SAN FRANCISCO -- When it comes to the state of U.S. national cybersecurity, how far can the government go to enhance it? How far should it go?
The answers to those questions were up for debate by a panel of security experts here at the RSA Conference this week. Richard Clarke, a White House advisor to the last three presidents on security and other issues, was the most vocal panelist in describing a persistent threat to U.S. security.
"We're being attacked every day and all these devices that companies here at this conference sell are unable to stop it. The governments of China, and to a lesser extent, Russia, are making successful attacks on our systems and stealing terabytes of information every day," Clarke said, referring to attacks on both private companies and government institutions.
While tech firms, such as Microsoft, and others regularly distribute patches to address security holes as they're discovered, Clarke said that's only part of the solution at best.
"To say to every company, 'You have to have all your patches up to date,' it's not going to happen," he said. "One thing you can do -- that may be a sixty percent solution -- is to require the tier-one ISPs to allow deep packet inspection for malware."
Know your enemy
The goal of such an inspection would be to identify security threats before they're distributed over the broader public networks, but it also raises privacy issues since individual accounts would be scrutinized.
"I think we have to be careful here," said panelist Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC). "Telephone companies have always had the right to listen in on calls to ensure service, and that gives them access to some content. But we've had difficulty with content filtering and the truth is that deep packet inspection opens up commercial opportunities."
Rotenberg said he fears that companies, once given the green light to check accounts for security reasons, will be that much closer to gaining personal information on individuals that can be used for marketing or be resold.
"It depends on what you do with [the data]," Clarke countered. "You can do it without looking at the content and just looking for [digital] signatures" that indicate a malware threat. But Rotenberg wasn't convinced, raising concerns over who would do the inspections and what privacy guidelines could be enforced.
Former U.S. Secretary of Homeland Security Michael Chertoff, also on the panel, said the larger issue of how far the government should be allowed to dive into people's personal information in the name of security is an ongoing debate that needs to be resolved.
"It's a paradox because you have those who don't want the government involved, so how do you build an architecture that allows enough sharing of information and a coordinated response?" Chertoff said. "You need to have a certain amount of accountability so government doesn't run roughshod [over people's right to privacy] and that's been a hard thing to architect."
All three panelists indicated that they were uncomfortable with a government agency being put in charge of cybersecurity to the extent it involves policing citizens' personal information.
"The folks at the NSA [National Security Agency] can go after malware, but they're also very interested in content," Rotenberg said.
Added Clarke, "We're all afraid of government invading our privacy, so what can government do? Relate the issue to other governments."
Clarke said major cybercrime involves very sophisticated international gangs that work "with the connivance of governments in Russia and China. And we've never done anything to talk to them the way we do about other crimes, like money laundering. I think it's because our government doesn't understand what's going on."
But Chertoff disputed Clarke's point, saying that if the issue and charges of cybercrime aren't being raised between the U.S. and other governments, it's because it's too hard to prove the source of the attack. In the most recent high-profile case, Google said cyber attacks on its systems and those of at least 25 other U.S. corporations, appeared to have originated in China, but any role the Chinese government may have had in the attack remains disputed.
Still, Rotenberg pointed out that Secretary of State Hillary Clinton's speech on the need for Internet freedom was almost a direct response to China for the attack on Google.
"She had to be careful about attribution, but the speech was the U.S. saying to the Chinese government, 'We're aware of this and we're not going to ignore it'," Rotenberg said.
Clarke said what's needed is a willingness by the U.S. government to engage in cyberwar arms control. Clarke added that the U.S. also needs a declared policy on retaliation.
"We may disagree, but we have to start talking about this," he said.
Forbes national editor and panel moderator Quentin Hardy quipped that actual retaliation to a cyber attack could be very difficult.
"How do you go after the ten Kaypros in North Korea," he said, referring to the once-popular portable computer from the 1980s. "We could bomb them [North Korea] into the stone age, but that would only move them forward."