Witnesses urge cooperation in combating cyberattacks

The cybercrime arm of the FBI has an important role to play in protecting the nation's critical infrastructure against cyberattacks, but government needs to work proactively with industry against 21st century security threats, panelists said in statements submitted to a Senate Judiciary subcommittee on Tuesday. The witnesses were scheduled to testify in person at a hearing of the Technology, Terrorism and Government Information Subcommittee, but Arizona Republican John Kyl, chairman of the panel, canceled the hearing on cybercrime challenges and the FBI's National Infrastructure Protection Center (NIPC) so members of the panel could attend the tax-cut debate on the Senate floor. Kyl apologized to panelists on behalf of the Senate. The subcommittee did accept the witnesses' prepared written testimony, however, and Kyl said the hearing record will be open to further comment for three days. The committee then will decide if and when the next hearing will be held. An April General Accounting Office report noted that cyber risks to critical infrastructure are increasing and that cooperation between government and industry to combat such risks by sharing information on system vulnerabilities has been mixed. Among other things, the report recommended that the Bush administration create a system to analyze computer-based threats, require a framework for collecting and analyzing data to make sure national watch and warning operations are sufficient, and clearly define NIPC's role in relation to other government and private-sector security entities. The GAO report hailed NIPC's InfraGuard initiative, which has chapters established in all 56 FBI field offices around the country and is a public-private partnership to share information about cyber intrusions and vulnerabilities. And in his testimony, NIPC Director Ronald Dick said the agency has an "excellent relationship" with the Federal Computer Incident Response Center in reporting cyber crimes. In his statement, Robert Dacey, GAO's director of information security issues, said various factors have inhibited NIPC's ability to develop a methodology for analyzing cyberattacks. "The federal government's strategy and related plans for protecting the nation's critical infrastructures from computer-based attacks, including the NIPC's role, are still evolving," he said. But Securify CEO Taher Elgamal noted that increased protection means increased investment. "Governments will have to increase their financial and political support for improved security measures. ... Now that we are all dependent on the Internet and computer-based communications, we need to take some new action to make the Internet strong enough." Elgamal also recognized industry's reluctance to disclose the vulnerabilities of their computer systems to the federal government, especially in light of international competition. He specifically cited congressional concern over foreign ownership of U.S. tech companies, an issue recently raised by the planned merger of VoiceStream and Germany's Deutsche Telekom. "Some in industry fear sharing information in industry groups as an exposure to one's competitors and to attackers," he said. "Multinational companies and some governments wonder how information sharing and analysis can cross borders when trust between parties may not be sufficient to address national security and espionage concerns."