ISPs: Cybersecurity can't be handled through regulation
Many of the tropes of the cybersecurity discussion in federal agencies and Congress came under challenge from a March 7 panel before the House Energy and Commerce subcommittee on communications and technology.
For example, cybersecurity legislation that would require firms to audit their cybersecurity posture annually would take "people away from the work to do paperwork," said Ed Amoroso, chief security officer for AT&T Services. Communications providers are already overwhelmed by compliance checklists, he added.
Government intervention isn't necessary to ensure good Internet service provider cybersecurity efforts, said David Mahon, chief security officer for CenturyLink (formerly Qwest). "We and our peers already have the strongest commercial incentives to protect our networks," he said. "There is neither a lack of will nor a lack of commitment."
"Market forces are better suited to respond to constantly changing cyber threats," echoed John Olsen, chief information officer of MetroPCS Communications.
ISPs themselves cannot reliably stop malware at the Internet layer, Amoroso said. "Every hacker knows to make sure they're pushing their malware through that encrypted tunnel, because none of us can see it," he said. "They hide malware in places we can't see."
Were ISPs to block the Internet Protocol addresses of computers infected with botnet viruses, Amoroso also said, "we would just shut down the whole Internet if we did that." New botnets 100,000 computers strong crop up every day, he added.
The main cause of computer vulnerabilities today, Amoroso said, is badly written software. "Even professionals today cannot write a non-trivial piece of software that is bug free. And those bugs are the way that our adversaries get into our companies."
As a result of all of the above, "I don't think there's an agency right now that's in a good position to come in and solve a problem that we can't solve ourselves," Amoroso said.
"If it really was a case where you could write out these five things we should all be doing and for whatever reason--negligence, ignorance, whatever--we're not doing, then we really do need someone in government to shake us into action. The problem is that we don't know what it is you should be telling us what we should be doing," he added.