardless of how the government encourages network managers to protect their systems, it will be critical for the private and public sector to work together, panellists said.
"We're going to need encouragement so that there are incentives in place to invest the money necessary to make sure your machines are up-to-date, patched and firewalled," said Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University. "Increasingly, we need to worry about security as something we can convince others to engage in."
If the private sector and private citizens are expected to co-operate with the government's cybersecurity efforts, it needs to trust them, panellists added. That requires more accountability and clearer missions for programmes like 'Einstein 2', the department's new intrusion-detection system.
"The key point to understand is that, when we're looking at government surveillance, we need to know the reason for it," Rotenberg said. "If it's purely for security purposes, we would say that's okay, but it has to be solely for that purpose, with a means of accountability."
The country also needs to take a more forward-looking approach to cybersecurity, the panellists said. Privacy implications should be considered from the very start of the development of security technologies, said Carol DiBattiste, senior vice president of privacy, security, compliance and government affairs for LexisNexis Group. Then, the government can develop policies around the technologies.
A more forward-looking approach should also include some creative thinking, Rotenberg said, such as devising ways to verify a person's identity without revealing their personal information.
"There ought to be more thinking of a strategic vision, not just for the [DHS] as a whole, but for each of its initiatives," Cate said. "What are the 10 top cybersecurity threats? Let's deal with those. The impetus to do something should not be stronger than the impetus to do something intelligent or thought-through."
