White House: Problem of online trust has no government solution
The prevailing, certificate-based web browsing model is a significant cybersecurity threat for Internet users, but this multi-jurisdictional, multi-stakeholder problem has no governmental solution, said a White House official during an Oct. 22 event in Washington, D.C.
"Government can't fix it and government shouldn't fix it. So this is not an area where public policy is going to be able to waltz in with a thunder set of regulations, or some kind of rule set perpetrated down through the system by an authority--it's just not going to happen," said Andrew McLaughlin, White House deputy chief technology officer, while speaking at the New America Foundation.
"You don't want government to try to be your front line. We have a history of screwing things up. Even if it were possible, there are good reasons for government not to try to dictate solutions here," he added.
This issue is the classic Internet policy problem, he said, and the diversity of players, jurisdictions, standards, hardware and physical interconnection makes trusted browsing difficult to pin down. Browser certificates depend on a chain of trust between many different entities, and within each link is another micro-chain of trust, said Ari Schwartz, senior Internet policy advisor at the National Institute of Standards and Technology. Because the Internet is a collection of voluntarily interconnected networks, one party's insecure practices can make the network insecure for the other entities, even when they are being as secure as possible.
While government can't fix the problem, McLaughlin said there is room for government to spur collective action for these multiple and competing actors to cooperate and adopt best practices. International standards bodies should help map out what a better, more secure ecosystem would look like, he said.
McLaughlin added that there also needs to be an incentive system of some sort to halt the "race to the bottom": the competition among certificate authorities to be less expensive than their competitors, which often sacrifices the thoroughness of their audits in the process.
With the Commerce Department's Internet Policy Task Force, NIST's work with the Internet Corporation for Assigned Names and Numbers, and the Homeland Security Department's emergency preparedness efforts, it appears some government players are actively addressing the problem.
"It's important to note that there are folks in government that are paying attention to this problem," said Schwartz.
"In the Cyber Storm III exercise that just went on, some of these attacks were simulated--and I actually asked DHS if it was okay to talk about it and they said if it was at the level of saying that certificate authorities and related DNS issues were raised and that simulated impact, then that it was okay to do that," said Schwartz. "So it's worth pointing out that there has been a lot of talk about that. These kinds of attacks have real-life examples of things that can go wrong, if not properly taken care of."