Companies are hiring chief information-security officers and spending ever-increasing sums to protect their communications networks and databases from attack.
Bruce McConnell, a senior cybersecurity official with the Department of Homeland Security, sat down with The Wall Street Journal's John Bussey to discuss what role the government should play in this effort and why he's especially concerned about the theft of intellectual property.
Here are edited excerpts of their conversation.
MR. BUSSEY: We have a new era. It used to be that a company locked its front doors and maybe put a fence around the perimeter, kept its stuff in the warehouse, and there would be a cop on the beat making sure that anybody rattling the front door would be caught. Now that we have this new sort of rattling of the front door, who's the cop on the beat?
MR. McCONNELL: The sheriff hasn't actually showed up in cyberspace. We're in an early part of the evolution of this industry and of our approach to this problem. It's tricky because cyberspace is privately owned and operated. There are issues involving government getting more involved in it because it involves the transmission and handling of information that may be proprietary or personal. So part of what we're focusing on in Washington is trying to get that role of the government right.
With respect to the private sector, currently the job of DHS [the Department of Homeland Security] is to provide information and otherwise help companies—critical-infrastructure firms, in particular—protect themselves. We have some things going now that might have a little more active role for the government, but that's a work in progress at this point.
MR. BUSSEY: Tell us a little bit about the active role, because this is a sensitive issue. Say the FBI calls some of the people in this room and says there was an attack that was very sophisticated, and it appears to be state-sponsored. You know, that's always a synonym for China. Or a proxy thereof. And yet, they don't want the government to come in and look at all their private data. What can you do for these companies?
MR. McCONNELL: We already provide information. If you go, for example, to our Computer Emergency Readiness Team, you can find the latest alerts that we have. These alerts are also picked up by the commercial companies such as McAfee and Symantec.
We're also doing an experiment right now with some of the defense companies to provide them with the same kind of security that we use on our military networks. We have information about threats that is not publicly available, and we are providing that information to some of the Internet-service providers who serve these defense companies. And they are using that to block known, bad traffic. So we're doing that test with them to see how that works and whether it can be scaled in a larger way that still protects privacy and confidentiality.
We also have a legislative proposal out that would set out risk frameworks and say these are the kinds of cybersecurity risks firms should address. For critical-infrastructure companies, it would require them to develop plans for addressing those risks. That is currently being considered by the Congress.
MR. BUSSEY: Is the private sector responding positively to that?
MR. McCONNELL: The private sector's response to the legislative proposal is a mixed bag, because on the one hand it does kind of set a level playing field, but it also adds an additional government intervention in the market.
Our view is that we've been trying to get the market to solve cybersecurity for years, and we don't want to repeat the definition of insanity, which is continuing to do the same thing over and over again and expecting a different outcome. So, we are taking a little bit more aggressive approach.
MR. BUSSEY: Do you see a sector of private industry that's doing it as best as they can do, or pretty close to it?
MR. McCONNELL: The financial-services sector has been at this for a long time. They understand risk and they understand this particular kind of risk better than most. So, I would put them at the top of the list.
MR. BUSSEY: And the defense industry?
MR. McCONNELL: It's more of a mixed bag there.
MR. BUSSEY: This is an area of particular concern to DHS because of intellectual-property theft?
MR. McCONNELL: That is what we're seeing as the main threat these days. There is criminal activity involved in financial fraud and then the theft of intellectual property—trade secrets, industrial secrets and that kind of thing, and defense secrets from defense companies, obviously. That is seen as endangering the overall, long-term economic competitiveness of the country.
MR. BUSSEY: I was hinting that it's largely China. Who else besides China is on that list?
MR. McCONNELL: At DHS, our job is to attack and defend against the problem, not do attribution. My view is it doesn't do us a lot of good to call out particular countries and demonize them for this.
Take China. Cybersecurity is a big issue in China. They are experiencing significant hacking problems, financial fraud and that kind of thing. So there's a win-win solution here that involves us cooperating with them and working on some common solutions. This is really a global thing, and no one country can really solve it for themselves.
MR. BUSSEY: You wrote a piece for Wired magazine in which you said: "Nearly everyone practices at least some level of cybersecurity, but these measures must also get easier. They are simply too hard now." What did you mean by that?
MR. McCONNELL: One example is with these defense companies. We're putting more smarts in their firewalls to stop known, bad malware from coming in.
But some of the more recent attacks use a more sophisticated technique known as spear-phishing, where the attacker sends a very legitimate-looking email to several employees. One of them opens it up and clicks on the link. It downloads a keystroke logger that allows the attacker to impersonate an authorized user on the network and establish a long-term presence.
That isn't protected by these protections against exterior attacks. Similarly, if you look at the WikiLeaks problem, that was an authorized user who was carting it out because he put stuff on his thumb drive and walked out with it.
Having to deal with it in these multiple ways means you need a whole program of this. The complexity adds to our inability to maintain a uniform level of protection.
MR. BUSSEY: What advice would you give to these executives for how to assess their vulnerability and then address it?
MR. McCONNELL: This has to be put into another class of risk that you are dealing with and evaluated against other pieces, not just for the reputational aspect of it, but for the long-term competitiveness piece of it. That's why I asked [audience members] whether their chief information-security officer reports to the chief information officer or the chief risk officer.
The CIO's job is to make the systems work, get 'em done, get 'em cheap, make sure they're up all the time. And the chief information-security officer tends to be looked at as a cost center in that environment. So, there may be some advantages to not necessarily changing the reporting, but thinking about it more in a risk-based framework.
MR. BUSSEY: Who within the executive branch would you have the chief information-security officer report to?
MR. McCONNELL: Often, CFOs are the chief risk officers, so that might be the place.
MR. BUSSEY: Any other advice?
MR. McCONNELL: Try to work with your peers on this. There are a number of ways in which we interact with the private sector and, in particular, work with the critical-infrastructure companies. That's an area where more interaction with the government would be helpful to us to understand what you're seeing, and we could tell you some of the things we're seeing.
There's also a good, well-known set of best practices to follow on the technical side. It includes user training and awareness, as well as some of the more technical things such as having long passwords and changing them frequently.