The computer networks that connect critical utilities, major companies, universities and military bases is insecure and should be replace with one less likely to be broken or manipulated by hackers or other countries that could become enemies of the United States, according to a top FBI offical.
Even terrorist groups with few hacking skills of their own are becoming a more serious threat as successful criminal hacking groups become more willing to hire themselves out to all comers, according to Shawn Henry, the FBI's executive assistant director in a speech to the International Systems Security Association last week.
One way to minimize the risk is to build out a second, more secure, limited-access network fo utilities and financial systems, Henry said.
Another would be to develop ways to eliminate the possibility of anonymity on existing networks to make it easier to trace attackers.
Maybe, but knowing who is responsible for security in any given instance is at least as big a problem, according to Gen. Keith Alexander – the Army general who is also head of the National Security Agency (NSA).
"Is it the FBI? Is it the NSA? Is it the military or is it the ISPs — the Internet service providers? But somebody can turn that device off," Alexander said at the same ISSA conference.
The Pentagon is finalizing plans describing what parts of the Internet should be its responsibility and what it will do about them, Alexander said.
Homeland Security is also working on its own plans and ability to secure utilities and other civilian resources, he said.
That still leaves a lot of holes in the coverage of the whole Internet, though.
It is not within the NSA's purview to take responsibility for that security, however. Nor is it the FBI's.
The NSA is an intelligence gatherer responsible for highlighting risks and developing responses to them. The FBI is strictly reactive – investigating crimes that have already taken place.
Even the overly broad mission of DHS doesn't include specific responsibility for specifying, implementing or enforcing regulations over the security efforts of public and private organizations across many industries.
Rather than trying to build a whole new Internet – like the ultra-high-speed, ultra-limited-size Internet2 used by scientists to exchange large data sets among universities – wouldn't it make more sense to define cybersecurity as a mission in itself and assign it to one agency to oversee?
The federal government has a huge inventory of skills at its disposal, but not all in one place. The Justice Department's Computer Crime & Intellectual Property Section is an information clearinghouse, but not an enforcement or implementation authority.
The Secret Service within the Treasury Department, the Dept. of Defense, DARPA, the NSA, National Science Foundation,FBI and CIA all have substantial cybersecurity efforts, research and development projects.
As Alexander said, none has the responsibility or power necessary to oversee or coordinate cybersecurity across many industries.
Giving one agency full control of the Internet is a bad idea. Giving one responsibility for enforcing guidelines that keep those responsible for specific portions of the 'net – as the Securities and Exchange Commission does for the financial industry – doesn't sound like a bad idea at all.
At least there'd be one place to go to find out where all the holes are.