Network Execs Argue Against Government Regulation in Cybersecurity

Government regulation could hamper efforts to get ahead of innovative bad guys, argued a panel of network executives in a Congressional hearing this week.

"Anything you can write down as a best practice is already being done," Edward Amoroso, chief security officer of AT&T Services, told the House Energy and Commerce subcommittee on Communications and Technology. "The new things we're working on you don't know about."

The hearing was part of a response to a GOP cybersecurity task force that last year recommended Congress concentrate on targeted, easy-to-achieve legislation rather than a comprehensive cybersecurity bill. The task force also recommended that Congress avoid regulation in favor of incentives for voluntary cooperation, a sentiment that was echoed by the witnesses.

"More can and should be done, but carefully," said David Mahon, chief security officer for the Tier 1 backbone provider Century Link. The government should focus on enabling information sharing within industry and with government, without prescriptive regulations. "We and our peers already have the strongest commercial incentives to protect our networks," he said. "There is neither a lack of will nor a lack of commitment," but he said that private-sector efforts could be diverted by checklist requirements.

"Market forces are better suited to respond to constantly changing cyber threats," said John Olsen, CIO of MetroPCS Communications.

What industry needs are safe harbors from liability and public disclosure of threat and vulnerability information, together with greater access to and freedom to use government information, witnesses said.

The lone voice on the panel in favor of any security standards was Scott Totzke, senior vice president of Research In Motion's BlackBerry Security Group, who spoke in favor of baseline standards for vendors, with testing programs to validate vendor claims for the security of products. Although now being challenged by other products, RIM's BlackBerry has for years been the dominant mobile device in government.

"Greater adherence to security standards like FIPS [the Federal Information Processing Standards] would help customers better understand their personal and professional investments in protecting their information," Totzke said. "The assurance that the information is trusted and suitable for use by some of the most security-conscious organizations in the world is an essential cornerstone in developing trust and confidence."

Witnesses described a common set of security efforts being taken to secure their networks, with multiple layers of defenses. Comcast has taken an additional step by becoming the first large Internet service provider to implement the DNS Security Extensions to help protect the Domain Name System.

Comcast vice president for Internet systems engineering Jason Livingood said that the 2008 announcement of a critical vulnerability that would allow easy DNS poisoning "scared the heck out of us." The company began implementing DNSSEC to help it reach the critical mass needed for better security. "It will require adoption across the entire ecosystem," he said.

Despite market-based incentives to secure their networks and the current lack of government-mandated security, commercial networks are still falling behind in their efforts to defend themselves.

"We are being out-innovated by our adversaries," AT&T's Amoroso said. He described malware "so good, so well-crafted that we are amazed at how far our adversaries have come."

Amoroso said that any government regulation would stifle innovation needed to get out in front of the bad guys, and said that service providers should not be responsible for providing additional security for their customers. He also was doubtful of the value of DNSSEC, saying that cryptographic applications are "incredibly complicated to run," and that "complexity of the infrastructure is the biggest problem in cybersecurity."

He conceded that DNSSEC does have some benefits, but warned that unintended consequences of implementing the technology could make security worse.

About the Author

William Jackson is the senior writer for Government Computer News (

