Experts at the Black Hat conference debate the role of the government in online security
Congress is considering multiple cybersecurity bills
Individuals prize convenience over their own security online, attendees say
More than 400 million people trust Google with their e-mail, and 50 million store files in the cloud using the Dropbox service. People manage their bank accounts, pay bills, trade stocks and generally transfer or store huge volumes of personal data online. Who is ultimately in charge of making sure all this information is secure: the government, the companies or the users?
At a lively panel discussion at the annual Black Hat security conference in Las Vegas on Wednesday, computer security experts discussed the roll of the government in online security. The debate centered on whether the U.S. government should take the lead in setting security standards for the industry or whether companies are responsible for their own security and that of their users.
“I lose my cool when I hear people from the government say people from the private sector need to stand up. Providing for the common defense is what the government is supposed to do,” said security systems expert Marcus Ranum.
The U.S. government is considering various security bills that address online security standards.
One controversial bill, the Cyber Intelligence Sharing and Protection Act, would allow private companies to share data with government agencies when there is an attack or breach, without fear of lawsuits from customers over the shared data. However, several civil liberties groups believe the bill needs more restrictions on how the government can use that shared information.
Creating laws isn’t the only way the government can push for greater security. It can also use its significant financial sway on major companies.
“The government is an enormous purchasing agent in our industry. Why can’t the NSA come up with a security standard that they like?” asked Bruce Schneier, security critic and author. “Let them go to the operating system companies, the database companies, the cloud providers, and say if you want the government business, you have to adhere to this.”
Opponents of the government-control approach say corporations are responsible for their own security online, just as they would be for the physical security of their offices or property. Law enforcement is there to respond to incidents, not make sure the doors are properly locked, they contend.
Some of the enthusiasm for the government to take the initiative on cyberthreats is rooted in distrust of big Internet companies.
At one point, Jennifer Granick, the director of civil liberties at the Stanford Law School Center for Internet and Society, asked the large audience of security professionals who they trusted less, Google or the government? The majority raised their hands for Google.
“I fear Google more than I pretty much fear the government,” said panelist Jeff Moss, the founder of Black Hat and DEF CON. “Google, I’m contractually agreeing to give them all my data.”
For now, mutual distrust between the government and the private sector is keeping the two sides from working together as effectively as possible, and the public could suffer because of it.
“The biggest risks right now are not the bad guys,” said Schneier. “They are the good guys who are not doing enough.”
The users do have some responsibility to protect their data online, but the panelists agreed that regular people will usually bypass any extra steps, even if they are in their best interest, in the name of convenience.